cat /dev/brain

SELinux and Samba on Fedora 25 Server

After setting up a home server running Fedora 25, we wanted to use it's large amounts of storage for images and such. Naturally, we reached for Samba to enable network file storage. We installed and configured it, but neither from macOS, nor from Linux could access files after mounting the share.

For reference, our smb.conf had this:

[media_storage]
    public = yes
    comment = Family Media Storage
    path = /path/to/media_storage
    browsable = yes
    writable = yes
    guest ok = no
    read only = no
    valid users = @mediausers

All users had the appropriate groups and passwords in tdbsam and on Linux the /etc/fstab entry looked like:

//10.0.1.201/media_storage  /mnt/media_storage  cifs  \
username=sigmavirus24,uid=sigmavirus24,gid=users,rw 0 0

So doing mount /mnt/media_storage would work (after entering my password) but then I couldn't actually list the contents.

$ ls /mnt/media_storage
ls: reading directory '/mnt/watson': Permission denied

So I spent some serious time on Google and finally found this useful guide to determining what the problem was. I worked through it in order:

$ systemctl stop firewalld

However, I still couldn't list anything after mounting the share. So I re-enabled that and turned off SELinux:

$ setenforce 0

Finally I was able to read and create files there! So I looked up some more and found an article suggesting using to do:

$ setsebool -P allow_mount_anyfile 1

Before I did that though, I did this:

$ getsebool allow_mount_anyfile
mount_anyfile --> on

So that wasn't the issue, next I did

$ getsebool -a | egrep '(samba|nfs)'

And found samba_export_all_ro --> off and samba_export_all_rw --> off, so I took a guess and ran

$ setsebool -P samba_export_all_rw 1

After that I re-enabled SELinux (setenforce 1), mounted the share and then et voilà!