When setting up shared web hosting environments on CentOS, administrators often need both Apache (httpd) and Samba to access the same directory - typically /var/www. SELinux enforces strict security contexts, causing permission conflicts when multiple services require access to the same resources.
First, verify the existing SELinux context of your target directory:
```bash
# -d shows the label of the directory itself rather than its contents
ls -Zd /var/www
# Sample output:
# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www
```
Samba requires specific context types for proper operation. The most common approaches:
```bash
# Option 1: samba_share_t (dedicated Samba sharing)
chcon -t samba_share_t /var/www

# Option 2: public_content_t (read-only sharing)
chcon -t public_content_t /var/www

# Option 3: public_content_rw_t (read-write sharing)
chcon -t public_content_rw_t /var/www
```
For simultaneous Apache/Samba access, we'll use public_content_rw_t with proper boolean adjustments:
```bash
# Set the context type
semanage fcontext -a -t public_content_rw_t "/var/www(/.*)?"
restorecon -R -v /var/www

# Enable Samba to write to this context
setsebool -P smbd_anon_write=1

# Allow Apache to write to public_content_rw_t content
# (httpd_use_samba is not a boolean in the targeted policy)
setsebool -P httpd_anon_write=1
```
After implementation, verify the configuration:
```bash
# Check context
ls -Z /var/www

# Test Apache access
curl -I http://localhost/

# Test Samba access from client
smbclient //server/share -U user
```
To make these changes persistent across reboots:
# Create local policy module cat > mysamba.te <
When configuring both Apache (httpd) and Samba to access /var/www on CentOS, SELinux context conflicts often arise. By default, these services require different security contexts:

```bash
# Default contexts:
ls -Zd /var/www
# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www

# Samba needs:
chcon -t samba_share_t /var/www
```

To verify current contexts and troubleshoot:
```bash
# Check current context
ls -Z /var/www

# View denied accesses
grep httpd /var/log/audit/audit.log | audit2why
grep smbd /var/log/audit/audit.log | audit2why
```

The most maintainable approach is using SELinux booleans:
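```bash
# Allow httpd to access CIFS (Samba) mounts
# (httpd_use_samba is not a boolean in the targeted policy; httpd_use_cifs is the closest one)
setsebool -P httpd_use_cifs on

# Allow samba to export http content
setsebool -P samba_export_all_ro on
```

For complex scenarios, create a custom policy: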
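```bash
# Generate policy from audit logs (writes mypolicy.te and mypolicy.pp)
grep avc /var/log/audit/audit.log | audit2allow -M mypolicy

# Review mypolicy.te before installing: it allows every denial that was matched
# Install the module
semodule -i mypolicy.pp

# Verify
semodule -l | grep mypolicy
```

For new files to inherit proper contexts: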
```bash
# Set default context for future files
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www(/.*)?"

# Apply immediately
restorecon -R -v /var/www

# Check boolean status
getsebool httpd_use_cifs samba_export_all_ro

# Test file operations from both services
touch /var/www/testfile
ls -Z /var/www/testfile
```
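
The audit-log troubleshooting step above can be narrowed before anything is handed to audit2allow. This added example (not from the original page) groups AVC denials for the httpd_t and smbd_t domains by target type, object class and permission; the audit records are constructed samples and the function names are illustrative.

```bash
#!/bin/sh
# Added example: summarize AVC denials for httpd_t and smbd_t so the label or
# boolean that is actually missing is visible before any policy is generated.

# Constructed sample records; on a real host read /var/log/audit/audit.log.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000001.101:411): avc:  denied  { read } for  pid=2101 comm="smbd" name="index.html" dev="dm-0" ino=101 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="smbd"
type=AVC msg=audit(1700000002.202:412): avc:  denied  { read } for  pid=2101 comm="smbd" name="about.html" dev="dm-0" ino=102 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.303:413): avc:  denied  { write } for  pid=2101 comm="smbd" name="www" dev="dm-0" ino=100 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000004.404:414): avc:  denied  { getattr } for  pid=1800 comm="httpd" path="/var/www/upload.txt" dev="dm-0" ino=103 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000005.505:415): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=104 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin; prints "count source_domain target_type class perms".
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        src = ""; tgt = ""; cls = ""
        # Permissions sit between the first "{" and "}" of the record.
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level, so the type is the third field.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Only the two services that share /var/www are of interest here.
        if (src == "httpd_t" || src == "smbd_t")
            count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2,2 -k3,3
}

sample_log | summarize_avc
```

A summary dominated by one target type points at a labeling or boolean fix rather than a custom module.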