In the configuration I have set up, I wish to allow Samba and Apache to access /var/www. I am able to set a context to allow Samba access, but then httpd doesn't have access. Using setenforce to 0 eliminates issues, so I know that it is SELinux.
In addition: How can I view the context of a folder, and can a folder have multiple contexts?
(CentOS)
First off, you can view the context of something with ls using ls -Z.
Second, there are two options for giving Samba and Apache access to the same directory.
The simple way is to just allow samba read/write access everywhere with:
It's simple, easy, and doesn't mess with any weird properties of SELinux.
If you're concerned with Samba having full access to all directories and only want to change /var/www, try:
This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:
You can look through this CentOS wiki page to get hints on other SELinux booleans.
For example:
For Red Hat Linux:
Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-the_apache_http_server-configuration_examples
13.4.2. Sharing NFS and CIFS volumes

By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the nfs_t type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the cifs_t type.

Depending on policy configuration, services may not be able to read files labeled with the nfs_t or cifs_t types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be enabled or disabled to control which services are allowed to access the nfs_t and cifs_t types.

Enable the httpd_use_nfs Boolean to allow httpd to access and share NFS volumes (labeled with the nfs_t type):
Enable the httpd_use_cifs Boolean to allow httpd to access and share CIFS volumes (labeled with the cifs_t type):
Note
Do not use the -P option if you do not want setsebool changes to persist across reboots.
....................
NOTE: To view the current SELinux context settings for a directory (in the below example, the /shares/ directory):
You can exclude the -d to view the context of the files and folders under the directory:
.........................
Labeling /shares/ with the public_content_t type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Enter the following command as root to add the label change to file-context configuration:
Use the restorecon utility as root to apply the label changes:
NOTE: For me, I wasn't sure what the restorecon command was for and hadn't run it initially and was wondering why the semanage command changes didn't get applied after I ran it. The reference article states that the restorecon command applies the context changes from the semanage command.
After applying the changes, you can view the context settings by running:
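
An added example, not part of the original answers: a small audit that reads `ls -Zd` output and lists every directory whose SELinux type is not the shared type, which catches the case described above where chcon without -R leaves /var/www/html and /var/www/manual on their old label. The function names and the sample listing are constructed for illustration, and /var/www/uploads is a hypothetical directory.

```shell
#!/bin/sh
# Added example: find directories that did not receive the shared SELinux type.

# Print the SELinux type from one `ls -Z` line. Handles both layouts
# ("mode user group context path" and "context path") by taking the first
# field shaped like user:role:type[:level]. Prints nothing for "?" (no label).
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, part, ":")
            if (n >= 3 && part[2] ~ /_r$/) { print part[3]; exit }
        }
    }'
}

# Read `ls -Zd` lines on stdin and print "path type" for each entry whose
# type differs from $1. Returns 0 when every entry matches, 1 otherwise.
# Limitation: the path is taken as the last word, so paths with spaces break.
audit_labels() {
    want=$1
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        got=$(selinux_type "$line")
        path=${line##* }
        if [ "$got" != "$want" ]; then
            printf '%s %s\n' "$path" "${got:-unlabeled}"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: /var/www relabelled without -R, so the existing
# subdirectories keep their previous type.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/manual
unconfined_u:object_r:public_content_rw_t:s0 /var/www/uploads
EOF
}

sample_listing | audit_labels public_content_rw_t || true
```

On a live system, replace the sample with real output, for example `ls -Zd /var/www /var/www/* | audit_labels public_content_rw_t`.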