smbd_selinux(8)                  SELinux Policy smbd                  smbd_selinux(8)

NAME
       smbd_selinux - Security Enhanced Linux Policy for the smbd processes

DESCRIPTION
       Security-Enhanced Linux secures the smbd processes via flexible mandatory
       access control.

       The smbd processes execute with the smbd_t SELinux type. You can check if
       you have these processes running by executing the ps command with the -Z
       qualifier.

       For example:

              ps -eZ | grep smbd_t

ENTRYPOINTS
       The smbd_t SELinux type can be entered via the smbd_exec_t file type.

       The default entrypoint paths for the smbd_t domain are the following:

              /usr/sbin/smbd

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux smbd
       policy is very flexible, allowing users to set up their smbd processes in
       as secure a manner as possible.

       The following process types are defined for smbd:

              smbd_t

       Note: semanage permissive -a smbd_t can be used to make the process type
       smbd_t permissive. SELinux does not deny access to permissive process
       types, but the AVC (SELinux denials) messages are still generated.

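       The ps -eZ | grep smbd_t check above lists only the smbd processes that
       are already in smbd_t; it says nothing about an smbd that was started
       outside the policy (for example by hand from an interactive shell) and
       is therefore running in an unconfined domain. The script below is an
       added example, not part of the generated manual page or of the SELinux
       policy sources: it parses ps -eZ output and reports every smbd process
       whose type is not smbd_t. The function names are the example's own, and
       the sample ps output it runs on is constructed rather than captured from
       a real host.

```shell
#!/bin/sh
# Added example: report smbd processes that are not confined by the smbd_t
# domain (for instance an smbd started by hand from an unconfined shell).
# Input on stdin: the output of `ps -eZ`, i.e. "LABEL PID TTY TIME CMD" lines.
# Output: one "PID TYPE CMD" line per smbd process whose type is not smbd_t.
# Returns 0 when every smbd process runs as smbd_t, 1 otherwise.
unconfined_smbd() {
    awk '
        NR == 1 && $1 == "LABEL" { next }          # skip the ps header line
        $NF == "smbd" {
            n = split($1, ctx, ":")                # user:role:type:level
            type = (n >= 3) ? ctx[3] : $1
            if (type != "smbd_t") {
                print $2, type, $NF
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# On a real host, feed the live process table instead of the sample below.
check_live_host() {
    ps -eZ | unconfined_smbd
}

# Constructed sample of `ps -eZ` output (not captured from a real system):
# two smbd processes confined by the policy, and one running in the
# unconfined_t domain because it was started from an interactive shell.
SAMPLE_PS='LABEL                              PID TTY          TIME CMD
system_u:system_r:smbd_t:s0       1201 ?        00:00:00 smbd
system_u:system_r:smbd_t:s0       1203 ?        00:00:00 smbd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4711 pts/0 00:00:00 smbd
system_u:system_r:nmbd_t:s0       1202 ?        00:00:00 nmbd'

if [ "${1:-}" = "--live" ]; then
    check_live_host
else
    # prints: 4711 unconfined_t smbd
    printf '%s\n' "$SAMPLE_PS" | unconfined_smbd ||
        echo "unconfined smbd process(es) found; the policy does not apply to them"
fi
```

       Run it with --live on an SELinux host to check the real process table.
       A process reported here is not subject to any of the smbd_t rules or
       booleans described in this page, so the fix is to stop it and start smbd
       through its service unit so that the smbd_exec_t entrypoint transition
       takes place.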
BOOLEANS
       SELinux policy is customizable based on least access required. smbd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run smbd with the tightest access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow samba to create new home directories (e.g. via
       PAM), you must turn on the samba_create_home_dirs boolean. Disabled by
       default.

              setsebool -P samba_create_home_dirs 1

       If you want to allow samba to act as the domain controller, add users,
       groups and change passwords, you must turn on the
       samba_domain_controller boolean. Disabled by default.

              setsebool -P samba_domain_controller 1

       If you want to allow samba and winbind-rpcd to share users home
       directories, you must turn on the samba_enable_home_dirs boolean.
       Disabled by default.

              setsebool -P samba_enable_home_dirs 1

       If you want to allow samba to share any file/directory read only, you
       must turn on the samba_export_all_ro boolean. Disabled by default.

              setsebool -P samba_export_all_ro 1

       If you want to allow samba to share any file/directory read/write, you
       must turn on the samba_export_all_rw boolean. Disabled by default.

              setsebool -P samba_export_all_rw 1

       If you want to allow smbd to load libgfapi from gluster, you must turn
       on the samba_load_libgfapi boolean. Disabled by default.

              setsebool -P samba_load_libgfapi 1

       If you want to allow samba to act as a portmapper, you must turn on the
       samba_portmapper boolean. Disabled by default.

              setsebool -P samba_portmapper 1

       If you want to allow samba to run unconfined scripts, you must turn on
       the samba_run_unconfined boolean. Disabled by default.

              setsebool -P samba_run_unconfined 1

       If you want to allow samba to export ntfs/fusefs volumes, you must turn
       on the samba_share_fusefs boolean. Disabled by default.

              setsebool -P samba_share_fusefs 1

       If you want to allow samba to export NFS volumes, you must turn on the
       samba_share_nfs boolean. Disabled by default.

              setsebool -P samba_share_nfs 1

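       Every boolean above widens what smbd_t may do, and the page states the
       default for each, so the set of defaults doubles as a least-access
       baseline that a host can be audited against. The script below is an
       added example, not part of the generated manual page or of the policy:
       it reads getsebool -a output and prints every smbd boolean whose value
       differs from the default stated on this page. The defaults table is
       copied from the text above; the function name is the example's own, and
       the sample getsebool output is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: audit the smbd booleans against the defaults documented in
# smbd_selinux(8). Input on stdin: lines as printed by `getsebool -a`
# ("boolean_name --> on|off"). Output: one "name actual expected" line for
# every listed boolean whose value differs from its documented default.
# Returns 0 when nothing has drifted, 1 otherwise.

# Defaults as stated in this manual page (name default), one per line.
SMBD_BOOLEAN_DEFAULTS='fips_mode on
kerberos_enabled on
samba_create_home_dirs off
samba_domain_controller off
samba_enable_home_dirs off
samba_export_all_ro off
samba_export_all_rw off
samba_load_libgfapi off
samba_portmapper off
samba_run_unconfined off
samba_share_fusefs off
samba_share_nfs off'

audit_smbd_booleans() {
    awk -v defaults="$SMBD_BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                expected[kv[1]] = kv[2]
            }
        }
        # getsebool -a prints "name --> value"; booleans not in the table are ignored
        $2 == "-->" && ($1 in expected) && $3 != expected[$1] {
            print $1, $3, expected[$1]
            drift++
        }
        END { if (drift > 0) exit 1; exit 0 }
    '
}

# Constructed sample of `getsebool -a` output (not from a real host): two of
# the broad sharing booleans have been switched on.
SAMPLE_GETSEBOOL='fips_mode --> on
kerberos_enabled --> on
samba_create_home_dirs --> off
samba_enable_home_dirs --> on
samba_export_all_rw --> on
samba_export_all_ro --> off
httpd_can_network_connect --> off'

if [ "${1:-}" = "--live" ]; then
    getsebool -a | audit_smbd_booleans
else
    # prints: samba_enable_home_dirs on off
    #         samba_export_all_rw on off
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_smbd_booleans ||
        echo "boolean drift detected; revert a boolean with: setsebool -P <boolean> 0"
fi
```

       Run it with --live to audit the real boolean state. A boolean that is
       intentionally on (for example samba_enable_home_dirs on a file server
       that exports home directories) should be recorded in the table as the
       site's own expected value, so that only unexplained drift, such as
       samba_export_all_rw being enabled, is reported.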
PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux smbd policy is very flexible, allowing users to set up their
       smbd processes in as secure a manner as possible.

       The following port types are defined for smbd:

              smbd_port_t

       Default Defined Ports:
              tcp 445,137-139

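       Before moving smbd to a non-default port it is worth checking whether
       that port already carries the smbd_port_t label, since the port list is
       printed by semanage port -l in a mixed "445, 137-139" form of single
       ports and ranges. The script below is an added example, not part of the
       generated manual page or of the policy: it extracts the smbd_port_t tcp
       list from semanage port -l output and tests individual ports against it.
       The function names are the example's own and the sample semanage output
       is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: check whether a TCP port is covered by the smbd_port_t type,
# using the "445, 137-139" list format that `semanage port -l` prints.

# port_in_spec PORT SPEC: returns 0 if PORT is inside SPEC, e.g.
# port_in_spec 138 "445, 137-139" succeeds, port_in_spec 4450 "..." fails.
port_in_spec() {
    port=$1
    spec=$2
    # "445, 137-139" -> "445  137-139", then iterate over the items
    for item in $(printf '%s' "$spec" | tr ',' ' '); do
        case $item in
            *-*)
                lo=${item%-*}
                hi=${item#*-}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$port" -eq "$item" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# smbd_port_spec: reads `semanage port -l` output on stdin and prints the tcp
# port list recorded for smbd_port_t (prints nothing if the type is absent).
smbd_port_spec() {
    awk '$1 == "smbd_port_t" && $2 == "tcp" {
            $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit
         }'
}

# Constructed sample of `semanage port -l` output (not from a real host).
SAMPLE_SEMANAGE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
smbd_port_t                    tcp      445, 137-139
ssh_port_t                     tcp      22'

if [ "${1:-}" = "--live" ]; then
    spec=$(semanage port -l | smbd_port_spec)
else
    spec=$(printf '%s\n' "$SAMPLE_SEMANAGE" | smbd_port_spec)
fi

for p in 445 138 4450; do
    if port_in_spec "$p" "$spec"; then
        echo "tcp/$p is labeled smbd_port_t"
    else
        # smbd_t may be denied a bind to an unlabeled port; if the port is
        # intended for smbd, label it with: semanage port -a -t smbd_port_t -p tcp $p
        echo "tcp/$p is NOT labeled smbd_port_t"
    fi
done
```

       With the sample input the loop reports 445 and 138 as labeled and 4450
       as unlabeled. The semanage port -a form in the comment is the standard
       way to add a port to a type; check the AVC messages (see the note on
       permissive process types above) before deciding that a denial is really
       a missing port label.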
MANAGED FILES
       The SELinux process type smbd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       auth_cache_t

              /var/cache/coolkey(/.*)?

       cluster_conf_t

              /etc/cluster(/.*)?

       cluster_var_lib_t

              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t

              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/pcsd-ruby.socket
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/corosync.pid
              /var/run/cpglockd.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       ctdbd_var_lib_t

              /var/lib/ctdb(/.*)?
              /var/lib/ctdbd(/.*)?

       faillog_t

              /var/log/btmp.*
              /var/log/faillog.*
              /var/log/tallylog.*
              /var/run/faillock(/.*)?

       fusefs_t

              /var/run/user/[0-9]+/gvfs

       glusterd_var_lib_t

              /var/lib/glusterd(/.*)?

       glusterd_var_run_t

              /var/run/gluster(/.*)?
              /var/run/glusterd.*
              /var/run/glusterd(/.*)?

       httpd_user_content_t

              /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       initrc_var_run_t

              /var/run/utmp
              /var/run/random-seed
              /var/run/runlevel.dir
              /var/run/setmixer_flag

       krb5_host_rcache_t

              /var/tmp/krb5_0.rcache2
              /var/cache/krb5rcache(/.*)?
              /var/tmp/nfs_0
              /var/tmp/DNS_25
              /var/tmp/host_0
              /var/tmp/imap_0
              /var/tmp/HTTP_23
              /var/tmp/HTTP_48
              /var/tmp/ldap_55
              /var/tmp/ldap_487
              /var/tmp/ldapmap1_0

       nfs_t

       nmbd_var_run_t

              /var/run/nmbd(/.*)?
              /var/run/samba/nmbd(/.*)?
              /var/run/samba/nmbd.pid
              /var/run/samba/messages.tdb
              /var/run/samba/namelist.debug
              /var/run/samba/unexpected.tdb

       non_security_file_type

       noxattrfs

              all files on file systems which do not support extended attributes

       root_t

              /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
              /
              /initrd

       samba_log_t

              /var/log/samba(/.*)?

       samba_secrets_t

              /etc/samba/smbpasswd
              /etc/samba/passdb.tdb
              /etc/samba/MACHINE.SID
              /etc/samba/secrets.tdb

       samba_share_t

              use this label for random content that will be shared using samba

       samba_spool_t

              /var/spool/samba(/.*)?

       security_t

              /selinux

       smbd_tmp_t

       smbd_tmpfs_t

       smbd_var_run_t

              /var/run/samba(/.*)?
              /var/run/samba/smbd.pid
              /var/run/samba/brlock.tdb
              /var/run/samba/locking.tdb
              /var/run/samba/gencache.tdb
              /var/run/samba/sessionid.tdb
              /var/run/samba/share_info.tdb
              /var/run/samba/connections.tdb

       user_home_type

              all user home files

       wtmp_t

              /var/log/wtmp.*

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux smbd policy is very flexible, allowing users to set up their
       smbd processes in as secure a manner as possible.

   EQUIVALENCE DIRECTORIES
       smbd policy stores data with multiple different file context types under
       the /var/run/samba directory. If you would like to store the data in a
       different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

              semanage fcontext -a -e /var/run/samba /srv/samba
              restorecon -R -v /srv/samba

   STANDARD FILE CONTEXT
       SELinux defines the file context types for smbd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

              semanage fcontext -a -t smbd_var_run_t '/srv/mysmbd_content(/.*)?'
              restorecon -R -v /srv/mysmbd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for smbd:

       smbd_exec_t

       - Set files with the smbd_exec_t type, if you want to transition an
         executable to the smbd_t domain.

       smbd_keytab_t

       - Set files with the smbd_keytab_t type, if you want to treat the files
         as kerberos keytab files.

       smbd_tmp_t

       - Set files with the smbd_tmp_t type, if you want to store smbd
         temporary files in the /tmp directories.

       smbd_tmpfs_t

       - Set files with the smbd_tmpfs_t type, if you want to store smbd files
         on a tmpfs file system.

       smbd_var_run_t

       - Set files with the smbd_var_run_t type, if you want to store the smbd
         files under the /run or /var/run directory.

       Paths:
              /var/run/samba(/.*)?, /var/run/samba/smbd.pid,
              /var/run/samba/brlock.tdb, /var/run/samba/locking.tdb,
              /var/run/samba/gencache.tdb, /var/run/samba/sessionid.tdb,
              /var/run/samba/share_info.tdb, /var/run/samba/connections.tdb

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

SHARING FILES
       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow smbd servers to read the /var/smbd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

              semanage fcontext -a -t public_content_t "/var/smbd(/.*)?"
              restorecon -F -R -v /var/smbd

       Allow smbd servers to read and write /var/smbd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the smbd_anon_write boolean.

              semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?"
              restorecon -F -R -v /var/smbd/incoming
              setsebool -P smbd_anon_write 1

       If you want to allow samba to modify public files used for public file
       transfer services (files and directories must be labeled
       public_content_rw_t), you must turn on the smbd_anon_write boolean.

              setsebool -P smbd_anon_write 1

446
448 semanage fcontext can also be used to manipulate default file context
449 mappings.
450
451 semanage permissive can also be used to manipulate whether or not a
452 process type is permissive.
453
454 semanage module can also be used to enable/disable/install/remove pol‐
455 icy modules.
456
457 semanage port can also be used to manipulate the port definitions
458
459 semanage boolean can also be used to manipulate the booleans
460
461
462 system-config-selinux is a GUI tool available to customize SELinux pol‐
463 icy settings.
464
465
467 This manual page was auto-generated using sepolicy manpage .
468
469
471 selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
472 setsebool(8)
473
474
475
476smbd 23-02-03 smbd_selinux(8)