Daniel J Walsh
dwalsh at redhat.com
Tue May 13 18:46:06 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Daniel B. Thurman wrote:
> Stephen Smalley wrote:
> |On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
> |> Daniel B. Thurman wrote:
> |> |Stephen Smalley
> |> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
> |> ||> Stephen Smalley wrote:
> |> ||> >> Daniel B. Thurman wrote:
> |> ||> >> I am not sure what is going on. I am unable to get
> |> ||> >> samba shares to work for an NTFS filesystem. I do
> |> ||> >> have several shares working for ext3 filesystems.
> |> ||> >>
> |> ||> >> Here is what I did:
> |> ||> >>
> |> ||> >> 1) Create an empty directory: /AV
> |> ||> >> 2) chcon -t samba_share_t /AV
> |> ||> >> 3) chmod 775 !$
> |> ||> >> 4) chgrp avusers !$
> |> ||> >> 5) Add to fstab
> |> ||> >> /dev/sda1 /AV ntfs defaults 1 2
> |> | [snipped!]
> |> ||
> |> ||It is just another mount option, so you can just do something like:
> |> ||/dev/sda1 /AV ntfs
> |> |defaults,context=system_u:object_r:samba_share_t 1 2
> |> |
> |> |Yes, I thought so. I tried that and the context does not
> |> |change. Any ideas?
> |> Mounting an NTFS filesystem even with context options,
> |> the context always remains as fusefs_t. I am allowed
> |> to change the context on the directory before the mount,
> |> but not after the mount. After mounting, I am not allowed
> |> to chcon the mounted FS as it says that the Operation is
> |> not allowed.
> |Can you confirm that if you umount /AV and then mount it with the
> |context= option that it really doesn't work for you? You do have to
> |umount it though if you previously mounted it w/o the context option to
> |make the option take affect.
> Yes, I can confirm that adding context= to the option line
> in /etc/fstab does not seem to do anything, i.e. the context
> does not change and remains fusefs_t. I tried several times,
> and even tried the fscontext= as well, neither seems to work.
> I was forced to reboot sometimes since I was not at times
> able to unmount the /AV filesystem, it sometimes reports
> that the /AV filesystem was 'busy'. This seems to happen
> if I mount/unmount several times then it says 'busy',
> preventing me from unmounting. Hmm.
> |I'm not sure why a context mount option wouldn't work for fuse - Eric?
> |fuse itself won't let you chcon (setxattr) the files unless the
> |filesystem supports setxattr, which is why you get Operation not
> |supported there.
> |> I even tried: setsebool -P samba_export_all_rw=1 and that
> |> does not work, either.
> |> If I setenforce 0, I can share the NTFS filesystem, but I
> |> really do not want to do this. Can someone please give me
> |> a workaround?
> |You can certainly generate a local policy module that gives access to
> |fusefs_t, but it would be better if we could get the context mount
> |option to work.
> I will try anything you suggest. Let me know if you can
> resolve this issue, otherwise let me know (in detail) how
> to write a policy as a last resort?
> Thanks much!
This looks like a bug.
If you are using fedora 9 policy it has a boolean
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list