Fixing Random Samba Share Lockouts Part 2 w/Docker

Continuation of my previous post about fixing random Samba Share lockouts. I discovered that Docker and Samba were fighting to gain access to the folders. If I set the label to samba_share_t, then Docker loses access. If I allow Docker (with “Z” option while running container), then Docker resets the label to “svirt_sandbox_file_t”. How can I make both use it? Turns out there is a solution. Credit to this Serverfault post: https://serverfault.com/a/881098/449814

Create a new SELinux policy module that allows the Samba daemon domain (smbd_t) to access files and directories carrying the Docker label (svirt_sandbox_file_t):

# cat >samba_docker_policy.te<<EOF
module samba_docker_policy 1.0;
require {
type smbd_t;
type svirt_sandbox_file_t;
class dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open };
class lnk_file { ioctl read write create getattr setattr lock append unlink link rename };
class file { ioctl read write create getattr setattr lock append unlink link rename open };
class filesystem { getattr quotaget };
class fifo_file { ioctl read write create getattr setattr lock append unlink link rename open };
class sock_file { ioctl read write create getattr setattr lock append unlink link rename open };
}

#============= svirt_sandbox_file_t ==============

allow smbd_t svirt_sandbox_file_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow smbd_t svirt_sandbox_file_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
allow smbd_t svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t svirt_sandbox_file_t : filesystem { getattr quotaget } ;
allow smbd_t svirt_sandbox_file_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t svirt_sandbox_file_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
EOF
# checkmodule -M -m -o samba_docker_policy.mod samba_docker_policy.te
# semodule_package -o samba_docker_policy.pp -m samba_docker_policy.mod
# semodule -i samba_docker_policy.pp

Then start the Docker container with its volumes mounted using the "Z" option (the `:Z` suffix on `-v /host/path:/container/path:Z`), which relabels the host directory as svirt_sandbox_file_t; with the module above loaded, smbd_t is allowed to use that label as well. You should now be good to go with both Samba and Docker living together happily ever after…
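The module above grants smbd_t every permission in each class. A tighter alternative is to derive the allow rules from the actual AVC denials in /var/log/audit/audit.log, which is what audit2allow automates. The following Python example is added here and is not part of the original post: it parses a few constructed audit lines (sample data, not real denials), keeps only those from the chosen source domain, and emits a minimal .te module containing just the permissions that were denied.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt in AVC denial format (sample data, not from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2301 comm="smbd" name="media" dev="sda2" ino=41 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c12,c34 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { search } for  pid=2301 comm="smbd" name="media" dev="sda2" ino=41 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c12,c34 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read open } for  pid=2301 comm="smbd" name="movie.mkv" dev="sda2" ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c12,c34 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { getattr } for  pid=2301 comm="smbd" path="/srv/media/movie.mkv" dev="sda2" ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c12,c34 tclass=file permissive=0
type=AVC msg=audit(1700000000.105:205): avc:  denied  { read } for  pid=991 comm="nginx" name="index.html" dev="sda2" ino=90 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Extract the denied permission set, source type, target type and object class.
# Contexts look like user:role:type:level, so the type is the third colon-separated field.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+).*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text, source_type=None):
    """Group denied permissions by (source type, target type, class).

    If source_type is given, denials from other domains are ignored so the
    generated module only touches the domain we are actually fixing.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (source_type and m["stype"] != source_type):
            continue
        rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def render_policy(rules, module_name, version="1.0"):
    """Render a .te module whose allow rules cover exactly the denied permissions."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

The rendered text is compiled and loaded with the same checkmodule, semodule_package and semodule commands shown above; rerun the loop after further denials appear, since a read-only share never needs write, unlink or rmdir.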
