I had a little problem when I set up a Samba share between my Fedora system and a VM. I always got the “permission denied” message. It was related to SELinux, but that didn’t occur to me at first. So here you will find my debugging :)
First, my Samba share configuration:
    [adejoux]
    path = /home/adejoux
    read only = no
    browseable = yes
    public = no
    force user = adejoux
    create mask = 0777
    directory mask = 0777
It’s a very simple one.
Mounting the CIFS filesystem works:
    # mount -t cifs -o username=adejoux,workgroup=WORKGROUP //192.168.122.1/adejoux /mnt2
    Password for adejoux@//192.168.122.1/adejoux: ********
But I was unable to see the content of the directory.
    [root]# ls /mnt2
    ls: reading directory /mnt2: Permission denied
The permissions were right:
    ls -ld /mnt2
    drwx--x---. 90 adejoux adejoux 0 Jul 21 11:30 /mnt2
I increased the log level in the global section of /etc/samba/smb.conf:
    log level = 2
Nothing really interesting in the logs. Authentication was working:
    check_ntlm_password: authentication for user [adejoux] -> [adejoux] -> [adejoux] succeeded
After googling it, it seemed related to SELinux.
SELinux was enabled:
    sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      29
It was very tempting to disable it :) But the best solution was to install setroubleshoot.
It analyzes the messages in /var/log/audit/audit.log and gives very good instructions on how to resolve the problem:
    SELinux is preventing /usr/sbin/smbd from getattr access on the file .
    ***** Plugin catchall_boolean (47.5 confidence) suggests ******************
    If you want to allow samba to share any file/directory read only.
    Then you must tell SELinux about this by enabling the 'samba_export_all_ro' boolean.
    You can read 'user_selinux' man page for more details.
    Do
    setsebool -P samba_export_all_ro 1
    ***** Plugin catchall_boolean (47.5 confidence) suggests ******************
    If you want to allow samba to share any file/directory read/write.
    Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.
    You can read 'user_selinux' man page for more details.
    Do
    setsebool -P samba_export_all_rw 1
It’s really impressive, and it solved the problem.
I wanted to share a home directory, so I used the one listed in the original smb.conf file :)
    setsebool -P samba_enable_home_dirs on
Keeping a small conf file without any comments was not such a brilliant idea here. The original smb.conf file describes the needed SELinux configuration. But it allowed me to dwell on SELinux and play with setroubleshoot, so it’s not so bad :)
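To show what setroubleshoot is working from, here is an added example (not part of the original post and not setroubleshoot's own code) that parses AVC denials for smbd and suggests the home-directory boolean used above rather than the broader samba_export_all_* ones. The sample log lines are constructed, and the mapping of the user_home_t and user_home_dir_t types to samba_enable_home_dirs is an assumption about the targeted policy.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1405935000.101:411): avc:  denied  { getattr } for  pid=2211 comm="smbd" path="/home/adejoux/notes.txt" dev="dm-2" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1405935000.204:412): avc:  denied  { read } for  pid=2211 comm="smbd" name="adejoux" dev="dm-2" ino=12 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1405935001.310:413): avc:  denied  { getattr } for  pid=2211 comm="smbd" path="/srv/data/report.txt" dev="dm-2" ino=977 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1405935002.001:414): avc:  denied  { open } for  pid=900 comm="httpd" path="/home/adejoux/x" dev="dm-2" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Denied permissions, then source context, target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Assumption: these are the types samba_enable_home_dirs opens to smbd.
HOME_TYPES = {"user_home_t", "user_home_dir_t"}

def selinux_type(context):
    # A context is user:role:type:level; the level may itself contain ':'.
    return context.split(":", 3)[2]

def smbd_denials(log_text):
    """Group denied permissions by (target type, class) for the smbd_t domain."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scontext"]) != "smbd_t":
            continue  # not an AVC denial, or another daemon's denial
        key = (selinux_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)

def narrowest_fix(denials):
    """Map each denied target type to the narrowest change that covers it."""
    fixes = {}
    for ttype, _tclass in denials:
        if ttype in HOME_TYPES:
            fixes[ttype] = "setsebool -P samba_enable_home_dirs on"
        else:
            fixes[ttype] = "review: not a home directory type; samba_export_all_ro/rw would open every type"
    return fixes

if __name__ == "__main__":
    for ttype, fix in narrowest_fix(smbd_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"{ttype}: {fix}")
```
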