https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

Ports opened after installation (iptables rules):

1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139

Samba accepts the connection, but no file list is shown.

So I googled and found that SELinux needs to be configured.

http://danwalsh.livejournal.com/14195.html

Run setenforce 0 first to switch SELinux to permissive mode and check whether the share is accessible. If it is, the problem is SELinux; switch back to enforcing (setenforce 1) and then set:

Allow home directories to be shared:

setsebool -P samba_enable_home_dirs 1

For a specific directory (not tested; note from the reference below that a chcon label does not survive a relabel, so use semanage fcontext plus restorecon to make it persistent):

chcon -R -t samba_share_t /var/eng  
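As an added example (not from these notes or from the Samba project), the POSIX shell functions below turn the two steps above into a plan that avoids the chcon pitfall: they emit a persistent semanage fcontext rule plus restorecon for an ordinary directory, the samba_enable_home_dirs boolean for anything under /home, and refuse to relabel standard system directories, emitting the samba_export_all_ro or samba_export_all_rw boolean with a warning instead. The SYSTEM_DIRS list and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from these notes or from Samba/SELinux): print the
# SELinux commands to expose a directory to smbd, preferring a persistent
# semanage fcontext rule over chcon, and refusing to relabel package-owned trees.
# SYSTEM_DIRS is this example's own assumption of what counts as "standard".

SYSTEM_DIRS='/ /bin /boot /dev /etc /lib /lib64 /proc /root /run /sbin /sys /tmp /usr /var /var/lib /var/log'

# normalize_path PATH: drop trailing slashes ("/" stays "/").
normalize_path() {
    p=$(printf '%s' "$1" | sed 's:/*$::')
    [ -z "$p" ] && p=/
    printf '%s' "$p"
}

# is_system_dir PATH: succeed if PATH is, or lies under, a standard directory
# (but not merely under /var, where site data such as /var/eng legitimately lives).
is_system_dir() {
    p=$(normalize_path "$1")
    for d in $SYSTEM_DIRS; do
        [ "$p" = "$d" ] && return 0
    done
    case $p in
        /bin/*|/boot/*|/dev/*|/etc/*|/lib/*|/lib64/*|/proc/*|/root/*|/run/*|/sbin/*|/sys/*|/usr/*|/var/lib/*|/var/log/*)
            return 0 ;;
    esac
    return 1
}

# samba_share_plan PATH [ro|rw]: print the commands to run as root, one per line.
samba_share_plan() {
    path=$(normalize_path "$1")
    mode=${2:-ro}
    case $path in
        /home|/home/*)
            # Home directories keep their home labels; open them with the boolean.
            echo "setsebool -P samba_enable_home_dirs 1" ;;
        *)
            if is_system_dir "$path"; then
                # Relabeling /usr etc. to samba_share_t would lock out other
                # confined domains; widen smbd instead, read-only unless asked.
                if [ "$mode" = rw ]; then
                    echo "setsebool -P samba_export_all_rw 1  # WARNING: smbd may write every file"
                else
                    echo "setsebool -P samba_export_all_ro 1  # WARNING: smbd may read every file"
                fi
            else
                # Persistent rule first, then apply it; chcon alone is lost on relabel.
                echo "semanage fcontext -a -t samba_share_t '$path(/.*)?'"
                echo "restorecon -R -v $path"
            fi ;;
    esac
}

# Usage (review the output, then run it as root):
#   samba_share_plan /var/eng
#   samba_share_plan /var/eng | sh
```

The plan only prints commands so it can be reviewed before anything is applied; after running it, `ls -dZ /var/eng` should show samba_share_t, and `matchpathcon /var/eng` should agree, which confirms the rule survives a future relabel.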


Reference:

Confining Samba with SELinux
November 9th, 2007
My next few blogs will take different confined domains and write about the types and booleans related to that domain. I will be updating the man pages for these confined domains, and then showing how the policy for the domain works.

Samba has had a man page available for some time named samba_selinux; here is my rewrite for Fedora 7/8.

> man samba_selinux

samba_selinux(8)      Samba Selinux Policy documentation      samba_selinux(8)

NAME
       samba_selinux - Securing Samba with SELinux

DESCRIPTION

Security-Enhanced Linux secures the Samba server via flexible
mandatory access control.  SELinux Samba policy defaults to least
privilege access.  Several Booleans and file contexts are available to
customize the way Samba SELinux works.

SHARING FILES

SELinux requires files be labeled with an extended attribute to define
the file type.  Policy governs the access daemons have to these files.
When sharing files with Samba you have many options on how to label
the files.  If you want to share files/directories other than home
directories or standard directories, you should label these
files/directories as samba_share_t.  For example if you created the
directory /var/eng, you can label the directory and its contents with
the chcon tool.

# chcon -R -t samba_share_t /var/eng

This label will not survive a relabel.  A better solution, to make the
change permanent, is to tell the SELinux system about the label
customization.  The semanage command can customize the default file
contexts on your machine.  restorecon will read the file_context and
apply it to the files and directories.

# semanage fcontext -a -t samba_share_t '/var/eng(/.*)?'
# restorecon -R -v /var/eng

SHARING HOME DIRECTORIES

By default SELinux policy turns off SELinux sharing of home
directories.  If you are setting up this machine as a Samba
server and wish to share the home directories, you need to set the
samba_enable_home_dirs boolean.

# setsebool -P samba_enable_home_dirs 1

SHARING PUBLIC FILES

If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and
public_content_rw_t.  These contexts allow any of the above domains to
read the content.  If you want a particular domain to write to the
public_content_rw_t domain, you must set the appropriate boolean,
allow_DOMAIN_anon_write.  So for samba you would execute:

# semanage fcontext -a -t public_content_rw_t '/var/eng(/.*)?'
# restorecon -R -v /var/eng
# setsebool -P allow_smbd_anon_write 1

SHARING FILE SYSTEM FILES

Note: You should not do the above for standard directories or home
directories!  For example directories owned by an RPM.  If you wanted
to share /usr via Samba, changing its context and all of the sub
directories to samba_share_t would be a bad idea.  Other confined
domains would no longer be able to read /usr and this would cause havoc
on the machine.  There are two booleans that you can set to allow the
sharing of standard directories.  If you want to share any standard
directory read-only you can set the boolean samba_export_all_ro.

# setsebool -P samba_export_all_ro 1

This boolean will allow Samba to read every file on the
system.  Similarly, if you want to share all files and directories via
Samba, you set the samba_export_all_rw boolean.

# setsebool -P samba_export_all_rw 1

This boolean would allow Samba to read and write every file on your
system.  So a compromised Samba server would be very dangerous.

SHARING PUBLIC NFS FILES

SELinux prevents the Samba daemons from reading/writing NFS shares by
default.  If you are using samba to share NFS file systems you need to
turn on the samba_share_nfs boolean.

# setsebool -P samba_share_nfs 1

USING CIFS/SAMBA HOME DIRECTORIES

Samba SELinux policy will not allow any confined applications to
access remote samba shares mounted on your machine.  If you want to use a
remote Samba server for the home directories on this machine, you must
set the use_samba_home_dirs boolean.

# setsebool -P use_samba_home_dirs 1

SAMBA SCRIPTS

Samba can be set up to run user defined scripts; by default, if you
install these scripts in /var/lib/samba/scripts they will be labeled
samba_unconfined_script_exec_t.  Since these scripts can do just
about anything on the system you can run them as unconfined.  But you
need to turn on the samba_run_unconfined boolean.

# setsebool -P samba_run_unconfined 1

If you are willing to write policy, an interface exists in
samba.if called samba_helper_template(APP).  This interface will
create a file context of samba_APP_script_exec_t, and a domain of
samba_APP_script_t.  Samba will transition scripts labeled
samba_APP_script_exec_t to samba_APP_script_t; you can then use
audit2allow to write policy to confine your script.

USING SAMBA AS A DOMAIN CONTROLLER

If you want to run samba as a domain controller, i.e. add machines to the
passwd file on a Linux box, you need to turn on the
samba_domain_controller boolean.  This allows the Samba daemon to run
and transition to the passwd, useradd, and groupadd utilities.  These
tools can manipulate the passwd database.

GUI system-config-selinux

system-config-selinux is a GUI tool available to customize all of the
SELinux booleans and file contexts described above.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
       selinux(8), semanage(8), samba(7), chcon(1), setsebool(8), restorecon(8),

dwalsh@redhat.com                 9 Nov 2007                  samba_selinux(8)
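The notes at the top say to test with setenforce 0 and then set a boolean; the man page above lists which boolean or label applies to which kind of target. The added example below (POSIX shell; not from the notes, from Dan Walsh's post, or from the Samba project) reads smbd AVC denials in audit.log format and prints the matching fix from the man page: samba_enable_home_dirs for home-directory types, samba_share_nfs for nfs_t, allow_smbd_anon_write for writes to public_content_rw_t, and a semanage fcontext plus restorecon relabel to samba_share_t for anything else. The AVC records are constructed for this example, the function names are its own, and because an AVC record carries only a basename, the share path for the relabel case has to be supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the page or from the samba_selinux man page:
# turn smbd AVC denials from /var/log/audit/audit.log into the boolean or
# relabel fix that the man page describes. Function names are this example's
# own; the type-to-fix mapping follows the man page sections above.

# Constructed AVC records (not real captures) in the kernel audit format.
SAMPLE_AVC='type=AVC msg=audit(1194567890.123:456): avc:  denied  { read } for  pid=2345 comm="smbd" name="eng" dev=sda2 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1194567891.456:457): avc:  denied  { read } for  pid=2345 comm="smbd" name="alice" dev=sda2 ino=9876 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1194567892.789:458): avc:  denied  { write } for  pid=2345 comm="smbd" name="upload" dev=sda2 ino=555 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1194567893.012:459): avc:  denied  { read } for  pid=2345 comm="smbd" name="data" dev=0:21 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1194567894.345:460): avc:  denied  { read } for  pid=777 comm="httpd" name="index.html" dev=sda2 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... in an AVC record (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: the denied permission inside "{ ... }" (first one if several).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\).*/\1/p'
}

# ctx_type CONTEXT: the type (third field) of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# samba_fix LINE [SHARE_PATH]: print the command that clears this denial.
# SHARE_PATH is used only for the relabel case; the record has just a basename.
samba_fix() {
    line=$1
    share=${2:-/path/to/share}   # placeholder when the caller gives no path
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    if [ "$stype" != smbd_t ]; then
        echo "not an smbd denial (source type $stype)"
        return 1
    fi
    case $ttype in
        user_home_dir_t|user_home_t|home_root_t)
            echo "setsebool -P samba_enable_home_dirs 1" ;;
        nfs_t)
            echo "setsebool -P samba_share_nfs 1" ;;
        public_content_rw_t)
            # Reads of public content are already allowed; writes need the boolean.
            case $perm in
                read|getattr|search|open) echo "no fix needed: $ttype is readable by smbd_t" ;;
                *) echo "setsebool -P allow_smbd_anon_write 1" ;;
            esac ;;
        samba_share_t)
            echo "no fix needed: $ttype is already the Samba share type" ;;
        *)
            # Unlabeled site data (var_t, default_t, ...): give it the share type persistently.
            echo "semanage fcontext -a -t samba_share_t '$share(/.*)?' && restorecon -R -v $share" ;;
    esac
}

# samba_triage [SHARE_PATH]: one recommendation per AVC line read from stdin.
samba_triage() {
    while IFS= read -r line; do
        case $line in
            *avc:*denied*) samba_fix "$line" "$1" || true ;;
            *) ;;
        esac
    done
}

# selinux_mode: enforcing, permissive or disabled, read from selinuxfs.
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        [ "$(cat /sys/fs/selinux/enforce)" = 1 ] && echo enforcing || echo permissive
    else
        echo disabled
    fi
}

# Usage with the constructed records:
#   printf '%s\n' "$SAMPLE_AVC" | samba_triage /var/eng
# Usage on a real host:
#   grep 'comm="smbd"' /var/log/audit/audit.log | samba_triage /var/eng
```

In permissive mode (setenforce 0) every denial is still logged but not blocked, which is why the test in the notes works; run the triage over the denials collected during that test, apply the printed fix, and switch back with setenforce 1 before trusting the result. The httpd record in the sample is there to show that the script ignores denials that do not come from smbd_t rather than mislabeling their targets.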
