1smbd_selinux(8) SELinux Policy smbd smbd_selinux(8)
2
3
4
6 smbd_selinux - Security Enhanced Linux Policy for the smbd processes
7
9 Security-Enhanced Linux secures the smbd processes via flexible manda‐
10 tory access control.
11
12 The smbd processes execute with the smbd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep smbd_t
19
20
21
23 The smbd_t SELinux type can be entered via the smbd_exec_t file type.
24
25 The default entrypoint paths for the smbd_t domain are the following:
26
27 /usr/sbin/smbd
28
30 SELinux defines process types (domains) for each process running on the
31 system
32
33 You can see the context of a process using the -Z option to ps
34
35 Policy governs the access confined processes have to files. SELinux
36 smbd policy is very flexible allowing users to setup their smbd pro‐
37 cesses in as secure a method as possible.
38
39 The following process types are defined for smbd:
40
41 smbd_t
42
43 Note: semanage permissive -a smbd_t can be used to make the process
44 type smbd_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
48
50 SELinux policy is customizable based on least access required. smbd
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run smbd with the tightest access possible.
53
54
55
56 If you want to dontaudit all daemons scheduling requests (setsched,
57 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
58 Enabled by default.
59
60 setsebool -P daemons_dontaudit_scheduling 1
61
62
63
64 If you want to allow all domains to execute in fips_mode, you must turn
65 on the fips_mode boolean. Enabled by default.
66
67 setsebool -P fips_mode 1
68
69
70
71 If you want to allow confined applications to run with kerberos, you
72 must turn on the kerberos_enabled boolean. Enabled by default.
73
74 setsebool -P kerberos_enabled 1
75
76
77
78 If you want to allow system to run with NIS, you must turn on the
79 nis_enabled boolean. Disabled by default.
80
81 setsebool -P nis_enabled 1
82
83
84
85 If you want to allow samba to create new home directories (e.g. via
86 PAM), you must turn on the samba_create_home_dirs boolean. Disabled by
87 default.
88
89 setsebool -P samba_create_home_dirs 1
90
91
92
93 If you want to allow samba to act as the domain controller, add users,
94 groups and change passwords, you must turn on the samba_domain_con‐
95 troller boolean. Disabled by default.
96
97 setsebool -P samba_domain_controller 1
98
99
100
101 If you want to allow samba and winbind-rpcd to share users home direc‐
102 tories, you must turn on the samba_enable_home_dirs boolean. Disabled
103 by default.
104
105 setsebool -P samba_enable_home_dirs 1
106
107
108
109 If you want to allow samba to share any file/directory read only, you
110 must turn on the samba_export_all_ro boolean. Disabled by default.
111
112 setsebool -P samba_export_all_ro 1
113
114
115
116 If you want to allow samba to share any file/directory read/write, you
117 must turn on the samba_export_all_rw boolean. Disabled by default.
118
119 setsebool -P samba_export_all_rw 1
120
121
122
123 If you want to allow smbd to load libgfapi from gluster, you must turn
124 on the samba_load_libgfapi boolean. Disabled by default.
125
126 setsebool -P samba_load_libgfapi 1
127
128
129
130 If you want to allow samba to act as a portmapper, you must turn on the
131 samba_portmapper boolean. Disabled by default.
132
133 setsebool -P samba_portmapper 1
134
135
136
137 If you want to allow samba to run unconfined scripts, you must turn on
138 the samba_run_unconfined boolean. Disabled by default.
139
140 setsebool -P samba_run_unconfined 1
141
142
143
144 If you want to allow samba to export ntfs/fusefs volumes, you must turn
145 on the samba_share_fusefs boolean. Disabled by default.
146
147 setsebool -P samba_share_fusefs 1
148
149
150
151 If you want to allow samba to export NFS volumes, you must turn on the
152 samba_share_nfs boolean. Disabled by default.
153
154 setsebool -P samba_share_nfs 1
155
156
157
159 SELinux defines port types to represent TCP and UDP ports.
160
161 You can see the types associated with a port by using the following
162 command:
163
164 semanage port -l
165
166
167 Policy governs the access confined processes have to these ports.
168 SELinux smbd policy is very flexible allowing users to setup their smbd
169 processes in as secure a method as possible.
170
171 The following port types are defined for smbd:
172
173
174 smbd_port_t
175
176
177
178 Default Defined Ports:
179 tcp 445,137-139
180
182 The SELinux process type smbd_t can manage files labeled with the fol‐
183 lowing file types. The paths listed are the default paths for these
184 file types. Note the processes UID still need to have DAC permissions.
185
186 auth_cache_t
187
188 /var/cache/coolkey(/.*)?
189
190 cluster_conf_t
191
192 /etc/cluster(/.*)?
193
194 cluster_var_lib_t
195
196 /var/lib/pcsd(/.*)?
197 /var/lib/cluster(/.*)?
198 /var/lib/openais(/.*)?
199 /var/lib/pengine(/.*)?
200 /var/lib/corosync(/.*)?
201 /usr/lib/heartbeat(/.*)?
202 /var/lib/heartbeat(/.*)?
203 /var/lib/pacemaker(/.*)?
204
205 cluster_var_run_t
206
207 /var/run/crm(/.*)?
208 /var/run/cman_.*
209 /var/run/rsctmp(/.*)?
210 /var/run/aisexec.*
211 /var/run/heartbeat(/.*)?
212 /var/run/pcsd-ruby.socket
213 /var/run/corosync-qnetd(/.*)?
214 /var/run/corosync-qdevice(/.*)?
215 /var/run/corosync.pid
216 /var/run/cpglockd.pid
217 /var/run/rgmanager.pid
218 /var/run/cluster/rgmanager.sk
219
220 ctdbd_var_lib_t
221
222 /var/lib/ctdb(/.*)?
223 /var/lib/ctdbd(/.*)?
224
225 faillog_t
226
227 /var/log/btmp.*
228 /var/log/faillog.*
229 /var/log/tallylog.*
230 /var/run/faillock(/.*)?
231
232 fusefs_t
233
234 /var/run/user/[0-9]+/gvfs
235
236 glusterd_var_lib_t
237
238 /var/lib/glusterd(/.*)?
239
240 glusterd_var_run_t
241
242 /var/run/gluster(/.*)?
243 /var/run/glusterd.*
244 /var/run/glusterd.*
245 /var/run/glusterd(/.*)?
246
247 httpd_user_content_t
248
249 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
250
251 initrc_var_run_t
252
253 /var/run/utmp
254 /var/run/random-seed
255 /var/run/runlevel.dir
256 /var/run/setmixer_flag
257
258 krb5_host_rcache_t
259
260 /var/tmp/krb5_0.rcache2
261 /var/cache/krb5rcache(/.*)?
262 /var/tmp/nfs_0
263 /var/tmp/DNS_25
264 /var/tmp/host_0
265 /var/tmp/imap_0
266 /var/tmp/HTTP_23
267 /var/tmp/HTTP_48
268 /var/tmp/ldap_55
269 /var/tmp/ldap_487
270 /var/tmp/ldapmap1_0
271
272 nfs_t
273
274
275 nmbd_var_run_t
276
277 /var/run/nmbd(/.*)?
278 /var/run/samba/nmbd(/.*)?
279 /var/run/samba/nmbd.pid
280 /var/run/samba/messages.tdb
281 /var/run/samba/namelist.debug
282 /var/run/samba/unexpected.tdb
283
284 non_security_file_type
285
286
287 noxattrfs
288
289 all files on file systems which do not support extended attributes
290
291 root_t
292
293 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
294 /
295 /initrd
296
297 samba_log_t
298
299 /var/log/samba(/.*)?
300
301 samba_secrets_t
302
303 /etc/samba/smbpasswd
304 /etc/samba/passdb.tdb
305 /etc/samba/MACHINE.SID
306 /etc/samba/secrets.tdb
307
308 samba_share_t
309
310 use this label for random content that will be shared using samba
311
312 samba_spool_t
313
314 /var/spool/samba(/.*)?
315
316 security_t
317
318 /selinux
319
320 smbd_tmp_t
321
322
323 smbd_tmpfs_t
324
325
326 smbd_var_run_t
327
328 /var/run/samba(/.*)?
329 /var/run/samba/smbd.pid
330 /var/run/samba/brlock.tdb
331 /var/run/samba/locking.tdb
332 /var/run/samba/gencache.tdb
333 /var/run/samba/sessionid.tdb
334 /var/run/samba/share_info.tdb
335 /var/run/samba/connections.tdb
336
337 user_home_type
338
339 all user home files
340
341 wtmp_t
342
343 /var/log/wtmp.*
344
345
347 SELinux requires files to have an extended attribute to define the file
348 type.
349
350 You can see the context of a file using the -Z option to ls
351
352 Policy governs the access confined processes have to these files.
353 SELinux smbd policy is very flexible allowing users to setup their smbd
354 processes in as secure a method as possible.
355
356 EQUIVALENCE DIRECTORIES
357
358
359 smbd policy stores data with multiple different file context types un‐
360 der the /var/run/samba directory. If you would like to store the data
361 in a different directory you can use the semanage command to create an
362 equivalence mapping. If you wanted to store this data under the /srv
363 directory you would execute the following command:
364
365 semanage fcontext -a -e /var/run/samba /srv/samba
366 restorecon -R -v /srv/samba
367
368 STANDARD FILE CONTEXT
369
370 SELinux defines the file context types for the smbd, if you wanted to
371 store files with these types in a different paths, you need to execute
372 the semanage command to specify alternate labeling and then use re‐
373 storecon to put the labels on disk.
374
375 semanage fcontext -a -t smbd_exec_t '/srv/smbd/content(/.*)?'
376 restorecon -R -v /srv/mysmbd_content
377
378 Note: SELinux often uses regular expressions to specify labels that
379 match multiple files.
380
381 The following file types are defined for smbd:
382
383
384
385 smbd_exec_t
386
387 - Set files with the smbd_exec_t type, if you want to transition an ex‐
388 ecutable to the smbd_t domain.
389
390
391
392 smbd_keytab_t
393
394 - Set files with the smbd_keytab_t type, if you want to treat the files
395 as kerberos keytab files.
396
397
398
399 smbd_tmp_t
400
401 - Set files with the smbd_tmp_t type, if you want to store smbd tempo‐
402 rary files in the /tmp directories.
403
404
405
406 smbd_tmpfs_t
407
408 - Set files with the smbd_tmpfs_t type, if you want to store smbd files
409 on a tmpfs file system.
410
411
412
413 smbd_var_run_t
414
415 - Set files with the smbd_var_run_t type, if you want to store the smbd
416 files under the /run or /var/run directory.
417
418
419 Paths:
420 /var/run/samba(/.*)?, /var/run/samba/smbd.pid, /var/run/samba/br‐
421 lock.tdb, /var/run/samba/locking.tdb, /var/run/samba/gencache.tdb,
422 /var/run/samba/sessionid.tdb, /var/run/samba/share_info.tdb,
423 /var/run/samba/connections.tdb
424
425
426 Note: File context can be temporarily modified with the chcon command.
427 If you want to permanently change the file context you need to use the
428 semanage fcontext command. This will modify the SELinux labeling data‐
429 base. You will need to use restorecon to apply the labels.
430
431
433 If you want to share files with multiple domains (Apache, FTP, rsync,
434 Samba), you can set a file context of public_content_t and public_con‐
435 tent_rw_t. These context allow any of the above domains to read the
436 content. If you want a particular domain to write to the public_con‐
437 tent_rw_t domain, you must set the appropriate boolean.
438
439 Allow smbd servers to read the /var/smbd directory by adding the pub‐
440 lic_content_t file type to the directory and by restoring the file
441 type.
442
443 semanage fcontext -a -t public_content_t "/var/smbd(/.*)?"
444 restorecon -F -R -v /var/smbd
445
446 Allow smbd servers to read and write /var/smbd/incoming by adding the
447 public_content_rw_t type to the directory and by restoring the file
448 type. You also need to turn on the smbd_anon_write boolean.
449
450 semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?"
451 restorecon -F -R -v /var/smbd/incoming
452 setsebool -P smbd_anon_write 1
453
454
455 If you want to allow samba to modify public files used for public file
456 transfer services. Files/Directories must be labeled public_con‐
457 tent_rw_t., you must turn on the smbd_anon_write boolean.
458
459 setsebool -P smbd_anon_write 1
460
461
463 semanage fcontext can also be used to manipulate default file context
464 mappings.
465
466 semanage permissive can also be used to manipulate whether or not a
467 process type is permissive.
468
469 semanage module can also be used to enable/disable/install/remove pol‐
470 icy modules.
471
472 semanage port can also be used to manipulate the port definitions
473
474 semanage boolean can also be used to manipulate the booleans
475
476
477 system-config-selinux is a GUI tool available to customize SELinux pol‐
478 icy settings.
479
480
482 This manual page was auto-generated using sepolicy manpage .
483
484
486 selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
487 setsebool(8)
488
489
490
491smbd 23-12-15 smbd_selinux(8)