Samba shares...

Stephen Smalley sds at tycho.nsa.gov
Tue May 13 17:37:42 UTC 2008 

On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
> Daniel B. Thurman wrote:
> |Stephen Smalley
> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
> ||> Stephen Smalley wrote:
> ||> >> Daniel B. Thurman wrote:
> ||> >> I am not sure what is going on.  I am unable to get
> ||> >> samba shares to work for an NTFS filesystem.  I do
> ||> >> have several shares working for ext3 filesystems.
> ||> >> 
> ||> >> Here is what I did:
> ||> >> 
> ||> >> 1) Create an empty directory: /AV
> ||> >> 2) chcon -t samba_share_t /AV
> ||> >> 3) chmod 775 !$
> ||> >> 4) chgrp avusers !$
> ||> >> 5) Add to fstab
> ||> >>    /dev/sda1 /AV ntfs defaults 1 2
> |   [snipped!]
> ||
> ||It is just another mount option, so you can just do something like:
> ||/dev/sda1 /AV ntfs 
> |defaults,context=system_u:object_r:samba_share_t 1 2
> |
> |Yes, I thought so.  I tried that and the context does not
> |change.  Any ideas?
> 
> Mounting an NTFS filesystem even with context options,
> the context always remains as fusefs_t. I am allowed
> to change the context on the directory before the mount,
> but not after the mount. After mounting, I am not allowed
> to chcon the mounted FS as it says that the Operation is
> not allowed.

Can you confirm that if you umount /AV and then mount it with the
context= option that it really doesn't work for you?  You do have to
umount it though if you previously mounted it w/o the context option to
make the option take affect.

I'm not sure why a context mount option wouldn't work for fuse - Eric?

fuse itself won't let you chcon (setxattr) the files unless the
filesystem supports setxattr, which is why you get Operation not
supported there.

> I even tried: setsebool -P samba_export_all_rw=1 and that
> does not work, either.
> 
> If I setenforce 0, I can share the NTFS filesystem, but I
> really do not want to do this.  Can someone please give me
> a workaround?

You can certainly generate a local policy module that gives access to
fusefs_t, but it would be better if we could get the context mount
option to work.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list