mounting of samba shares via fstab in F8 (and recently updated F7)
Paul Howarth
paul at city-fan.org
Wed Jan 30 17:33:56 UTC 2008
Eric Anderson wrote:
> All,
>
> I have run into a problem with reading a credentials file from fstab
> at startup. I have been working with Dan Walsh and have at least a
> temporary resolution. Details of our e-mail conversation are below:
>
> The problem:
>
> I get Error 13 talking about access denied
> to the credentials file. If SELinux is set to permissive, this is not
> an issue. I have tried 20 different searches on Google, samba.org and
> several Fedora sites to try to get the context required for the
> credentials file to be accessible to the startup scripts that process
> fstab.
>
> current SELinux context of credentials file:
> # ls -lZ /root/.smb/yyy
> -rw-r----- root root system_u:object_r:user_home_t:s0 /root/.smb/yyy
>
> fstab entry:
> //mtc1-server/progs /media/mtc1-server/progs cifs ip=xxx.xxx.xxx.xxx,credentials=/root/.smb/yyy,uid=aaaa,gid=aaaa,file_mode=0664,dir_mode=0775 0 0
>
> If I use "su -" and manually mount the share, passing only the
> directory to the mount command, it completes with no errors. This is
> only an issue at startup.
>
>
> The Resolution:
>
>
> You should execute
> # grep mount_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
>
> This will add the new rule.
>
> If anybody wants/needs more details, feel free to contact me.
The solution I use, which I think is cleaner, is to put the credentials
file in /etc/samba (where it should be labelled samba_etc_t) and to set
the allow_mount_anyfile boolean:
# setsebool -P allow_mount_anyfile 1
No local policy module needed.
Paul.
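
An added example, not part of the original thread: a way to review which denials the "grep mount_t ... | audit2allow" step quoted above would turn into policy, since grep matches the string anywhere on a line (other domains such as automount_t, non-AVC records). The audit records are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1201714436.101:21): avc:  denied  { search } for  pid=1801 comm="mount.cifs" name=".smb" dev=dm-0 ino=98310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1201714436.102:22): avc:  denied  { read } for  pid=1801 comm="mount.cifs" name="yyy" dev=dm-0 ino=98311 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1201714436.102:22): arch=40000003 syscall=5 success=no exit=-13 pid=1801 uid=0 comm="mount.cifs" exe="/sbin/mount.cifs" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1201714501.007:30): avc:  denied  { read } for  pid=1801 comm="mount.cifs" name="yyy" dev=dm-0 ino=98311 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201714502.310:31): avc:  denied  { getattr } for  pid=1422 comm="automount" name="auto.misc" dev=dm-0 ino=4711 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Read audit records on stdin and list each distinct AVC denial whose
# *source* domain is exactly mount_t, one per line, in the form
#   target_type:class { perms } comm=command
# so the set can be read before it is fed to audit2allow.
summarize_mount_denials() {
    awk '
    /avc: *denied/ && /scontext=[^ ]*:mount_t(:| |$)/ {
        perms = ""; ttype = ""; tclass = ""; comm = ""
        # Permission list sits between the first pair of braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            # Context is user:role:type:level; the type is field 3.
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
            else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        print ttype ":" tclass " { " perms " } comm=" comm
    }' | LC_ALL=C sort -u
}

# Demo on the constructed records; on a real host, pipe in
# /var/log/audit/audit.log instead.
sample_audit_log | summarize_mount_denials
```

On the sample, five lines contain "mount_t" but only two distinct denials come from the mount_t domain, both against user_home_t.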