How do I get SELinux to allow Apache and Samba on the same folder?
Solution 1
First off, you can view the context of something with ls using ls -Z
[root@servername www]# ls -dZ /var/www
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www
Second, there are two options for giving Samba and Apache access to the same directory.
The simple way is to just allow samba read/write access everywhere with:
setsebool -P samba_export_all_rw 1
It's simple, easy, and doesn't mess with any weird properties of SELinux.
If you're concerned with Samba having full access to all directories and only want to change /var/www, try:
chcon -t public_content_rw_t /var/www
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1
This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:
chcon -R -t public_content_rw_t /var/www
You can look through this CentOS wiki page to get hints on other SELinux booleans.
Solution 2
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and public_content_rw_t.
These context allow any of the above domains to read the
content. If you want a particular domain to write to the public_con‐
tent_rw_t domain, you must set the appropriate boolean.
allow_DOMAIN_anon_write. So for samba you would execute:
setsebool -P allow_smbd_anon_write=1
For example:
semanage fcontext -a -t public_content_rw_t '/var/www(/.*)?'
restorecon -R /var/www
setsebool -P allow_smbd_anon_write 1
Related videos on Youtube
Joshua Enfield
Updated on September 17, 2022Comments
-
Joshua Enfield over 1 year
In the configuration I have setup I wish to allow samba and apache to access /var/www I am able to set a context to allow samba access, but then httpd doesn't have access. Using setenforce to 0 eliminates issues so I know that it is SELinux.
In addition: How can I view the context of a folder, and can a folder have multiple contexts?
(CentOS)
-
Admin about 14 yearsHave you tried using the boolean option of system-config-selinux?
-
-
Joshua Enfield about 14 yearsI tried this and it complains that a context is already defined.
-
David about 14 yearsYou're right, it looks like things have changed since I last messed with SELinux. I'll update my answer with some other options.
-
Joel E Salas almost 11 years@Dave you saved my butt. See you at work tomorrow.
-
Greg Sheremeta about 10 yearsI wanted to mention that if your webroot is nested in a samba share, you'll need to set the context on the parent directories as well. For example:
chcon -t public_content_rw_t /mnt/share/webroot(/.*)?
chcon -t public_content_rw_t /mnt/share
-
giorgiline over 9 yearsThank you, I was struggling with something similar but with ftp, and everything works after doing
setsebool -P ftpd_full_access=1