Can't samba share root of nginx

openSUSE Leap 16.0 running nginx from the repository. I wish to share the root of nginx ( /srv/www/htdocs ) via Samba.

I create the samba share as per normal in smb.conf. The rights over the shared directory are as follows:


drwxr-xr-x. 1 root root 12 Nov 26 13:00 .
dr-xr-xr-x. 1 root root 28 Nov 26 13:00 ..
drwxrwxrwx. 1 rmp  root 42 Nov 26 19:54 htdocs

When I SSH into the server, the user rmp can create/delete in that folder fine. However, on the other machine (where the share is mounted) the user cannot create or delete. From here if I run “ls” in the directory into which the share is mounted, I get

ls: reading directory '.': Permission denied

Other shares are working fine, it’s just this one which isn’t. A rights issue? But I can’t see what’s missing. Or is it something particular to do with that location? Any ideas please?

SELinux. Show

ausearch -m avc -ts boot

I presume you mean on the server side? If so,

(I can’t post the whole output as it is too large apparently, let me know if you need more)

time->Wed Nov 26 20:17:16 2025
type=AVC msg=audit(1764188236.947:2045): avc:  denied  { read } for  pid=3820 comm="smbd[192.168.12" name="htdocs" dev="sda2" ino=260 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
----

As should be obvious, the access is prohibited by SELinux policy.

bor@leap16:~> sesearch -A -s smbd_t -t httpd_sys_content_t -c dir
allow daemon httpd_sys_content_t:dir { getattr open search };
allow smbd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { getattr ioctl lock open read search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
bor@leap16:~> 

Try enabling samba_export_all_ro:

setsebool samba_export_all_ro true

and if it works set it permanently

setsebool -P ...

read man setsebool

Having run that command, I am able to view the contents of the mounted directory with both Dolphin and the ls command correctly.

However, I am still not able to write to the directory from the client machine. The output from the previous command is now:


time->Thu Nov 27 19:34:41 2025
type=AVC msg=audit(1764272081.885:2961): avc:  denied  { write } for  pid=14053 comm="smbd[192.168.12" name="htdocs" dev="sda2" ino=260 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0


So I issued the command:

setsebool samba_export_all_rw true

And I now have read and write permissions. Thank you for your help :wink:

One question though - why does this setting affect this directory and not the others? I have read the man but it is very brief.

Because that is how the policy is written.
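
As an added illustration (not code from the thread or from the SELinux tools), the sketch below matches an AVC denial against sesearch output like that quoted above and lists which boolean settings would permit each denied permission. It assumes the sesearch query used the same source type, target type and class as the denial, so attribute names such as daemon and non_security_file_type are taken to cover them; the function names are hypothetical.

```python
import re

# Input below is constructed from the records quoted in the thread: the first AVC
# line is the read denial; the write variant and the rule list are abridged copies.
AVC_READ = ('type=AVC msg=audit(1764188236.947:2045): avc:  denied  { read } for  '
            'pid=3820 comm="smbd[192.168.12" name="htdocs" dev="sda2" ino=260 '
            'scontext=system_u:system_r:smbd_t:s0 '
            'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0')
AVC_WRITE = AVC_READ.replace("{ read }", "{ write }")
SESEARCH = """\
allow daemon httpd_sys_content_t:dir { getattr open search };
allow smbd_t non_security_file_type:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { getattr ioctl lock open read search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]+)\} for .*?scontext=(\S+) "
                    r"tcontext=(\S+) tclass=(\S+)")
RULE_RE = re.compile(r"^allow (\S+) (\S+):(\S+) \{([^}]+)\};"
                     r"(?: \[ (\w+) \]:(True|False))?$")

def parse_avc(line):
    """Return denied permissions, source/target types and class of an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    stype, ttype = (ctx.split(":")[2] for ctx in (m[2], m[3]))
    return {"perms": set(m[1].split()), "source": stype, "target": ttype, "tclass": m[4]}

def granting_booleans(avc_line, sesearch_text):
    """Map each denied permission to the rule conditions that would allow it."""
    avc = parse_avc(avc_line)
    result = {perm: set() for perm in avc["perms"]}
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None or m[3] != avc["tclass"]:
            continue
        # No [ boolean ] suffix means the rule is always active.
        cond = f"{m[5]}={'on' if m[6] == 'True' else 'off'}" if m[5] else "(unconditional)"
        for perm in avc["perms"] & set(m[4].split()):
            result[perm].add(cond)
    return {perm: sorted(conds) for perm, conds in result.items()}

if __name__ == "__main__":
    for record in (AVC_READ, AVC_WRITE):
        print(granting_booleans(record, SESEARCH))
```
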

SELinux is new to me and another thing to learn.

The main configuration file is /etc/selinux/config, where policies are specified.

There are only two active lines in this file:

SELINUX=enforcing
SELINUXTYPE=targeted

How can one actually read and edit the policies themselves?