I had a little problem when I set up a Samba share between my Fedora system and a VM. I always got the “permission denied” message. It was related to SELinux, but that didn’t occur to me at first. So here you will find my debugging :)

First, my Samba share configuration:

[adejoux]
     path = /home/adejoux
     read only = no
     browseable = yes
     public = no
     force user = adejoux
     create mask = 0777
     directory mask = 0777

It’s a very simple one.

Mounting the CIFS filesystem works:

# mount -t cifs -o username=adejoux,workgroup=WORKGROUP //192.168.122.1/adejoux /mnt2
Password for adejoux@//192.168.122.1/adejoux: ********

But I was unable to see the content of the directory.

[root]# ls /mnt2
ls: reading directory /mnt2: Permission denied

The permissions were right:

ls -ld /mnt2
drwx--x---. 90 adejoux adejoux 0 Jul 21 11:30 /mnt2

I increased the log level in the global section of /etc/samba/smb.conf:

log level = 2

Nothing really interesting in the logs. Authentication was working:

check_ntlm_password: authentication for user [adejoux] -> [adejoux] -> [adejoux] succeeded

After googling it, it seemed related to SELinux.

SELinux was enabled:

sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29

It was very tempting to disable it :) But the best solution was to install setroubleshoot.

It analyzes the messages in /var/log/audit/audit.log and gives very good instructions on how to resolve the problem:

SELinux is preventing /usr/sbin/smbd from getattr access on the file .

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow samba to share any file/directory read only.
Then you must tell SELinux about this by enabling the 'samba_export_all_ro' boolean.
You can read 'user_selinux' man page for more details.
Do
setsebool -P samba_export_all_ro 1

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow samba to share any file/directory read/write.
Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.
You can read 'user_selinux' man page for more details.
Do
setsebool -P samba_export_all_rw 1

It’s really impressive, and it solved the problem.

I wanted to share a home directory, so I used the one listed in the original smb.conf file :)

setsebool -P samba_enable_home_dirs on

Keeping a small conf file without any comments was not such a brilliant idea here. The original smb.conf file describes the needed SELinux configuration. But it allowed me to dwell on SELinux and play with setroubleshoot, so it’s not so bad :)
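
To see which denials sit behind those suggestions before flipping a boolean, the AVC records for smbd can be summarized directly. The script below is an added example, not part of the original post: the audit records are constructed samples, the function names are hypothetical, and it assumes home-directory content carries the targeted policy's default user_home_t / user_home_dir_t labels.

```sh
#!/bin/sh
# Constructed audit.log records for illustration (not taken from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1405935001.101:501): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/home/adejoux/notes.txt" dev="dm-2" ino=1311 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1405935002.202:502): avc:  denied  { read } for  pid=2101 comm="smbd" name="adejoux" dev="dm-2" ino=1300 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1405935003.303:503): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/home/adejoux/todo.txt" dev="dm-2" ino=1312 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1405935004.404:504): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/srv/data" dev="dm-1" ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1405935005.505:505): avc:  denied  { write } for  pid=990 comm="httpd" name="upload" dev="dm-1" ino=88 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
EOF
}

# Read audit records on stdin; print one "perms target_type class" line per
# distinct denial whose source domain is smbd_t (other daemons are ignored).
smbd_denials() {
  awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:smbd_t:/ {
      perm = $0
      sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
      gsub(/ /, ",", perm)              # "{ read write }" becomes "read,write"
      ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      key = perm " " ttype " " tclass
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Map a denied target type to the narrowest boolean named in this post.
# Assumption: home directories use the default user_home_t/user_home_dir_t labels.
suggest_boolean() {
  case "$1" in
    user_home_t|user_home_dir_t) echo "samba_enable_home_dirs" ;;
    *) echo "not a home-dir type; samba_export_all_ro/rw would cover it but is broad" ;;
  esac
}

# Combine both: one line per distinct smbd denial with the matching suggestion.
report() {
  smbd_denials | while read -r perms ttype tclass; do
    printf '%s on %s (%s) -> %s\n' "$perms" "$ttype" "$tclass" "$(suggest_boolean "$ttype")"
  done
}

sample_audit_log | report
```

On a live system, run `report < /var/log/audit/audit.log` as root, and check the current setting with `getsebool samba_enable_home_dirs` before changing it.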