Mounting CIFS shares at login with SELinux enabled

David — Sat, 17 May 2008 02:36:57 +0000

SELinux is as painful to use sometimes as it is powerful when it comes to locking down server permissions. Unfortunately even with distributions such as Red Hat which supports SELinux out of the box, you will still experience problems.

One such issue I came across recently was automounting CIFS shares on boot using netfs. At startup the netfs service was returning an "error 13 - error opening credentials file" when attempting to mount the CIFS shares. The problem was the SELinux was not allowing the netfs script to access the file that contained the CIFS authorisation details.

For example, my /etc/fstab had the following entry:

//WINDOWSSERVER/SHARE /mnt/windowsshare cifs credentials=/etc/samba/auth.cifs 0 0

And in the /etc/samba/auth.cifs file were the following details:

username=windowsuser
password=windowspassword

The solution to the problem was to change a SELinux boolean parameter with the following command (found here):

setsebool -P allow_mount_anyfile 1

This lets the mount command open any referenced file, effectively side-stepping the netfs error. Sure it is not 100% secure but it works without having to completely disable SELinux which seems to be most people's answer to any problems.

stressfree - selinux

Mounting CIFS shares at login with SELinux enabled