Samba shares...

Stephen Smalley sds at tycho.nsa.gov
Wed May 14 13:35:48 UTC 2008


On Wed, 2008-05-14 at 09:23 -0400, Daniel J Walsh wrote:
> 
> Daniel B. Thurman wrote:
> | Stephen Smalley
> | |Daniel B. Thurman wrote:
> | |> |You can certainly generate a local policy module that gives
> | |> |access to fusefs_t, but it would be better if we could get
> | |> |the context mount option to work.
> | |>
> | |> I will try anything you suggest.  Let me know if you can
> | |> resolve this issue, otherwise let me know (in detail) how
> | |> to write a policy as a last resort?
> | |
> | |To generate local policy for this issue, you'd do something like this:
> | |
> | |$ su -
> | |# ausearch -m AVC | grep fuse | audit2allow -M myfuse
> | |# semodule -i myfuse.pp
> | |
> | |Then the fuse-related denials should be allowed.
> |
> | Uh, almost.  It still will not allow me to chmod or chgrp
> | the mounted filesystem which means that I cannot write to
> | the shared NTFS filesystem without assigning the proper
> | permissions. I have set samba properties to allow writes
> | but apparently this problem resides with fuse again. Grr.
> |
> | What can I do to allow samba shared writes?
> |
> | Thanks!
> | Dan
> Look for additional AVCs with ausearch.
> 
> You can run the above command another time.
> 
> You can put the machine into permissive mode and gather all of the AVC
> messages:
> 
> setenforce 0
> Run your test
> ausearch -m AVC | grep fuse | audit2allow -M myfuse
> semodule -i myfuse.pp
> setenforce 1

Is he really encountering permission denials from SELinux, or are these
denials from fuse?  fuse does have special restrictions imposed on it
that wouldn't apply to the native ntfs support.

-- 
Stephen Smalley
National Security Agency
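
Added example, not part of the original message: one way to answer the question above from the audit log, by listing which permissions SELinux actually denied on fusefs_t and checking whether setattr (the permission chmod and chgrp need) is among them. The function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the thread).
SAMPLE_AVC='type=AVC msg=audit(1210771000.101:41): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/mnt/ntfs" dev=fuse ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1210771000.140:42): avc:  denied  { read write } for  pid=2101 comm="smbd" name="report.txt" dev=fuse ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1210771001.002:43): avc:  denied  { search } for  pid=2101 comm="smbd" name="home" dev=dm-0 ino=12 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1210771001.002:43): arch=40000003 syscall=195 success=no exit=-13 comm="smbd"'

# avc_denials TYPE (hypothetical helper): read audit records on stdin and
# print one "source_type tclass permission" line per distinct denial whose
# target context has type TYPE.
avc_denials() {
    awk -v want="$1" '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inset = 1; continue }
            if ($i == "}") { inset = 0; continue }
            if (inset) { perms = perms " " $i; continue }
            # A context is user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (tgt != want) next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, cls, p[j]
    }' | sort -u
}

# selinux_denied PERM TYPE (hypothetical helper): exit 0 if stdin contains
# an AVC denial of PERM against TYPE, 1 otherwise.
selinux_denied() {
    avc_denials "$2" | awk -v perm="$1" '$3 == perm { found = 1 } END { exit !found }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_denials fusefs_t
if printf '%s\n' "$SAMPLE_AVC" | selinux_denied setattr fusefs_t; then
    echo "setattr on fusefs_t was denied by SELinux"
else
    echo "no setattr AVC on fusefs_t: the chmod/chgrp failure is not a recorded SELinux denial"
fi
```

On a live system, feed it real records with `ausearch -m AVC | avc_denials fusefs_t`. dontaudit rules can suppress records, so an empty result is strong evidence rather than proof.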
