Samba shares...
Daniel B. Thurman
dant at cdkkt.com
Tue May 13 19:09:34 UTC 2008
Daniel J Walsh
|Daniel B. Thurman wrote:
|> Stephen Smalley wrote:
|> |On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
|> |> Daniel B. Thurman wrote:
|> |> |Stephen Smalley
|> |> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> |> ||> Stephen Smalley wrote:
|> |> ||> >> Daniel B. Thurman wrote:
|> |> ||> >> I am not sure what is going on. I am unable to get
|> |> ||> >> samba shares to work for an NTFS filesystem. I do
|> |> ||> >> have several shares working for ext3 filesystems.
|> |> ||> >>
|> |> ||> >> Here is what I did:
|> |> ||> >>
|> |> ||> >> 1) Create an empty directory: /AV
|> |> ||> >> 2) chcon -t samba_share_t /AV
|> |> ||> >> 3) chmod 775 !$
|> |> ||> >> 4) chgrp avusers !$
|> |> ||> >> 5) Add to fstab
|> |> ||> >> /dev/sda1 /AV ntfs defaults 1 2
|> |> | [snipped!]
|> |> ||
|> |> ||It is just another mount option, so you can just do
|something like:
|> |> ||/dev/sda1 /AV ntfs
|> |> |defaults,context=system_u:object_r:samba_share_t 1 2
|> |> |
|> |> |Yes, I thought so. I tried that and the context does not
|> |> |change. Any ideas?
|> |>
|> |> Mounting an NTFS filesystem even with context options,
|> |> the context always remains as fusefs_t. I am allowed
|> |> to change the context on the directory before the mount,
|> |> but not after the mount. After mounting, I am not allowed
|> |> to chcon the mounted FS as it says that the Operation is
|> |> not allowed.
|> |
|> |Can you confirm that if you umount /AV and then mount it with the
|> |context= option that it really doesn't work for you? You do have to
|> |umount it though if you previously mounted it w/o the
|context option to
|> |make the option take affect.
|>
|> Yes, I can confirm that adding context= to the option line
|> in /etc/fstab does not seem to do anything, i.e. the context
|> does not change and remains fusefs_t. I tried several times,
|> and even tried the fscontext= as well, neither seems to work.
|>
|> I was forced to reboot sometimes since I was not at times
|> able to unmount the /AV filesystem, it sometimes reports
|> that the /AV filesystem was 'busy'. This seems to happen
|> if I mount/unmount several times then it says 'busy',
|> preventing me from unmounting. Hmm.
|>
|> |I'm not sure why a context mount option wouldn't work for
|fuse - Eric?
|> |
|> |fuse itself won't let you chcon (setxattr) the files unless the
|> |filesystem supports setxattr, which is why you get Operation not
|> |supported there.
|> |
|> |> I even tried: setsebool -P samba_export_all_rw=1 and that
|> |> does not work, either.
|> |>
|> |> If I setenforce 0, I can share the NTFS filesystem, but I
|> |> really do not want to do this. Can someone please give me
|> |> a workaround?
|> |
|> |You can certainly generate a local policy module that gives
|access to
|> |fusefs_t, but it would be better if we could get the context mount
|> |option to work.
|>
|> I will try anything you suggest. Let me know if you can
|> resolve this issue, otherwise let me know (in detail) how
|> to write a policy as a last resort?
|>
|> Thanks much!
|> Dan
|This looks like a bug.
Seems so. Also, I tried disabling the fuse service
and rebooted and for some reason, the fusefs still
runs? It still mounts /media files even when this
service is so-called disabled? I went back to look
to see if the service was running (it wasn't) and
even tried ps -ef| grep fuse (finding no match), so
why is fuse filesystem still running? Is that a major
bug or is it that the fuse service has no relation to
the fusefs?
Well, can I have a policy work around or will it fail
anyway due to fuse?
BTW: I am running Fedora F8.
Thanks!
Dan
More information about the fedora-selinux-list
mailing list