Changing Permissions

Scot Elkington elkingto at lasp.colorado.edu
Mon Feb 21 17:37:21 UTC 2005


Hi John-- this isn't really an SELinux issue, so I'm replying off-line.
If it helps, here's what I did for a similar setup in a fashion that makes
some use of the standard unix/linux DAC-based security system.

Your fat32 partition is being mounted by default with owner/group of root.
A solution for me was to change the group assigned to that partition, then
associate those users I wanted to allow access to the fat32 partition with
that group.  By giving read/write/execute permissions to that group,
non-root users can access the partition.

So create a group for the people you wish to allow access to your windows
partition.  For example, from the command line in fedora, type
system-config-users, or otherwise select 'Users and Groups' from the
'System Settings' menu.  In the resulting window, click the 'Add Group'
button and create a name for your windows-users group (I named my group
"dos").  Now click the 'groups' tab and you should see your newly-created
group, along with the Group ID number of your group, a three-digit number
like '502'.  Make a note of your new group ID number.  (You can also find
the group ID by examining the file /etc/group.)

Now double-click your new group, and click on the 'Group Users' tab in the
new window.  There will be a whole slew of system-specific users there;
find among them the usernames of those users you wish to allow access to
your windows partition and add them to the group by checking them off.
You can do the same thing by instead clicking the 'Users' tab in the main
window of the users/groups gui, double-clicking each user you wish to add,
and checking off the "DOS" group (or equivalent) in the 'Groups' tab of
the new window.

Now we need to make sure the partition gets mounted under the DOS group
each time at boot.  As root, open the file /etc/fstab ('file system
table') for editing. You should see a list of 6 or so space-delimited
fields describing each partition you mount in your installation.
Identify your windows partition, which you can probably find from the
mount point in the second column or the filesystem type in the third
column ('vfat').  In the fourth column, make sure it reads
"defaults,gid=YOURGROUPID,umask=007", where YOURGROUPID is the group ID
number of the new group noted above.

On my system, for example, the appropriate line in /etc/fstab now looks
like

  /dev/hda1    /win98    vfat  defaults,gid=502,umask=007   0  0

This tells the system to mount the windows partition at /dev/hda1 under
the root directory /win98, assign it to the group 502 (my 'dos' group),
and set default permissions to 770:  root gets read/write/execute
permissions, anyone in group DOS gets read/write/execute, and anyone not
explicitly in group DOS can neither see nor write to the windows
partition.

Now reboot.  When Linux comes back up, type 'ls -l /' at the command line
and you should see the directory your windows partition is mounted under
listed something as follows:

drwxrwx---  9 root    dos   4096  Apr 1  13:21  win98

Hope those suggestions help.  Let me know if you have any questions.

--scot

__________
Scot R. Elkington                       Voice:          303-735-0810
LASP, University of Colorado            Fax:            303-492-6444
1234 Innovation Drive                   scot.elkington at lasp.colorado.edu
Boulder, CO 80303                       http://lasp.colorado.edu/~elkingto


> Date: Sat, 19 Feb 2005 18:00:52 -0600
> From: "John Ramsbacher" <jbbacher at hotmail.com>
> Subject: Changing Permissions
> To: fedora-selinux-list at redhat.com
>
> I'm a N00b so be patient.
>
> I've installed Fedora Core 3 on a dual boot system with windows 98 (fat 32)
> and have mounted the windows partition from Fedora but find that I can only
> write to the windows partition if I'm logged in as root.  How do I change
> the permissions to allow me to write to certain folders on the windows
> partition without compromising the security built into SELinux?  Remember
> that I'm new to this so try to explain it step by step or point me to a web
> page that explains it step by step.  Much Thanks.  John
>
>
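
An added example, not part of the message above: a shell check that reads an fstab-format file and reports, for each vfat entry, the group and the mode that its gid= and umask= options produce. The function names vfat_mode and audit_fstab and every sample line except the /win98 one are constructed for this illustration; dmask= and fmask= are not handled.

```shell
#!/bin/sh
# Added example: audit vfat lines in an fstab-format file. vfat stores no Unix
# owners or modes, so access is decided entirely by the mount options.
# Only gid= and umask= are handled; dmask=/fmask= are ignored (assumption).

# vfat_mode UMASK -> mode the mount point will show: 777 & ~umask
vfat_mode() {
    case $1 in ''|*[!0-7]*) echo invalid; return 1 ;; esac
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# audit_fstab FILE -> one line per vfat entry: mountpoint gid mode verdict
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$fstype" = vfat ] || continue
        gid=unset mask=unset
        set -f; old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                gid=*)   gid=${o#gid=} ;;
                umask=*) mask=${o#umask=} ;;
            esac
        done
        IFS=$old_ifs; set +f
        if [ "$mask" = unset ]; then
            mode=default verdict=WARN     # mode falls back to the mounter's umask
        elif ! mode=$(vfat_mode "$mask"); then
            verdict=WARN                  # umask value is not octal
        else
            case $mode in
                *0) verdict=OK ;;         # "other" digit is 0: owner and group only
                *)  verdict=WARN ;;       # users outside the group get access
            esac
        fi
        [ "$gid" = unset ] && verdict=WARN  # no gid=: group is not the chosen one
        echo "$mnt gid=$gid mode=$mode $verdict"
    done < "$1"
}

# Constructed sample fstab; the /win98 line is the one from the message above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/hda2  /        ext3  defaults                     1  1
/dev/hda1  /win98   vfat  defaults,gid=502,umask=007   0  0
/dev/hdb1  /shared  vfat  defaults,gid=502,umask=002   0  0
/dev/hdb2  /old     vfat  defaults                     0  0
EOF
audit_fstab "$sample"
rm -f "$sample"
```

Run against the real table with `audit_fstab /etc/fstab`; any WARN line is a vfat mount whose options do not restrict access to the chosen group.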
