How do I get SELinux to allow Apache and Samba on the same folder?

In the configuration I have setup I wish to allow samba and apache to access /var/www I am able to set a context to allow samba access, but then httpd doesn't have access. Using setenforce to 0 eliminates issues so I know that it is SELinux.

In addition: How can I view the context of a folder, and can a folder have multiple contexts?

(CentOS)


First off, you can view the context of something with ls using ls -Z

[root@servername www]# ls -dZ /var/www
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t /var/www

Second, there are two options for giving Samba and Apache access to the same directory.

The simple way is to just allow samba read/write access everywhere with:

setsebool -P samba_export_all_rw 1

It's simple, easy, and doesn't mess with any weird properties of SELinux.

If you're concerned with Samba having full access to all directories and only want to change /var/www, try:

chcon -t public_content_rw_t /var/www
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1

This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:

chcon -R -t public_content_rw_t /var/www

You can look through this CentOS wiki page to get hints on other SELinux booleans.


SHARING FILES
   If you want to share files with multiple domains (Apache,  FTP,  rsync,
   Samba),  you can set a file context of public_content_t and public_content_rw_t.
   These context allow any of the above domains  to  read  the
   content.   If  you want a particular domain to write to the public_con‐
   tent_rw_t   domain,   you   must   set   the    appropriate    boolean.
   allow_DOMAIN_anon_write.  So for samba you would execute:

       setsebool -P allow_smbd_anon_write=1
  • http://fedoraproject.org/wiki/SELinux/samba

For example:

semanage fcontext -a -t public_content_rw_t '/var/www(/.*)?'
restorecon -R /var/www
setsebool -P allow_smbd_anon_write 1