1smbd_selinux(8)               SELinux Policy smbd              smbd_selinux(8)
2
3
4

NAME

6       smbd_selinux - Security Enhanced Linux Policy for the smbd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the smbd processes via flexible manda‐
10       tory access control.
11
12       The smbd processes execute with the smbd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep smbd_t
19
20
21

ENTRYPOINTS

23       The smbd_t SELinux type can be entered via the smbd_exec_t file type.
24
25       The default entrypoint paths for the smbd_t domain are the following:
26
27       /usr/sbin/smbd
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       smbd policy is very flexible allowing users to setup  their  smbd  pro‐
37       cesses in as secure a method as possible.
38
39       The following process types are defined for smbd:
40
41       smbd_t
42
43       Note:  semanage  permissive  -a  smbd_t can be used to make the process
44       type smbd_t permissive. SELinux does  not  deny  access  to  permissive
45       process  types, but the AVC (SELinux denials) messages are still gener‐
46       ated.
47
48

BOOLEANS

50       SELinux policy is customizable based on least  access  required.   smbd
51       policy is extremely flexible and has several booleans that allow you to
52       manipulate the policy and run smbd with the tightest access possible.
53
54
55
56       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
57       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
58       Enabled by default.
59
60       setsebool -P daemons_dontaudit_scheduling 1
61
62
63
64       If you want to allow all domains to execute in fips_mode, you must turn
65       on the fips_mode boolean. Enabled by default.
66
67       setsebool -P fips_mode 1
68
69
70
71       If  you  want  to allow confined applications to run with kerberos, you
72       must turn on the kerberos_enabled boolean. Enabled by default.
73
74       setsebool -P kerberos_enabled 1
75
76
77
78       If you want to allow system to run with  NIS,  you  must  turn  on  the
79       nis_enabled boolean. Disabled by default.
80
81       setsebool -P nis_enabled 1
82
83
84
85       If  you  want  to  allow samba to create new home directories (e.g. via
86       PAM), you must turn on the samba_create_home_dirs boolean. Disabled  by
87       default.
88
89       setsebool -P samba_create_home_dirs 1
90
91
92
93       If  you want to allow samba to act as the domain controller, add users,
94       groups and change passwords, you must  turn  on  the  samba_domain_con‐
95       troller boolean. Disabled by default.
96
97       setsebool -P samba_domain_controller 1
98
99
100
101       If  you want to allow samba and winbind-rpcd to share users home direc‐
102       tories, you must turn on the samba_enable_home_dirs  boolean.  Disabled
103       by default.
104
105       setsebool -P samba_enable_home_dirs 1
106
107
108
109       If  you  want to allow samba to share any file/directory read only, you
110       must turn on the samba_export_all_ro boolean. Disabled by default.
111
112       setsebool -P samba_export_all_ro 1
113
114
115
116       If you want to allow samba to share any file/directory read/write,  you
117       must turn on the samba_export_all_rw boolean. Disabled by default.
118
119       setsebool -P samba_export_all_rw 1
120
121
122
123       If  you want to allow smbd to load libgfapi from gluster, you must turn
124       on the samba_load_libgfapi boolean. Disabled by default.
125
126       setsebool -P samba_load_libgfapi 1
127
128
129
130       If you want to allow samba to act as a portmapper, you must turn on the
131       samba_portmapper boolean. Disabled by default.
132
133       setsebool -P samba_portmapper 1
134
135
136
137       If  you want to allow samba to run unconfined scripts, you must turn on
138       the samba_run_unconfined boolean. Disabled by default.
139
140       setsebool -P samba_run_unconfined 1
141
142
143
144       If you want to allow samba to export ntfs/fusefs volumes, you must turn
145       on the samba_share_fusefs boolean. Disabled by default.
146
147       setsebool -P samba_share_fusefs 1
148
149
150
151       If  you want to allow samba to export NFS volumes, you must turn on the
152       samba_share_nfs boolean. Disabled by default.
153
154       setsebool -P samba_share_nfs 1
155
156
157

PORT TYPES

159       SELinux defines port types to represent TCP and UDP ports.
160
161       You can see the types associated with a port  by  using  the  following
162       command:
163
164       semanage port -l
165
166
167       Policy  governs  the  access  confined  processes  have to these ports.
168       SELinux smbd policy is very flexible allowing users to setup their smbd
169       processes in as secure a method as possible.
170
171       The following port types are defined for smbd:
172
173
174       smbd_port_t
175
176
177
178       Default Defined Ports:
179                 tcp 445,137-139
180

MANAGED FILES

182       The  SELinux process type smbd_t can manage files labeled with the fol‐
183       lowing file types.  The paths listed are the default  paths  for  these
184       file types.  Note the processes UID still need to have DAC permissions.
185
186       auth_cache_t
187
188            /var/cache/coolkey(/.*)?
189
190       cluster_conf_t
191
192            /etc/cluster(/.*)?
193
194       cluster_var_lib_t
195
196            /var/lib/pcsd(/.*)?
197            /var/lib/cluster(/.*)?
198            /var/lib/openais(/.*)?
199            /var/lib/pengine(/.*)?
200            /var/lib/corosync(/.*)?
201            /usr/lib/heartbeat(/.*)?
202            /var/lib/heartbeat(/.*)?
203            /var/lib/pacemaker(/.*)?
204
205       cluster_var_run_t
206
207            /var/run/crm(/.*)?
208            /var/run/cman_.*
209            /var/run/rsctmp(/.*)?
210            /var/run/aisexec.*
211            /var/run/heartbeat(/.*)?
212            /var/run/pcsd-ruby.socket
213            /var/run/corosync-qnetd(/.*)?
214            /var/run/corosync-qdevice(/.*)?
215            /var/run/corosync.pid
216            /var/run/cpglockd.pid
217            /var/run/rgmanager.pid
218            /var/run/cluster/rgmanager.sk
219
220       ctdbd_var_lib_t
221
222            /var/lib/ctdb(/.*)?
223            /var/lib/ctdbd(/.*)?
224
225       faillog_t
226
227            /var/log/btmp.*
228            /var/log/faillog.*
229            /var/log/tallylog.*
230            /var/run/faillock(/.*)?
231
232       fusefs_t
233
234            /var/run/user/[0-9]+/gvfs
235
236       glusterd_var_lib_t
237
238            /var/lib/glusterd(/.*)?
239
240       glusterd_var_run_t
241
242            /var/run/gluster(/.*)?
243            /var/run/glusterd.*
244            /var/run/glusterd.*
245            /var/run/glusterd(/.*)?
246
247       httpd_user_content_t
248
249            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
250
251       initrc_var_run_t
252
253            /var/run/utmp
254            /var/run/random-seed
255            /var/run/runlevel.dir
256            /var/run/setmixer_flag
257
258       krb5_host_rcache_t
259
260            /var/tmp/krb5_0.rcache2
261            /var/cache/krb5rcache(/.*)?
262            /var/tmp/nfs_0
263            /var/tmp/DNS_25
264            /var/tmp/host_0
265            /var/tmp/imap_0
266            /var/tmp/HTTP_23
267            /var/tmp/HTTP_48
268            /var/tmp/ldap_55
269            /var/tmp/ldap_487
270            /var/tmp/ldapmap1_0
271
272       nfs_t
273
274
275       nmbd_var_run_t
276
277            /var/run/nmbd(/.*)?
278            /var/run/samba/nmbd(/.*)?
279            /var/run/samba/nmbd.pid
280            /var/run/samba/messages.tdb
281            /var/run/samba/namelist.debug
282            /var/run/samba/unexpected.tdb
283
284       non_security_file_type
285
286
287       noxattrfs
288
289            all files on file systems which do not support extended attributes
290
291       root_t
292
293            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
294            /
295            /initrd
296
297       samba_log_t
298
299            /var/log/samba(/.*)?
300
301       samba_secrets_t
302
303            /etc/samba/smbpasswd
304            /etc/samba/passdb.tdb
305            /etc/samba/MACHINE.SID
306            /etc/samba/secrets.tdb
307
308       samba_share_t
309
310            use this label for random content that will be shared using samba
311
312       samba_spool_t
313
314            /var/spool/samba(/.*)?
315
316       security_t
317
318            /selinux
319
320       smbd_tmp_t
321
322
323       smbd_tmpfs_t
324
325
326       smbd_var_run_t
327
328            /var/run/samba(/.*)?
329            /var/run/samba/smbd.pid
330            /var/run/samba/brlock.tdb
331            /var/run/samba/locking.tdb
332            /var/run/samba/gencache.tdb
333            /var/run/samba/sessionid.tdb
334            /var/run/samba/share_info.tdb
335            /var/run/samba/connections.tdb
336
337       user_home_type
338
339            all user home files
340
341       wtmp_t
342
343            /var/log/wtmp.*
344
345

FILE CONTEXTS

347       SELinux requires files to have an extended attribute to define the file
348       type.
349
350       You can see the context of a file using the -Z option to ls
351
352       Policy governs the access  confined  processes  have  to  these  files.
353       SELinux smbd policy is very flexible allowing users to setup their smbd
354       processes in as secure a method as possible.
355
356       EQUIVALENCE DIRECTORIES
357
358
359       smbd policy stores data with multiple different file context types  un‐
360       der  the /var/run/samba directory.  If you would like to store the data
361       in a different directory you can use the semanage command to create  an
362       equivalence  mapping.   If you wanted to store this data under the /srv
363       directory you would execute the following command:
364
365       semanage fcontext -a -e /var/run/samba /srv/samba
366       restorecon -R -v /srv/samba
367
368       STANDARD FILE CONTEXT
369
370       SELinux defines the file context types for the smbd, if you  wanted  to
371       store  files with these types in a different paths, you need to execute
372       the semanage command to specify alternate labeling  and  then  use  re‐
373       storecon to put the labels on disk.
374
375       semanage fcontext -a -t smbd_exec_t '/srv/smbd/content(/.*)?'
376       restorecon -R -v /srv/mysmbd_content
377
378       Note:  SELinux  often  uses  regular expressions to specify labels that
379       match multiple files.
380
381       The following file types are defined for smbd:
382
383
384
385       smbd_exec_t
386
387       - Set files with the smbd_exec_t type, if you want to transition an ex‐
388       ecutable to the smbd_t domain.
389
390
391
392       smbd_keytab_t
393
394       - Set files with the smbd_keytab_t type, if you want to treat the files
395       as kerberos keytab files.
396
397
398
399       smbd_tmp_t
400
401       - Set files with the smbd_tmp_t type, if you want to store smbd  tempo‐
402       rary files in the /tmp directories.
403
404
405
406       smbd_tmpfs_t
407
408       - Set files with the smbd_tmpfs_t type, if you want to store smbd files
409       on a tmpfs file system.
410
411
412
413       smbd_var_run_t
414
415       - Set files with the smbd_var_run_t type, if you want to store the smbd
416       files under the /run or /var/run directory.
417
418
419       Paths:
420            /var/run/samba(/.*)?,  /var/run/samba/smbd.pid, /var/run/samba/br‐
421            lock.tdb, /var/run/samba/locking.tdb, /var/run/samba/gencache.tdb,
422            /var/run/samba/sessionid.tdb,       /var/run/samba/share_info.tdb,
423            /var/run/samba/connections.tdb
424
425
426       Note: File context can be temporarily modified with the chcon  command.
427       If  you want to permanently change the file context you need to use the
428       semanage fcontext command.  This will modify the SELinux labeling data‐
429       base.  You will need to use restorecon to apply the labels.
430
431

SHARING FILES

433       If  you  want to share files with multiple domains (Apache, FTP, rsync,
434       Samba), you can set a file context of public_content_t and  public_con‐
435       tent_rw_t.   These  context  allow any of the above domains to read the
436       content.  If you want a particular domain to write to  the  public_con‐
437       tent_rw_t domain, you must set the appropriate boolean.
438
439       Allow  smbd  servers to read the /var/smbd directory by adding the pub‐
440       lic_content_t file type to the directory  and  by  restoring  the  file
441       type.
442
443       semanage fcontext -a -t public_content_t "/var/smbd(/.*)?"
444       restorecon -F -R -v /var/smbd
445
446       Allow  smbd  servers to read and write /var/smbd/incoming by adding the
447       public_content_rw_t type to the directory and  by  restoring  the  file
448       type.  You also need to turn on the smbd_anon_write boolean.
449
450       semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?"
451       restorecon -F -R -v /var/smbd/incoming
452       setsebool -P smbd_anon_write 1
453
454
455       If  you want to allow samba to modify public files used for public file
456       transfer  services.   Files/Directories  must  be  labeled  public_con‐
457       tent_rw_t., you must turn on the smbd_anon_write boolean.
458
459       setsebool -P smbd_anon_write 1
460
461

COMMANDS

463       semanage  fcontext  can also be used to manipulate default file context
464       mappings.
465
466       semanage permissive can also be used to manipulate  whether  or  not  a
467       process type is permissive.
468
469       semanage  module can also be used to enable/disable/install/remove pol‐
470       icy modules.
471
472       semanage port can also be used to manipulate the port definitions
473
474       semanage boolean can also be used to manipulate the booleans
475
476
477       system-config-selinux is a GUI tool available to customize SELinux pol‐
478       icy settings.
479
480

AUTHOR

482       This manual page was auto-generated using sepolicy manpage .
483
484

SEE ALSO

486       selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
487       setsebool(8)
488
489
490
491smbd                               23-10-20                    smbd_selinux(8)
Impressum