当我们在与linux中交换文件的时候，内网之间一般是用samba这个服务来实现，那我们也会遇到或多或少的阻碍，比如不能访问了，没权限啊，selinux 的问题等等。这次说一下selinux，我们总不能把selinux关掉吧，毕竟找出根本原因是最好方法，也能学习知识不是麽。

我共享了根目录下的backup文件夹，里面放的是系统自动备份的资料，selinux为强制状态，当我访问samba时，能进入到samba列表，但是打不开smb这个共享的文件夹，提示“找不到网络路径”。好，检查服务器日志：

May 25 08:53:33 rhel smbd[3364]:   ‘/backup’ does not exist or permission denied when connecting to [smb] Error was 权限不够

接着下面：

May 25 08:47:46 rhel setroubleshoot: SELinux is preventing samba (smbd) “search” to ./backup (default_t). For complete SELinux messages. run sealert -l 65266ca9-18cb-49e1-8c83-d8a8f9dedf0a

提示我们执行红色部分语句查看具体错误信息。

[root@rhel ~]# sealert -l 65266ca9-18cb-49e1-8c83-d8a8f9dedf0a

摘要:

SELinux is preventing samba (smbd) “search” to ./backup (default_t).

详细的描述:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied samba access to ./backup. If you want to share this directory
with samba it has to have a file context label of samba_share_t. If you did not
intend to use ./backup as a samba repository it could indicate either a bug or
it could signal a intrusion attempt.

正在允许访问:

You can alter the file context by executing chcon -R -t samba_share_t ‘./backup’
You must also change the default file context files on the system in order to
preserve them even on a full relabel. “semanage fcontext -a -t samba_share_t
‘./backup'”

以下命令将允许这个权限:

chcon -R -t samba_share_t ‘./backup’

附加的信息:

源上下文                  root:system_r:smbd_t
目标上下文               root:object_r:default_t
目标对象                  ./backup [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <未知的>
Host                          rhel
Source RPM Packages           samba-3.0.33-3.28.el5
Target RPM Packages
策略 RPM                    selinux-policy-2.4.6-279.el5
Selinux 激活                True
策略类型                  targeted
MLS 激活                    True
强制模式                  Permissive
插件名称                  samba_share
主机名                     rhel
平台                        Linux rhel 2.6.18-194.el5 #1 SMP Tue Mar 16
                              21:52:39 EDT 2010 x86_64 x86_64
警告记数                  3
First Seen                    Wed May 11 11:33:14 2011
Last Seen                     Wed May 25 08:47:44 2011
Local ID                      65266ca9-18cb-49e1-8c83-d8a8f9dedf0a
行数

原始 Audit 消息

host=rhel type=AVC msg=audit(1306284464.893:47): avc:  denied  { search } for  pid=3590 comm=”smbd” name=”backup” dev=sda1 ino=2505890 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir

host=rhel type=SYSCALL msg=audit(1306284464.893:47): arch=c000003e syscall=80 success=yes exit=0 a0=2ad998a50580 a1=2ad998a50580 a2=2ad994ffdb90 a3=ea items=0 ppid=3584 pid=3590 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=”smbd” exe=”/usr/sbin/smbd” subj=root:system_r:smbd_t:s0 key=(null)

好多废话，那么主要的还是smb安全上下文的原因，在此，我知道samba的安全上下文是：samba_share_t (我为什么知道？学的呗）

[root@rhel ~]# chcon -R -t samba_share_t /backup/

再次访问，ok了~