samba & selinux

John Summerfield debian at herakles.homelinux.org
Fri Nov 2 06:39:03 UTC 2007


McGuffey, David C. wrote:
> Have had an interesting time getting samba to serve up files on F7.
> After doing a lot of rtfm and tinkering, it will share test files in
> /mnt/winxp_data for both localhost and remote windowz boxes on the LAN.
> However when I remove the test files (created with 'touch') and mount an
> ntfs partition, I get an selinux error. From the error I deduce that the
> selinux type for winxp_data is fusefs_t, and it needs to be
> samba_share_t.
> 

I expect it will work when you find the magic incantation of the mount 
command. I think you need to override the context.

This is how I mounted an ISO so I could serve it from Apache:
/var/local/mirrors/linux/ScientificLinux/5.0/SL-5.0-050407-i386-DVD.iso /mnt/SL5 iso9660 ro,nosuid,nodev,noexec,loop,context=system_u:object_r:httpd_sys_content_t:s0 0 0

That's all one line


> But when I try to change the type (using the guidance in the selinux
> error message) I get another error.  
> 
> Is it the way I'm mounting the ntfs partition? Have read that mounting
> ntfs partitions and sharing them with samba is problematic.  Some report
> success by doing the following in fstab:
> 	/dev/sdb2	/mnt/winxp_data	ntfs	defaults	1 2
> But that doesn't seem to solve the problem...at least in my case.
> 
> In the end, I'll be formatting /dev/sdb2 as an ext3 partition, and
> copying all of my ntfs data to it from /dev/sdb1, and then sharing out
> the data from a linux partition. /dev/sdb1 will remain for dual-boot to
> WinXP until my conversion to linux is complete. But for now, I'd like to
> get samba to share this ntfs partition.  Any tips?
> 
> selinux error message:
> 
> Summary
>     SELinux is preventing samba (/usr/sbin/smbd) "getattr" to
> /mnt/winxp_data (fusefs_t).
> 
> Detailed Description
>     SELinux denied samba access to /mnt/winxp_data. If you want to share
> this directory with samba it has to have a file context label of
> samba_share_t.
>     If you did not intend to use /mnt/winxp_data as a samba repository
> it could indicate either a bug or it could signal a intrusion attempt.
> 
> Allowing Access
>     You can alter the file context by executing chcon -R -t
> samba_share_t
>     /mnt/winxp_data
> 
>     The following command will allow this access:
>     chcon -R -t samba_share_t /mnt/winxp_data
> 
> Additional Information        
> 
> Source Context                system_u:system_r:smbd_t
> Target Context                system_u:object_r:fusefs_t
> Target Objects                /mnt/winxp_data [ dir ]
> Affected RPM Packages         samba-3.0.26a-0.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-48.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.samba_share
> Host Name                     desk.x.x
> Platform                      Linux desk.x.x 2.6.23.1-10.fc7 #1 SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
> Alert Count                   7
> First Seen                    Mon 29 Oct 2007 07:15:02 PM EDT
> Last Seen                     Wed 31 Oct 2007 09:40:07 PM EDT
> Local ID                      x
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { getattr } for comm="smbd" dev=sdb2 egid=500 euid=500
> exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0
> path="/mnt/winxp_data" pid=2856 scontext=system_u:system_r:smbd_t:s0
> sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=500
> 
> 
> [root at desk ~]# ls --lcontext /mnt
> total 4
> drwxrwxrwx 1 system_u:object_r:fusefs_t       root root 4096 2007-10-30 21:09 winxp_data
> [root at desk ~]# chcon -t samba_share_t /mnt/winxp_data
> chcon: failed to change context of /mnt/winxp_data to
> system_u:object_r:samba_share_t: Operation not supported 
> [root at desk ~]#
> 
> Dave McGuffey
> Principal Information System Security Engineer // NSA-IEM, NSA-IAM
> SAIC, IISBU, Columbia, MD
> 
> 


-- 

Cheers
John

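The mount-time relabelling John describes, as an added example that is not part of the original thread: a POSIX shell script that audits fstab entries for filesystem types which cannot store per-file SELinux labels (chcon fails on them with "Operation not supported", exactly as in Dave's output) and flags those mounted without a context= option, plus a helper that builds the fstab entry carrying samba_share_t. The sample fstab text, the /mnt/share entry and the function names are constructed for this example; only the /dev/sdb2 line is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread).  Filesystems such as ntfs-3g
# (labelled fusefs_t) or vfat cannot store per-file SELinux labels, so chcon
# fails on them with "Operation not supported"; the only way to give their
# contents the samba_share_t label is the context= mount option, which labels
# the whole filesystem at mount time.  This script audits fstab entries for
# such filesystems and reports which ones lack a context= option.

# Constructed sample fstab: only the /dev/sdb2 line is taken from the thread.
SAMPLE_FSTAB='
# <device>  <mount point>    <type>   <options>                                                       <dump> <pass>
/dev/sda1   /                ext3     defaults                                                        1 1
/dev/sdb2   /mnt/winxp_data  ntfs     defaults                                                        1 2
/dev/sdb3   /mnt/share       ntfs-3g  nosuid,nodev,noexec,context=system_u:object_r:samba_share_t:s0  0 0
'

# Print the SELinux type named by a context= mount option and return 0;
# return 1 (printing nothing) if the options field carries no context=.
# $1 is the comma-separated options field of one fstab entry.
context_type() {
    for opt in $(printf '%s' "$1" | tr ',' ' '); do
        case $opt in
            context=*)
                # A context is user:role:type[:level]; the type is field 3.
                printf '%s\n' "${opt#context=}" | cut -d: -f3
                return 0
                ;;
        esac
    done
    return 1
}

# Emit one line per entry whose filesystem type cannot hold labels:
#   "<mount point> OK <type>"        if it mounts with context=
#   "<mount point> MISSING <fstype>" if it relies on the default label
# $1 is the fstab text.
audit_fstab() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts _rest; do
        case $dev in ''|'#'*) continue ;; esac        # blank and comment lines
        case $fstype in
            ntfs|ntfs-3g|fuse|fuseblk|vfat|msdos) ;;  # no xattr-backed labels
            *) continue ;;
        esac
        if t=$(context_type "$opts"); then
            printf '%s OK %s\n' "$mnt" "$t"
        else
            printf '%s MISSING %s\n' "$mnt" "$fstype"
        fi
    done
}

# Build the fstab entry that gives a whole partition the samba_share_t label
# (John's approach, keeping the nosuid/nodev/noexec hardening from his ISO line).
# $1 device, $2 mount point, $3 filesystem type.
samba_fstab_line() {
    printf '%s\t%s\t%s\tnosuid,nodev,noexec,context=system_u:object_r:samba_share_t:s0\t0 0\n' \
        "$1" "$2" "$3"
}

audit_fstab "$SAMPLE_FSTAB"
samba_fstab_line /dev/sdb2 /mnt/winxp_data ntfs-3g
```

After replacing the `defaults` entry with the generated one, unmount and mount the partition again (a plain remount does not change the context), then confirm with `ls -Z /mnt/winxp_data` that the directory shows samba_share_t; chcon will still fail on it, which is expected, because the label now comes from the mount rather than from extended attributes. Later selinux-policy releases also ship a samba_share_fusefs boolean (`setsebool -P samba_share_fusefs on`) that lets smbd read fusefs_t without relabelling at all; `getsebool -a | grep samba` shows whether the policy on a given system offers it.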