SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

Daniel J Walsh dwalsh at redhat.com
Mon Dec 31 21:00:17 UTC 2007



Chris Danezis wrote:
> I am facing the exact same issues, not only when dealing with ntfs-3g
> drives, but with my RAID hard drive and my external drive also (both mounted
> as vfat). I went through all the aforementioned steps and I still haven't
> managed to resolve the issue.
> 
> On Dec 17, 2007 1:27 AM, Craig Niederberger <craignied at gmail.com> wrote:
> 
>> sudo /usr/sbin/setsebool -P samba_run_unconfined 1
>>
>> Strangely, exactly the same AVC denial.  Anything else I can try,
>> short of turning off SELinux, which I'd prefer not to do?
>>
>> Many thanks,
>> Craig
>>
>> On Dec 16, 2007 11:09 AM, Josef Kubin <jkubin at redhat.com> wrote:
>>> Hi, it looks like you rediscovered a bug ...
>>>
>>> Craig Niederberger wrote:
>>>> Thanks for answering my post, Josef.  Unfortunately, I'm getting
>>>> exactly the same AVC denial and message when trying to access the
>>>> drive from vmware.  The odd thing is, I can access my home directory
>>>> from vmware without problem.  The /etc/fstab entry now reads:
>>>>
>>>> /dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000,context=system_u:system_r:samba_share_t 0 0
>>> I've tried to investigate things a little bit;
>>> in this case the forced context is completely ignored ...
>>>
>>> [root@localhost vmware]# ls -Z /mnt/
>>> drwxr-xr-x  root root system_u:object_r:mnt_t:s0       foo
>>>
>>> [root@localhost vmware]# mount -t ntfs-3g -o loop,offset=32256,context=blabla ntfsImg-flat /mnt/foo/
>>>
>>> [root@localhost vmware]# ls -Z /mnt/
>>> drwxrwxrwx  root root system_u:object_r:fusefs_t:s0    foo
>>>
>>> [root@localhost vmware]# umount /mnt/foo/
>>>
>>> [root@localhost vmware]# mount -t ntfs-3g -o context=blabla:bleble:blabla,loop,offset=32256 ntfsImg-flat /mnt/foo/
>>>
>>> [root@localhost vmware]# ls -Z /mnt/
>>> drwxrwxrwx  root root system_u:object_r:fusefs_t:s0    foo
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> But not in this case.
>>>
>>> [root@localhost vmware]# cat /dev/zero > file
>>> [root@localhost vmware]# mkfs.ext3 file
>>> ...
>>> [root@localhost vmware]# mount -o loop,context=system_u:object_r:httpd_sys_content_t:s0 file /mnt/foo/
>>>
>>> [root@localhost vmware]# ls -Z /mnt/
>>> drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 foo
>>>
>>> Similar bug(s) have already been reported.
>>> https://bugzilla.redhat.com/show_bug.cgi?id=216846
>>>
>>>
>>> The following command should help :-(
>>>
>>> # setsebool -P samba_run_unconfined 1
>>>
>>> Bye.
>>> Josef
>>>
>>>
>>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>

You can update your policy to allow this:

# grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
# semodule -i mysamba.pp

Then please open a bugzilla on this.  It might be a kernel problem.   Or
we can fix it in policy.
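A review step for the module suggested in the reply above, as an added example that is not part of the original message: `grep fusefs_t` selects every denial that mentions that type, so the generated module can allow more domains than Samba. The function names and the sample audit records below are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what a module built from "grep fusefs_t ... | audit2allow"
# would allow, grouped by source domain, before it is loaded with semodule -i.

# Constructed sample AVC records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1198800000.101:41): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/mnt/media" dev=sdd1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1198800000.102:42): avc:  denied  { search } for  pid=2101 comm="smbd" name="media" dev=sdd1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1198800000.103:43): avc:  denied  { read } for  pid=2101 comm="smbd" name="a.txt" dev=sdd1 ino=9 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1198800000.104:44): avc:  denied  { read } for  pid=2300 comm="httpd" name="a.txt" dev=sdd1 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1198800000.105:45): avc:  denied  { read } for  pid=2101 comm="smbd" name="x" dev=sda1 ino=3 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
EOF
}

# summarize_denials TARGET_TYPE [SOURCE_TYPE]
# Reads audit records on stdin; prints one allow-style line per
# (source type, target type, class) with the set of denied permissions.
summarize_denials() {
    awk -v ttype="$1" -v stype="${2:-}" '
    /avc:[ ]+denied/ {
        s = ""; t = ""; c = ""; n = 0; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1 }            # permission list opens
            else if ($i == "}") { inb = 0 }       # permission list closes
            else if (inb) { p[++n] = $i }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        # Keep only the requested target type and, if given, source type.
        if (t != ttype || (stype != "" && s != stype)) next
        key = s " " t ":" c
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++) perms[key] = perms[key] " " p[j]
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }
    ' | LC_ALL=C sort
}

# Everything touching fusefs_t, then only what smbd_t was denied.
sample_audit_log | summarize_denials fusefs_t
sample_audit_log | summarize_denials fusefs_t smbd_t
```

On a real system the input would be `/var/log/audit/audit.log`; if the unfiltered summary lists domains other than `smbd_t`, narrow the grep before piping to `audit2allow`.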



