Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/man/man8/samba_selinux.8
diff options
context:
space:
mode:
Diffstat (limited to 'man/man8/samba_selinux.8')
-rw-r--r--man/man8/samba_selinux.856
1 files changed, 56 insertions, 0 deletions
diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
new file mode 100644
index 00000000..ca702c79
--- /dev/null
+++ b/man/man8/samba_selinux.8
@@ -0,0 +1,56 @@
+.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
+.SH "NAME"
+samba_selinux \- Security Enhanced Linux Policy for Samba
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the Samba server via flexible mandatory access
+control.
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+If you want to share files other than home directories, those files must be
+labeled samba_share_t. So if you created a special directory /var/eng, you
+would need to label the directory with the chcon tool.
+.TP
+chcon -t samba_share_t /var/eng
+.TP
+To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
+.TP
+semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
+.TP
+This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+.TP
+/var/eng(/.*)? system_u:object_r:samba_share_t:s0
+.TP
+Run the restorecon command to apply the changes:
+.TP
+restorecon -R -v /var/eng/
+
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
+
+setsebool -P allow_smbd_anon_write=1
+
+.SH BOOLEANS
+.br
+SELinux policy is customizable based on least access required. So by
+default SELinux policy turns off SELinux sharing of home directories and
+the use of Samba shares from a remote machine as a home directory.
+.TP
+If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
+.br
+
+setsebool -P samba_enable_home_dirs 1
+.TP
+If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
+.br
+
+setsebool -P use_samba_home_dirs 1
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)