Share Folders Between Podman Containers and Samba with SELinux

When SELinux is in enforcing mode (recommended and standard) you might wonder why SELinux blocks your containers and Samba (SMB) from accessing the same folder. Here's the issue: SELinux assigns a context label to each folder and to each process, and the policy decides which process labels may access which folder labels.
- For containers, the container processes run with the label `container_t`.
- For Samba (SMB), shared folders carry the label `samba_share_t`.
This can drive you crazy, because it might seem like you can access a folder one moment, and then suddenly you can't. That's SELinux in action!
The Fix
In this tutorial, we'll create and install a new SELinux module that allows the `container_t` label (used by your containers) to access folders with the `samba_share_t` label (used by Samba). We'll focus on folders located under `/mnt`.
Step 1: Create the SELinux Module Specification File
First, we need to write the rules that allow this behavior.
- Create the SELinux module specification file (`podman-samba.te`): Open your text editor (Nano, in this case) to create a new file.
```sh
sudo nano podman-samba.te
```
- Add your specification: Copy and paste the following code into the file. This module will allow containers to read, write, create, and manage files within directories labeled for Samba sharing.
```
module podman-samba 1.0;

require {
    type container_t;
    type samba_share_t;
    type mnt_t;
    class dir { search read write setattr getattr create rename open add_name rmdir remove_name lock watch };
    class file { read write setattr getattr create rename open lock unlink append };
}

#============= container_t ==============
# Allow container_t access to samba_share_t labeled directories and files.
# search on dir lets the container traverse into subdirectories of the share.
allow container_t samba_share_t:dir { search read write setattr getattr create rename open add_name rmdir remove_name lock watch };
allow container_t samba_share_t:file { read write setattr getattr create rename open lock unlink append };

# Allow container_t access to mnt_t labeled directories and files under /mnt
allow container_t mnt_t:dir { search read write getattr open add_name remove_name setattr lock watch create rename rmdir };
allow container_t mnt_t:file { read write getattr open lock unlink append create rename setattr };
```
Step 2: Compile and Install the Module
Next, we need to compile and load the module into SELinux.
- Compile the SELinux module:
```sh
sudo checkmodule -M -m -o podman-samba.mod podman-samba.te
```
- Create the package:
```sh
sudo semodule_package -m podman-samba.mod -o podman-samba.pp
```
- Load the SELinux module:
```sh
sudo semodule -i podman-samba.pp
```
Step 3: Set the Samba Context
Finally, we need to make sure your folder has the right Samba context.
- Set the Samba context for your folder: In this case, I'm setting the context for `/var/mnt/media`. Replace this with your own folder.
```sh
sudo chcon -R -t samba_share_t /var/mnt/media
```
- Ensure the Samba context is persistent: We want to make sure that the context stays applied even after a reboot, so register it as a file context rule.
```sh
sudo semanage fcontext -a -t samba_share_t "/var/mnt/media(/.*)?"
```
- Apply the correct SELinux labels to the files and directories: `restorecon` relabels everything under the folder according to the file context rules, so the label registered with the `semanage fcontext` command is actually applied.
```sh
sudo restorecon -Rv /var/mnt/media
```
Now your containers and Samba should be able to access the same folder without any further SELinux issues!
Remember, this is a fix for this one case: it lets every process in the default `container_t` domain (that is, every container on the host, not just the one you had in mind) reach every `samba_share_t` and `mnt_t` location. If you're managing more complex setups, consider using Udica, which generates a policy tailored to a single container instead of widening `container_t` for all of them.
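If a container still hits a denial after the module is loaded, the audit log records it as an AVC message (`sudo ausearch -m AVC -ts recent`), and the permissions listed there are exactly what the `allow` lines in the `.te` file have to name. The script below is an added example, not part of the original tutorial: it parses such AVC records (constructed sample data is embedded, and `audit2allow` from policycoreutils does the same job on a real system) and merges the denied permissions into one `allow` rule per source type, target type and class. The function names `avc_to_allow` and `sample_rules` are chosen here.

```sh
#!/bin/sh
# Added example: turn SELinux AVC denials (the records printed by
# `ausearch -m AVC`) into the allow rules a .te module needs, the same
# job audit2allow does. Each record's denied perms, scontext type,
# tcontext type and tclass are parsed; perms are merged per
# (source, target, class) and de-duplicated. SAMPLE_AVC is constructed data.

SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=2101 comm="ls" name="media" dev="sda1" ino=1001 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write append } for  pid=2102 comm="tee" name="log.txt" dev="sda1" ino=1002 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { add_name write } for  pid=2103 comm="touch" name="new" dev="sda1" ino=1001 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { search } for  pid=2104 comm="ls" name="mnt" dev="sda1" ino=2 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0'

# Reads AVC records on stdin, prints one allow rule per (source, target, class).
avc_to_allow() {
  awk '
    # Keep only records carrying a "denied { perm ... }" block.
    !match($0, /denied[ ]+[{][^}]*[}]/) { next }
    {
      perms = substr($0, RSTART, RLENGTH)
      sub(/^denied[ ]+[{][ ]*/, "", perms)
      sub(/[ ]*[}]$/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # The type is the third colon-separated field of a context.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      if (!(key in plist)) { order[++nkeys] = key; plist[key] = "" }
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (p[i] != "" && !((key, p[i]) in seen)) {
          seen[key, p[i]] = 1; plist[key] = plist[key] " " p[i]
        }
    }
    END {
      for (k = 1; k <= nkeys; k++)
        print "allow " order[k] " {" plist[order[k]] " };"
    }'
}

# On a real host: sudo ausearch -m AVC -ts recent | avc_to_allow
sample_rules() { printf "%s\n" "$SAMPLE_AVC" | avc_to_allow; }

sample_rules
```

Review each generated rule before it goes into the module: a denial shows what the container tried to do, which is not by itself a reason to grant it.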