Daniel B. Thurman
dant at cdkkt.com
Tue May 13 18:30:27 UTC 2008
Stephen Smalley wrote:
|On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
|> Daniel B. Thurman wrote:
|> |Stephen Smalley wrote:
|> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> ||> Stephen Smalley wrote:
|> ||> >> Daniel B. Thurman wrote:
|> ||> >> I am not sure what is going on. I am unable to get
|> ||> >> samba shares to work for an NTFS filesystem. I do
|> ||> >> have several shares working for ext3 filesystems.
|> ||> >>
|> ||> >> Here is what I did:
|> ||> >>
|> ||> >> 1) Create an empty directory: /AV
|> ||> >> 2) chcon -t samba_share_t /AV
|> ||> >> 3) chmod 775 !$
|> ||> >> 4) chgrp avusers !$
|> ||> >> 5) Add to fstab
|> ||> >> /dev/sda1 /AV ntfs defaults 1 2
|> | [snipped!]
|> ||It is just another mount option, so you can just do something like:
|> ||/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
|> |Yes, I thought so. I tried that and the context does not
|> |change. Any ideas?
|> Mounting an NTFS filesystem even with context options,
|> the context always remains as fusefs_t. I am allowed
|> to change the context on the directory before the mount,
|> but not after the mount. After mounting, I am not allowed
|> to chcon the mounted FS as it says that the Operation is
|> not allowed.
|Can you confirm that if you umount /AV and then mount it with the
|context= option that it really doesn't work for you? You do have to
|umount it though if you previously mounted it w/o the context option to
|make the option take effect.
Yes, I can confirm that adding context= to the option line
in /etc/fstab does not seem to do anything, i.e. the context
does not change and remains fusefs_t. I tried several times,
and even tried the fscontext= as well, neither seems to work.
I was sometimes forced to reboot, since at times I was not
able to unmount the /AV filesystem; it sometimes reports
that the /AV filesystem is 'busy'. This seems to happen
if I mount/unmount several times: then it says 'busy',
preventing me from unmounting. Hmm.
|I'm not sure why a context mount option wouldn't work for fuse - Eric?
|fuse itself won't let you chcon (setxattr) the files unless the
|filesystem supports setxattr, which is why you get Operation not
|> I even tried: setsebool -P samba_export_all_rw=1 and that
|> does not work, either.
|> If I setenforce 0, I can share the NTFS filesystem, but I
|> really do not want to do this. Can someone please give me
|> a workaround?
|You can certainly generate a local policy module that gives access to
|fusefs_t, but it would be better if we could get the context mount
|option to work.
I will try anything you suggest. Let me know if you can
resolve this issue; otherwise, let me know (in detail) how
to write a policy as a last resort.
More information about the fedora-selinux-list
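The fstab fix and the post-mount check discussed in this thread, as an added example (editor's shell script, not code from the list, from SELinux or from ntfs-3g). It assumes a context of the form user:role:type[:level] with the :s0 level field that Fedora's MCS-enabled targeted policy uses, an NTFS volume mounted through fuse (ntfs-3g), and the /AV mount point from the thread; the fstab lines and ls -dZ output it works on are constructed inline. The text helpers run anywhere; relabel_mount is the root-only step you run by hand, and the comment block at the end records the local-policy-module fallback Stephen mentions, which grants smbd access to every fuse filesystem rather than to one labelled mount.

```shell
#!/bin/sh
# Added example for the thread above (editor's code, not from the list, SELinux
# or ntfs-3g). Assumptions: contexts look like user:role:type[:level]; the :s0
# level is what Fedora's MCS-enabled targeted policy uses; /AV is an NTFS
# volume mounted through fuse, so its files carry the generic fusefs_t label
# and have no setxattr, which is why chcon fails after the mount.

# SELinux label mount options. The kernel refuses context= combined with the
# other three, so all of them are dropped before a fresh context= is appended.
LABEL_OPTS="context fscontext defcontext rootcontext"

# fstab_with_context 'fstab line' 'context' -> same line with context=<context>
# added to the options field (replacing any existing label option).
fstab_with_context() {
    printf '%s\n' "$1" | awk -v ctx="$2" -v label_opts="$LABEL_OPTS" '
    BEGIN { n = split(label_opts, lo, " "); for (i = 1; i <= n; i++) drop[lo[i]] = 1 }
    {
        n = split($4, o, ",")
        s = ""
        for (i = 1; i <= n; i++) {
            split(o[i], kv, "=")
            if (!(kv[1] in drop)) s = s (s == "" ? "" : ",") o[i]
        }
        $4 = (s == "" ? "" : s ",") "context=" ctx
        print
    }'
}

# fstab_label_type 'fstab line' -> the SELinux type named by its label option,
# or "none" when the entry relies on the filesystem's own labelling.
fstab_label_type() {
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^(context|fscontext|defcontext|rootcontext)=/) {
                sub(/^[a-z]+=/, "", o[i])
                split(o[i], c, ":")
                print c[3]
                exit
            }
        }
        print "none"
    }'
}

# label_type_from_ls 'line of ls -dZ output' -> the type field of the first
# label-looking token, so both old (mode/owner first) and new ls formats work.
label_type_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if (split($i, c, ":") >= 3) { print c[3]; exit }
        print "none"
    }'
}

# relabel_mount /AV system_u:object_r:samba_share_t:s0   (root only; the demo
# below does not call it). The fstab entry must already carry context=; a mount
# made without that option has to be unmounted first for it to take effect.
relabel_mount() {
    mp=$1; ctx=$2
    if grep -q " $mp " /proc/mounts; then
        umount "$mp" || { echo "umount $mp failed (busy?); try: fuser -vm $mp" >&2; return 1; }
    fi
    mount "$mp" || return 1
    got=$(label_type_from_ls "$(ls -dZ "$mp")")
    want=$(printf '%s\n' "$ctx" | awk -F: '{ print $3 }')
    [ "$got" = "$want" ] || { echo "$mp is still labelled $got, not $want" >&2; return 1; }
}

# Last resort from the thread: a local policy module built from the AVC denials.
# This lets smbd reach every fuse filesystem (fusefs_t), which is broader than
# labelling one mount, so prefer the context= mount when it works:
#   grep 'comm="smbd".*fusefs_t' /var/log/audit/audit.log | audit2allow -M samba_fusefs
#   semodule -i samba_fusefs.pp

# Demo on constructed text mirroring the thread's fstab entry (no real mount).
ORIG='/dev/sda1 /AV ntfs defaults 1 2'
FIXED=$(fstab_with_context "$ORIG" system_u:object_r:samba_share_t:s0)
echo "before: $ORIG   (label type: $(fstab_label_type "$ORIG"))"
echo "after:  $FIXED   (label type: $(fstab_label_type "$FIXED"))"
echo "ls -dZ check: $(label_type_from_ls 'drwxrwxr-x root avusers system_u:object_r:fusefs_t:s0 /AV')"
```

After editing /etc/fstab, relabel_mount is the check the thread asks for: it unmounts a mount made without the option, remounts from fstab, and compares the type that ls -dZ reports against the one requested, so a mount that silently keeps fusefs_t is reported instead of going unnoticed until smbd is denied.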