The status of the SELinux boolean values that are relevant to Samba can be queried with the following commands:
# getsebool -a | grep samba
# getsebool -a | grep smbd
Since we need to allow Samba to modify shared files, the files/directories must be labeled public_content_rw_t and the smbd_anon_write boolean must be turned on.
- Label all files under the share folder (e.g. /mnt/media) as public_content_rw_t so that they can be modified by multiple domains (Apache, FTP, rsync, Samba):
# semanage fcontext -a -t public_content_rw_t "/mnt/media(/.*)?"
# restorecon -F -R /mnt/media
Note: The file context can be changed temporarily with the chcon command, but that change won't survive a relabeling. To change the file context permanently, use the semanage fcontext command, which modifies the SELinux labeling database, and then run restorecon to apply the labels.
- Turn on the smbd_anon_write boolean:
# setsebool -P smbd_anon_write 1
- It's NOT necessary to turn on samba_export_all_rw if the shared files/directories are properly labeled and the smbd_anon_write boolean is turned on.
- The security context of the files can be verified with:
# ls -Z /mnt/media
drwxrwxr-x. video media system_u:object_r:public_content_rw_t:s0 video
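
The verification step can be scripted so that entries which missed the relabel (for example, files moved in from a home directory) stand out. The following is an added example, not part of the original post: the function names (boolean_on, mislabeled, audit_share) are hypothetical and the sample output is constructed; it only parses the text that getsebool and ls -Z print.

```bash
#!/bin/bash
EXPECTED_TYPE="public_content_rw_t"

# Constructed sample output, not captured from a real host.
SAMPLE_BOOLS='samba_export_all_rw --> off
smbd_anon_write --> on'
SAMPLE_LS='drwxrwxr-x. video media system_u:object_r:public_content_rw_t:s0 video
-rw-r--r--. video media unconfined_u:object_r:user_home_t:s0 clip.mkv'

# Succeed if the getsebool output on stdin reports boolean $1 as on.
boolean_on() {
    awk -v b="$1" '$1 == b && $2 == "-->" && $3 == "on" { found = 1 }
                   END { exit !found }'
}

# Read ls -Z output on stdin and print "name type" for every entry whose
# SELinux type is not EXPECTED_TYPE. The context field is located by shape,
# so both "mode owner group context name" and "context name" layouts work.
mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
    {
        for (i = 1; i <= NF; i++) {
            # A context looks like user:role:type:level, and roles end in _r
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) {
                if (c[3] != want) {
                    name = $(i + 1)
                    for (j = i + 2; j <= NF; j++) name = name " " $j
                    print name " " c[3]
                }
                break
            }
        }
    }'
}

# $1 = getsebool output, $2 = ls -Z output; returns non-zero on any finding.
audit_share() {
    rc=0
    if ! printf '%s\n' "$1" | boolean_on smbd_anon_write; then
        echo "smbd_anon_write is off"; rc=1
    fi
    bad=$(printf '%s\n' "$2" | mislabeled)
    if [ -n "$bad" ]; then
        echo "not labeled $EXPECTED_TYPE: $bad"; rc=1
    fi
    return $rc
}

audit_share "$SAMPLE_BOOLS" "$SAMPLE_LS" || true
```

On a real host, the same check is audit_share "$(getsebool -a)" "$(ls -Z /mnt/media)".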