1smbd_selinux(8) SELinux Policy smbd smbd_selinux(8)
2
6 smbd_selinux - Security Enhanced Linux Policy for the smbd processes
7
9 Security-Enhanced Linux secures the smbd processes via flexible manda‐
10 tory access control.
11 The smbd processes execute with the smbd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep smbd_t
19
23 The smbd_t SELinux type can be entered via the smbd_exec_t file type.
24 The default entrypoint paths for the smbd_t domain are the following:
26 /usr/sbin/smbd
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 smbd policy is very flexible allowing users to setup their smbd pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for smbd:
40 smbd_t
42 Note: semanage permissive -a smbd_t can be used to make the process
44 type smbd_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. smbd
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run smbd with the tightest access possible.
53 If you want to dontaudit all daemons scheduling requests (setsched,
57 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
58 Enabled by default.
59 setsebool -P daemons_dontaudit_scheduling 1
61 If you want to allow all domains to execute in fips_mode, you must turn
65 on the fips_mode boolean. Enabled by default.
66 setsebool -P fips_mode 1
68 If you want to allow confined applications to run with kerberos, you
72 must turn on the kerberos_enabled boolean. Enabled by default.
73 setsebool -P kerberos_enabled 1
75 If you want to allow system to run with NIS, you must turn on the
79 nis_enabled boolean. Disabled by default.
80 setsebool -P nis_enabled 1
82 If you want to allow samba to create new home directories (e.g. via
86 PAM), you must turn on the samba_create_home_dirs boolean. Disabled by
87 default.
88 setsebool -P samba_create_home_dirs 1
90 If you want to allow samba to act as the domain controller, add users,
94 groups and change passwords, you must turn on the samba_domain_con‐
95 troller boolean. Disabled by default.
96 setsebool -P samba_domain_controller 1
98 If you want to allow samba and winbind-rpcd to share users home direc‐
102 tories, you must turn on the samba_enable_home_dirs boolean. Disabled
103 by default.
104 setsebool -P samba_enable_home_dirs 1
106 If you want to allow samba to share any file/directory read only, you
110 must turn on the samba_export_all_ro boolean. Disabled by default.
111 setsebool -P samba_export_all_ro 1
113 If you want to allow samba to share any file/directory read/write, you
117 must turn on the samba_export_all_rw boolean. Disabled by default.
118 setsebool -P samba_export_all_rw 1
120 If you want to allow smbd to load libgfapi from gluster, you must turn
124 on the samba_load_libgfapi boolean. Disabled by default.
125 setsebool -P samba_load_libgfapi 1
127 If you want to allow samba to act as a portmapper, you must turn on the
131 samba_portmapper boolean. Disabled by default.
132 setsebool -P samba_portmapper 1
134 If you want to allow samba to run unconfined scripts, you must turn on
138 the samba_run_unconfined boolean. Disabled by default.
139 setsebool -P samba_run_unconfined 1
141 If you want to allow samba to export ntfs/fusefs volumes, you must turn
145 on the samba_share_fusefs boolean. Disabled by default.
146 setsebool -P samba_share_fusefs 1
148 If you want to allow samba to export NFS volumes, you must turn on the
152 samba_share_nfs boolean. Disabled by default.
153 setsebool -P samba_share_nfs 1
155
159 SELinux defines port types to represent TCP and UDP ports.
160 You can see the types associated with a port by using the following
162 command:
163 semanage port -l
165 Policy governs the access confined processes have to these ports.
168 SELinux smbd policy is very flexible allowing users to setup their smbd
169 processes in as secure a method as possible.
170 The following port types are defined for smbd:
172 smbd_port_t
175 Default Defined Ports:
179 tcp 445,137-139
180
182 The SELinux process type smbd_t can manage files labeled with the fol‐
183 lowing file types. The paths listed are the default paths for these
184 file types. Note the processes UID still need to have DAC permissions.
185 auth_cache_t
187 /var/cache/coolkey(/.*)?
189 cluster_conf_t
191 /etc/cluster(/.*)?
193 cluster_var_lib_t
195 /var/lib/pcsd(/.*)?
197 /var/lib/cluster(/.*)?
198 /var/lib/openais(/.*)?
199 /var/lib/pengine(/.*)?
200 /var/lib/corosync(/.*)?
201 /usr/lib/heartbeat(/.*)?
202 /var/lib/heartbeat(/.*)?
203 /var/lib/pacemaker(/.*)?
204 cluster_var_run_t
206 /var/run/crm(/.*)?
208 /var/run/cman_.*
209 /var/run/rsctmp(/.*)?
210 /var/run/aisexec.*
211 /var/run/heartbeat(/.*)?
212 /var/run/pcsd-ruby.socket
213 /var/run/corosync-qnetd(/.*)?
214 /var/run/corosync-qdevice(/.*)?
215 /var/run/corosync.pid
216 /var/run/cpglockd.pid
217 /var/run/rgmanager.pid
218 /var/run/cluster/rgmanager.sk
219 ctdbd_var_lib_t
221 /var/lib/ctdb(/.*)?
223 /var/lib/ctdbd(/.*)?
224 faillog_t
226 /var/log/btmp.*
228 /var/log/faillog.*
229 /var/log/tallylog.*
230 /var/run/faillock(/.*)?
231 fusefs_t
233 /var/run/user/[0-9]+/gvfs
235 glusterd_var_lib_t
237 /var/lib/glusterd(/.*)?
239 glusterd_var_run_t
241 /var/run/gluster(/.*)?
243 /var/run/glusterd.*
244 /var/run/glusterd.*
245 /var/run/glusterd(/.*)?
246 httpd_user_content_t
248 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
250 initrc_var_run_t
252 /var/run/utmp
254 /var/run/random-seed
255 /var/run/runlevel.dir
256 /var/run/setmixer_flag
257 krb5_host_rcache_t
259 /var/tmp/krb5_0.rcache2
261 /var/cache/krb5rcache(/.*)?
262 /var/tmp/nfs_0
263 /var/tmp/DNS_25
264 /var/tmp/host_0
265 /var/tmp/imap_0
266 /var/tmp/HTTP_23
267 /var/tmp/HTTP_48
268 /var/tmp/ldap_55
269 /var/tmp/ldap_487
270 /var/tmp/ldapmap1_0
271 nfs_t
273 nmbd_var_run_t
276 /var/run/nmbd(/.*)?
278 /var/run/samba/nmbd(/.*)?
279 /var/run/samba/nmbd.pid
280 /var/run/samba/messages.tdb
281 /var/run/samba/namelist.debug
282 /var/run/samba/unexpected.tdb
283 non_security_file_type
285 noxattrfs
288 all files on file systems which do not support extended attributes
290 root_t
292 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
294 /
295 /initrd
296 samba_log_t
298 /var/log/samba(/.*)?
300 samba_secrets_t
302 /etc/samba/smbpasswd
304 /etc/samba/passdb.tdb
305 /etc/samba/MACHINE.SID
306 /etc/samba/secrets.tdb
307 samba_share_t
309 use this label for random content that will be shared using samba
311 samba_spool_t
313 /var/spool/samba(/.*)?
315 security_t
317 /selinux
319 smbd_tmp_t
321 smbd_tmpfs_t
324 smbd_var_run_t
327 /var/run/samba(/.*)?
329 /var/run/samba/smbd.pid
330 /var/run/samba/brlock.tdb
331 /var/run/samba/locking.tdb
332 /var/run/samba/gencache.tdb
333 /var/run/samba/sessionid.tdb
334 /var/run/samba/share_info.tdb
335 /var/run/samba/connections.tdb
336 user_home_type
338 all user home files
340 wtmp_t
342 /var/log/wtmp.*
344
347 SELinux requires files to have an extended attribute to define the file
348 type.
349 You can see the context of a file using the -Z option to ls
351 Policy governs the access confined processes have to these files.
353 SELinux smbd policy is very flexible allowing users to setup their smbd
354 processes in as secure a method as possible.
355 EQUIVALENCE DIRECTORIES
357 smbd policy stores data with multiple different file context types un‐
360 der the /var/run/samba directory. If you would like to store the data
361 in a different directory you can use the semanage command to create an
362 equivalence mapping. If you wanted to store this data under the /srv
363 directory you would execute the following command:
364 semanage fcontext -a -e /var/run/samba /srv/samba
366 restorecon -R -v /srv/samba
367 STANDARD FILE CONTEXT
369 SELinux defines the file context types for the smbd, if you wanted to
371 store files with these types in a different paths, you need to execute
372 the semanage command to specify alternate labeling and then use re‐
373 storecon to put the labels on disk.
374 semanage fcontext -a -t smbd_exec_t '/srv/smbd/content(/.*)?'
376 restorecon -R -v /srv/mysmbd_content
377 Note: SELinux often uses regular expressions to specify labels that
379 match multiple files.
380 The following file types are defined for smbd:
382 smbd_exec_t
386 - Set files with the smbd_exec_t type, if you want to transition an ex‐
388 ecutable to the smbd_t domain.
389 smbd_keytab_t
393 - Set files with the smbd_keytab_t type, if you want to treat the files
395 as kerberos keytab files.
396 smbd_tmp_t
400 - Set files with the smbd_tmp_t type, if you want to store smbd tempo‐
402 rary files in the /tmp directories.
403 smbd_tmpfs_t
407 - Set files with the smbd_tmpfs_t type, if you want to store smbd files
409 on a tmpfs file system.
410 smbd_var_run_t
414 - Set files with the smbd_var_run_t type, if you want to store the smbd
416 files under the /run or /var/run directory.
417 Paths:
420 /var/run/samba(/.*)?, /var/run/samba/smbd.pid, /var/run/samba/br‐
421 lock.tdb, /var/run/samba/locking.tdb, /var/run/samba/gencache.tdb,
422 /var/run/samba/sessionid.tdb, /var/run/samba/share_info.tdb,
423 /var/run/samba/connections.tdb
424 Note: File context can be temporarily modified with the chcon command.
427 If you want to permanently change the file context you need to use the
428 semanage fcontext command. This will modify the SELinux labeling data‐
429 base. You will need to use restorecon to apply the labels.
430
433 If you want to share files with multiple domains (Apache, FTP, rsync,
434 Samba), you can set a file context of public_content_t and public_con‐
435 tent_rw_t. These context allow any of the above domains to read the
436 content. If you want a particular domain to write to the public_con‐
437 tent_rw_t domain, you must set the appropriate boolean.
438 Allow smbd servers to read the /var/smbd directory by adding the pub‐
440 lic_content_t file type to the directory and by restoring the file
441 type.
442 semanage fcontext -a -t public_content_t "/var/smbd(/.*)?"
444 restorecon -F -R -v /var/smbd
445 Allow smbd servers to read and write /var/smbd/incoming by adding the
447 public_content_rw_t type to the directory and by restoring the file
448 type. You also need to turn on the smbd_anon_write boolean.
449 semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?"
451 restorecon -F -R -v /var/smbd/incoming
452 setsebool -P smbd_anon_write 1
453 If you want to allow samba to modify public files used for public file
456 transfer services. Files/Directories must be labeled public_con‐
457 tent_rw_t., you must turn on the smbd_anon_write boolean.
458 setsebool -P smbd_anon_write 1
460
463 semanage fcontext can also be used to manipulate default file context
464 mappings.
465 semanage permissive can also be used to manipulate whether or not a
467 process type is permissive.
468 semanage module can also be used to enable/disable/install/remove pol‐
470 icy modules.
471 semanage port can also be used to manipulate the port definitions
473 semanage boolean can also be used to manipulate the booleans
475 system-config-selinux is a GUI tool available to customize SELinux pol‐
478 icy settings.
479
482 This manual page was auto-generated using sepolicy manpage .
483
486 selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
487 setsebool(8)
488smbd 23-12-15 smbd_selinux(8)