The status of the Selinux boolean values that are relevant to Samba can be queried via the following command:
#getsebool -a | grep samba
#getsebool -a | grep smbd
Since we need to allow samba to modify shared files, the files/directories must be labeled public_content_rw_t and we must turn on the smbd_anon_write boolean.
- Labeling all files under the share folder (e.g. /mnt/media) to public_content_rw_t so that they can be modified by multiple domains (Apache, FTP, rsync, Samba).
#semanage fcontext -a -t public_content_rw_t "/mnt/media(/.*)?"
#restorecon -F -R /mnt/media
Note: File context can be temporarily modified with the chcon command. However, that won't survive a relabeling. We need to permanently change the file context by using the semanage fcontext command. This will modify the SELinux labeling database. It is necessary to use restorecon to apply the labels.
- Turn on the smbd_anon_write boolean:
#setsebool -P smbd_anon_write 1
- It's NOT necessary to turn on samba_export_all_rw if the shared files/directories are properly labeled and the smbd_anon_write boolean is turned on.
- The security context of the files can be verified via
# ls -Z /mnt/media
drwxrwxr-x. video media system_u:object_r:public_content_rw_t:s0 video