sds at tycho.nsa.gov
Wed May 14 13:35:48 UTC 2008
On Wed, 2008-05-14 at 09:23 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Daniel B. Thurman wrote:
> | Stephen Smalley
> | |Daniel B. Thurman wrote:
> | |> |You can certainly generate a local policy module that gives
> | |> |access to fusefs_t, but it would be better if we could get
> | |> |the context mount option to work.
> | |>
> | |> I will try anything you suggest. Let me know if you can
> | |> resolve this issue, otherwise let me know (in detail) how
> | |> to write a policy as a last resort?
> | |
> | |To generate local policy for this issue, you'd do something like this:
> | |
> | |$ su -
> | |# ausearch -m AVC | grep fuse | audit2allow -M myfuse
> | |# semodule -i myfuse.pp
> | |
> | |Then the fuse-related denials should be allowed.
> | Uh, almost. It still will not allow me to chmod or chgrp
> | the mounted filesystem which means that I cannot write to
> | the shared NTFS filesystem without assigning the proper
> | permissions. I have set samba properties to allow writes
> | but apparently this problem resides with fuse again. Grr.
> | What can I do to allow samba shared writes?
> | Thanks!
> | Dan
> Look for additional AVC's with ausearch
> You can run the above command another time.
> You can put the machine into permissive mode and gather all of the AVC
> setenforce 0
> Run your test
> ausearch -m AVC | grep fuse | audit2allow -M myfuse
> semodule -i myfuse.pp
> setenforce 1
Is he really encountering permission denials from SELinux, or are these
denials from fuse? fuse does have special restrictions imposed on it
that wouldn't apply to the native ntfs support.
National Security Agency
More information about the fedora-selinux-list