Samba shares...

Daniel B. Thurman dant at cdkkt.com
Tue May 13 18:30:27 UTC 2008


Stephen Smalley wrote:
|On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
|> Daniel B. Thurman wrote:
|> |Stephen Smalley
|> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> ||> Stephen Smalley wrote:
|> ||> >> Daniel B. Thurman wrote:
|> ||> >> I am not sure what is going on.  I am unable to get
|> ||> >> samba shares to work for an NTFS filesystem.  I do
|> ||> >> have several shares working for ext3 filesystems.
|> ||> >> 
|> ||> >> Here is what I did:
|> ||> >> 
|> ||> >> 1) Create an empty directory: /AV
|> ||> >> 2) chcon -t samba_share_t /AV
|> ||> >> 3) chmod 775 !$
|> ||> >> 4) chgrp avusers !$
|> ||> >> 5) Add to fstab
|> ||> >>    /dev/sda1 /AV ntfs defaults 1 2
|> |   [snipped!]
|> ||
|> ||It is just another mount option, so you can just do something like:
|> ||/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
|> |
|> |Yes, I thought so.  I tried that and the context does not
|> |change.  Any ideas?
|> 
|> Mounting an NTFS filesystem even with context options,
|> the context always remains as fusefs_t. I am allowed
|> to change the context on the directory before the mount,
|> but not after the mount. After mounting, I am not allowed
|> to chcon the mounted FS as it says that the Operation is
|> not allowed.
|
|Can you confirm that if you umount /AV and then mount it with the
|context= option that it really doesn't work for you?  You do have to
|umount it though if you previously mounted it w/o the context option to
|make the option take effect.

Yes, I can confirm that adding context= to the option line
in /etc/fstab does not seem to do anything, i.e. the context
does not change and remains fusefs_t.  I tried several times,
and even tried the fscontext= as well, neither seems to work.

I was forced to reboot sometimes since I was not at times
able to unmount the /AV filesystem, it sometimes reports
that the /AV filesystem was 'busy'.  This seems to happen
if I mount/unmount several times then it says 'busy',
preventing me from unmounting. Hmm.

|I'm not sure why a context mount option wouldn't work for fuse - Eric?
|
|fuse itself won't let you chcon (setxattr) the files unless the
|filesystem supports setxattr, which is why you get Operation not
|supported there.
|
|> I even tried: setsebool -P samba_export_all_rw=1 and that
|> does not work, either.
|> 
|> If I setenforce 0, I can share the NTFS filesystem, but I
|> really do not want to do this.  Can someone please give me
|> a workaround?
|
|You can certainly generate a local policy module that gives access to
|fusefs_t, but it would be better if we could get the context mount
|option to work.

I will try anything you suggest.  Let me know if you can
resolve this issue, otherwise let me know (in detail) how
to write a policy as a last resort?

Thanks much!
Dan
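As an added illustration of the "local policy module" route mentioned above (example written for this page, not code from the thread or from the Fedora policy), here is a refpolicy-style module that grants smbd_t access to fusefs_t; the type names, the fs_manage_fusefs_* interfaces and the build commands assume the selinux-policy-devel headers shipped with Fedora's targeted policy:

```te
# local_samba_fusefs.te -- constructed example, not from the thread.
# Assumes refpolicy development headers (selinux-policy-devel on
# Fedora) and the types smbd_t / fusefs_t from the targeted policy.
policy_module(local_samba_fusefs, 1.0)

require {
        type smbd_t;
        type fusefs_t;
}

# Let the Samba daemon manage directories and files on fusefs_t
# mounts (NTFS via ntfs-3g is one). This is broader than a per-share
# context= label: it covers every FUSE mount on the host, so it is
# a fallback when the context mount option cannot be made to work,
# and still far narrower than setenforce 0.
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)

# Build and load (as root):
#   make -f /usr/share/selinux/devel/Makefile local_samba_fusefs.pp
#   semodule -i local_samba_fusefs.pp
# Check it loaded:          semodule -l | grep local_samba_fusefs
# Check for leftover denials: ausearch -m avc -c smbd
```

If ausearch still reports smbd denials after loading the module, they name the additional class/permission pairs the share needs; add only those rather than widening the rules.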