Provided by: selinux-policy-doc_2.20110726-3_all bug


       samba_selinux - Security Enhanced Linux Policy for Samba


       Security-Enhanced Linux secures the Samba server via flexible mandatory access control.


       SELinux  requires  files  to  have  an extended attribute to define the file type.  Policy
       governs the access daemons have to these files.  If you want to  share  files  other  than
       home  directories, those files must be labeled samba_share_t.  So if you created a special
       directory /var/eng, you would need to label the directory with the chcon tool.

       chcon -t samba_share_t /var/eng

       To make this change permanent (survive a relabel), use the semanage  command  to  add  the
       change to file context configuration:

       semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"

       This          command          adds         the         following         entry         to

       /var/eng(/.*)? system_u:object_r:samba_share_t:s0

       Run the restorecon command to apply the changes:

       restorecon -R -v /var/eng/


       If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can  set
       a  file  context  of public_content_t and public_content_rw_t.  These context allow any of
       the above domains to read the content.  If you want a particular domain to  write  to  the
       public_content_rw_t     domain,     you     must     set    the    appropriate    boolean.
       allow_DOMAIN_anon_write.  So for samba you would execute:

       setsebool -P allow_smbd_anon_write=1


       SELinux policy is customizable based on least access  required.   So  by  default  SELinux
       policy  turns  off  SELinux sharing of home directories and the use of Samba shares from a
       remote machine as a home directory.

       If you are setting up this  machine  as  a  Samba  server  and  wish  to  share  the  home
       directories, you need to set the samba_enable_home_dirs boolean.

              setsebool -P samba_enable_home_dirs 1

       If  you  want  to  use a remote Samba server for the home directories on this machine, you
       must set the use_samba_home_dirs boolean.

              setsebool -P use_samba_home_dirs 1

       system-config-selinux is a GUI tool available to customize SELinux policy settings.


       This manual page was written by Dan Walsh <>.


       selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)