openSUSE Leap 16.0 running nginx from the repository. I wish to share the root of nginx ( /srv/www/htdocs ) via Samba.
I create the samba share as per normal in smb.conf. The rights over the shared directory are as follows:
drwxr-xr-x. 1 root root 12 Nov 26 13:00 .
dr-xr-xr-x. 1 root root 28 Nov 26 13:00 ..
drwxrwxrwx. 1 rmp root 42 Nov 26 19:54 htdocs
When I SSH into the server, the user rmp can create/delete in that folder fine. However, on the other machine (where the share is mounted) the user can neither create nor delete. From there, if I run “ls” in the directory into which the share is mounted, I get
ls: reading directory '.': Permission denied
Other shares are working fine, it’s just this one which isn’t. A rights issue? But I can’t see what’s missing. Or is it something particular to do with that location? Any ideas please?
I presume you mean on the server side? If so,
(I can’t post the whole output as it is too large apparently, let me know if you need more)
time->Wed Nov 26 20:17:16 2025
type=AVC msg=audit(1764188236.947:2045): avc: denied { read } for pid=3820 comm="smbd[192.168.12" name="htdocs" dev="sda2" ino=260 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
----
As should be obvious, the access is prohibited by SELinux policy.
bor@leap16:~> sesearch -A -s smbd_t -t httpd_sys_content_t -c dir
allow daemon httpd_sys_content_t:dir { getattr open search };
allow smbd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { getattr ioctl lock open read search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
bor@leap16:~>
Try enabling samba_export_all_ro:
setsebool samba_export_all_ro true
and if it works set it permanently
setsebool -P ...
read man setsebool
Having run that command, I am able to view the contents of the mounted directory with both Dolphin and the ls command correctly.
However, I am still not able to write to the directory from the client machine. The output from the previous command is now:
time->Thu Nov 27 19:34:41 2025
type=AVC msg=audit(1764272081.885:2961): avc: denied { write } for pid=14053 comm="smbd[192.168.12" name="htdocs" dev="sda2" ino=260 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
So I issued the command:
setsebool samba_export_all_rw true
And I now have read and write permissions. Thank you for your help
One question though - why does this setting affect this directory and not the others? I have read the man but it is very brief.
Because that is how the policy is written.
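Added example (not part of the thread and not code from any poster): a small Python sketch that pairs an AVC denial with `sesearch -A` output and reports which policy booleans would allow the denied permission, which is why `read` was fixed by samba_export_all_ro but `write` needed samba_export_all_rw. The sample input is constructed from the records quoted above (duplicate rules dropped), and the function names `parse_avc` and `explain` are hypothetical.

```python
import re

# Constructed sample input: the AVC record and sesearch lines quoted in the thread.
AVC_READ = ('type=AVC msg=audit(1764188236.947:2045): avc: denied { read } for pid=3820 '
            'comm="smbd[192.168.12" name="htdocs" dev="sda2" ino=260 '
            'scontext=system_u:system_r:smbd_t:s0 '
            'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0')
AVC_WRITE = AVC_READ.replace("{ read }", "{ write }")
SESEARCH = """\
allow daemon httpd_sys_content_t:dir { getattr open search };
allow smbd_t non_security_file_type:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_export_all_rw ]:True
allow smbd_t non_security_file_type:dir { getattr ioctl lock open read search }; [ samba_export_all_ro ]:True
allow smbd_t non_security_file_type:dir { getattr open search }; [ samba_export_all_ro ]:True
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
                    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
RULE_RE = re.compile(r'^allow (?P<src>\S+) (?P<tgt>[^:\s]+):(?P<cls>\S+) '
                     r'\{ (?P<perms>[^}]*)\};(?: \[ (?P<bool>\S+) \]:(?P<state>True|False))?')

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    # An SELinux context is user:role:type:level; the type is the third field.
    return {"perms": set(m["perms"].split()), "source": m["s"].split(":")[2],
            "target": m["t"].split(":")[2], "tclass": m["cls"]}

def explain(avc_line, sesearch_output):
    """Return (allowed_unconditionally, [booleans that would allow it]).

    Assumes sesearch_output came from `sesearch -A -s <source> -t <target> -c <class>`,
    so every rule already applies to the AVC's source and target types.
    """
    avc = parse_avc(avc_line)
    unconditional, booleans = False, set()
    for line in sesearch_output.splitlines():
        r = RULE_RE.match(line.strip())
        if not r or r["cls"] != avc["tclass"]:
            continue
        if not avc["perms"] <= set(r["perms"].split()):
            continue  # this rule does not grant every denied permission
        if r["bool"] is None:
            unconditional = True
        elif r["state"] == "True":
            booleans.add(r["bool"])  # rule is active only when the boolean is on
    return unconditional, sorted(booleans)
```
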
SELinux is new to me and another thing to learn.
The main configuration file is /etc/selinux/config, where policies are specified.
There are only two active lines in this file:
SELINUX=enforcing
SELINUXTYPE=targeted
How can one actually read and edit the policies themselves?