安全機制

1. 查詢 smbd ports

   [root@kvm8 ~]# netstat -tlunp | grep smb
   tcp     0     0     :::139       :::*      LISTEN      1727/smbd           
   tcp     0     0     :::445       :::*      LISTEN      1727/smbd
   

2. 防火牆設定

   [root@kvm8 ~]# vim /etc/sysconfig/iptables
   ######################################################
   -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
   -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
   ######################################################
   

3. 防火牆重新啟動

   [root@kvm8 ~]# /etc/init.d/iptables restart
   

4. 開機啟動防火牆

   [root@kvm8 ~]# chkconfig iptables on
   

5. 查詢 samba 相關的 selinux types

   [root@kvm8 ~]# seinfo -t | grep samba
      samba_secrets_t
      samba_unconfined_script_exec_t
      samba_net_t
      samba_var_t
      samba_net_exec_t
      samba_net_tmp_t
      samba_unconfined_net_t
      samba_unconfined_script_t
      sambagui_exec_t
      samba_share_t
      samba_initrc_exec_t
      sambagui_t
      samba_etc_t
      samba_log_t
   

6. 設定分享目錄的 selinux type

   [root@kvm8 ~]# chcon -R -t samba_share_t /public
   [root@kvm8 ~]# ls -ldZ /public
   drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /public
   

7. selinux boolean 值

   [root@kvm8 ~]# getsebool -a | grep smb
   allow_smbd_anon_write --> off
   [root@kvm8 ~]# getsebool -a | grep samba
   samba_create_home_dirs --> off
   samba_domain_controller --> off
   samba_enable_home_dirs --> off
   samba_export_all_ro --> off
   samba_export_all_rw --> off
   samba_run_unconfined --> off
   samba_share_fusefs --> off
   samba_share_nfs --> off
   use_samba_home_dirs --> off
   virt_use_samba --> off
   

8. 設定 selinux boolean

   [root@kvm8 ~]# setsebool -P samba_export_all_ro on