Conversation

phoenix🐧🐕🐞🚀

When starting the samba server on a SELinux enabled system, it will go through all shares and re-labels the files and folders there.

Which is a good thing, but be warned, it can take loooong. Took my NAS 3 full hours to re-label all of them. I even needed to manually increase the timeout for the systemd services.

Subsequent service starts are however not affected.

Richard Weinberger

Edited 5 days ago
@phoenix Really? Sounds more like a (mis?)feature of your NAS.

phoenix🐧🐕🐞🚀

@rw how so? It needs to apply the SELinux rules for all files individually, so I'd assume this can (and will) take some time ...
Even relabelling the root filesystem of a fresh installation takes several minutes to complete 🤔

One can argue though if the service should relabel the shares ... Given that under production workloads the default timeout likely is not enough anyways 🤔

Richard Weinberger

Edited 5 days ago
@phoenix How can samba know what the right security contexts are? Especially when exporting something non-trivial.
To me this solution feels more like a "Just make it work" approach.

phoenix🐧🐕🐞🚀

Edited 5 days ago

@rw From what I can see it just adds the samba_share_t context to all files/folders. This is similar to almost all other programs when using the "targeted" SELinux policy.

Now, how would that work in non-trivial cases, e.g. when files need to be shared by samba and by netatalk (or ftp)? Not. I'm still puzzling about that ... and that's the reason I'm still in permissive and not enforcing mode.

If you have a good idea how to approach this, let us know 🙂

Richard Weinberger

@phoenix I'm not against having samba_share_t. I'm against applying the context automatically. Only the sysadmin should trigger this for folders he really wants to share.

phoenix🐧🐕🐞🚀

@rw Personally I'm also open to the argument that users would expect "this to just work". And I can see that automatically applying the context is probably the only way this can be achieved.

Yeah, it's difficult.

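A small label audit in the spirit of the thread, added here as an example and not posted by either participant: it lists entries under a share tree whose SELinux type is not the one the admin intended (samba_share_t by default), so a relabel is an explicit admin decision rather than something a service does silently. It assumes GNU `find` with the `%Z` format; the `SAMPLE` data and the `/srv/share` paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. In real use feed it the output of
#   find /srv/share -printf '%Z %p\n'
# (one line per entry: "<context> <path>"). A mismatch is reported on stderr,
# and the function prints the number of mismatches on stdout.
#
# Remediation is left to the admin, e.g. (targeted policy):
#   semanage fcontext -a -t samba_share_t "/srv/share(/.*)?"
#   restorecon -Rv /srv/share
# Files served by several daemons (samba plus ftp, for instance) are usually
# given public_content_t / public_content_rw_t instead of a per-service type.

# Third colon-separated field of a context such as
# unconfined_u:object_r:samba_share_t:s0 is the type.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines from stdin; paths may contain spaces.
audit_labels() {
    expected="${1:-samba_share_t}"
    count=0
    while IFS=' ' read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(selinux_type "$ctx")
        if [ "$t" != "$expected" ]; then
            printf 'MISMATCH %s (%s)\n' "$path" "$t" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Constructed sample standing in for real `find -printf '%Z %p\n'` output.
SAMPLE='unconfined_u:object_r:samba_share_t:s0 /srv/share
unconfined_u:object_r:samba_share_t:s0 /srv/share/docs
unconfined_u:object_r:user_home_t:s0 /srv/share/docs/notes.txt
system_u:object_r:default_t:s0 /srv/share/incoming'

# Run the audit over the constructed sample; prints the mismatch count.
count_mismatches() {
    printf '%s\n' "$SAMPLE" | audit_labels "${1:-samba_share_t}"
}
```

Against the sample, two entries (notes.txt and incoming) are not labelled samba_share_t and would be flagged.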