How do I get SELinux to allow Apache and Samba on the same folder?
Solution 1:
First off, you can view the context of something with ls using ls -Z
[root@servername www]# ls -dZ /var/www
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www
Second, there are two options for giving Samba and Apache access to the same directory.
The simple way is to just allow Samba read/write access everywhere with:
setsebool -P samba_export_all_rw 1
It's simple, easy, and doesn't mess with any weird properties of SELinux.
If you're concerned with Samba having full access to all directories and only want to change /var/www, try:
chcon -t public_content_rw_t /var/www
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1
This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:
chcon -R -t public_content_rw_t /var/www
You can look through this CentOS wiki page to get hints on other SELinux booleans.
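Added example (not part of the original answer): a shell function that checks the caveat described above, that a non-recursive chcon leaves existing subdirectories with their old type. It reads ls -Z output and lists every path whose type is not public_content_rw_t; the function name find_mislabeled and the sample listing are constructed for illustration.

```shell
# Accepts both ls -Z layouts: "mode user group context path" (older
# releases, as shown above) and "context path" (newer coreutils).
SHARED_TYPE="public_content_rw_t"

# Print "path<TAB>type" for each stdin line whose SELinux type differs
# from the wanted type (first argument, default $SHARED_TYPE).
find_mislabeled() {
    awk -v want="${1:-$SHARED_TYPE}" '
    {
        ctx = ""; pos = 0; t = ""
        # The context is the first field shaped like user:role:type[:level].
        for (i = 1; i <= NF; i++) {
            if (split($i, part, ":") >= 3 && part[3] ~ /_t$/) {
                ctx = $i; pos = i; t = part[3]; break
            }
        }
        if (ctx == "") next    # line carries no label, skip it
        # Everything after the context field is the path (spaces allowed).
        path = $(pos + 1)
        for (i = pos + 2; i <= NF; i++) path = path " " $i
        if (t != want) printf "%s\t%s\n", path, t
    }'
}

# Constructed sample: the state after a non-recursive chcon on /var/www.
SAMPLE='drwxr-xr-x root root system_u:object_r:public_content_rw_t /var/www
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html
system_u:object_r:httpd_sys_content_t:s0 /var/www/manual
unconfined_u:object_r:public_content_rw_t:s0 /var/www/new upload dir'

# On a live system: ls -dZ /var/www /var/www/* | find_mislabeled
printf '%s\n' "$SAMPLE" | find_mislabeled
```

Any path it prints is still outside the shared type, so Samba and Apache anonymous-write booleans do not apply to it.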
Solution 2:
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and public_content_rw_t.
These contexts allow any of the above domains to read the
content. If you want a particular domain to write to the
public_content_rw_t domain, you must set the appropriate boolean,
allow_DOMAIN_anon_write. So for samba you would execute:
setsebool -P allow_smbd_anon_write=1
- http://fedoraproject.org/wiki/SELinux/samba
For example:
semanage fcontext -a -t public_content_rw_t '/var/www(/.*)?'
restorecon -R /var/www
setsebool -P allow_smbd_anon_write 1