Description of problem:
Access denied for samba due to selinux

Version-Release number of selected component (if applicable):
rpm -qa | grep selinux
selinux-policy-2.4.6-7.fc6
libselinux-python-1.33.2-3.fc6
selinux-policy-targeted-2.4.6-7.fc6
libselinux-1.33.2-3.fc6

samba config:
[global]
dos charset = CP866
unix charset = LOCALE
workgroup = NFCZN
netbios name = FEDORA
server string = Samba Server
security = SHARE
log file = /var/log/samba/%m.log
max log size = 50
time server = Yes
dns proxy = No
hosts allow = 10.17.185., 127.
cups options = raw

[backup]
comment = Каталог для резервных копий
path = /var/shares/backup
force user = zebar
read only = No
guest ok = Yes

What happened:
Access denied to share

Workaround:
In /etc/sysconfig/selinux I wrote SELINUX=permissive and rebooted.

Now there are a lot of messages in the syslog:
Dec 15 19:34:13 mail kernel: audit(1166200453.620:12): avc: denied { read } for pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Dec 15 19:34:13 mail kernel: audit(1166200453.623:13): avc: denied { write } for pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Dec 15 19:34:13 mail kernel: audit(1166200453.623:14): avc: denied { add_name } for pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Dec 15 19:34:13 mail kernel: audit(1166200453.623:15): avc: denied { create } for pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

chcon -R -t samba_share_t /var/backup

man samba_selinux

If you were using setroubleshoot it would have told you something like the following.

Summary
    SELinux is preventing samba (smbd) "read" to backup (var_t).

Detailed Description
    SELinux denied samba access to backup. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use backup as a samba repository it could indicate either a bug or it could signal a intrusion attempt.

Allowing Access
    You can alter the file context by executing chcon -R -t samba_share_t backup

    The following command will allow this access:
    chcon -R -t samba_share_t backup

Additional Information
    Source Context          root:system_r:smbd_t
    Target Context          root:object_r:var_t
    Target Objects          backup [ dir ]
    Affected RPM Packages
    Policy RPM
    Selinux Enabled
    Policy Type
    MLS Enabled
    Enforcing Mode
    Plugin Name             plugins.samba_share
    Host Name
    Platform
    Alert Count             1
    Line Numbers            1

Raw Audit Messages
    avc: denied { read } for comm="smbd" dev=hda6 name="backup" pid=2225 scontext=root:system_r:smbd_t:s0 tclass=dir tcontext=root:object_r:var_t:s0
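
Added example (not part of the original report and not setroubleshoot's code): a small Python triage script that parses the AVC denials quoted in the report, groups them by source type, target type and class, and flags smbd_t denials against anything not labelled samba_share_t. The function names are hypothetical, and decoding the unquoted name= value as hex-encoded UTF-8 assumes the audit convention of hex-encoding names that contain spaces or non-ASCII bytes.

```python
import re
from collections import defaultdict

# Three of the denials from the report above, syslog prefix trimmed.
SAMPLE = """\
audit(1166200453.620:12): avc: denied { read } for pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
audit(1166200453.623:13): avc: denied { write } for pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
audit(1166200453.623:14): avc: denied { add_name } for pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_name(raw):
    # Quoted names are literal; unquoted ones are assumed to be hex-encoded bytes.
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8")
    except ValueError:  # not hex, or not valid UTF-8: keep the raw value
        return raw

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC.search(line)
    if not m:
        return None
    f = dict(FIELD.findall(m.group("fields")))
    if "scontext" not in f or "tcontext" not in f:
        return None
    return {"perms": m.group("perms").split(),
            "name": decode_name(f.get("name", "")),
            "source_type": f["scontext"].split(":")[2],  # user:role:type[:level]
            "target_type": f["tcontext"].split(":")[2],
            "tclass": f.get("tclass", "")}

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            groups[key]["perms"].update(rec["perms"])
            groups[key]["names"].add(rec["name"])
    return dict(groups)

def needs_samba_label(summary):
    # smbd_t blocked on a target that does not carry the samba_share_t label.
    return sorted(k for k in summary if k[0] == "smbd_t" and k[1] != "samba_share_t")
```

A label set with chcon is lost on a full filesystem relabel; recording the rule with semanage fcontext and applying it with restorecon makes it persistent.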