RE: Samba shares...
- From: Stephen Smalley <sds tycho nsa gov>
- To: "Daniel B. Thurman" <dant cdkkt com>
- Cc: Eric Paris <eparis parisplace org>, Daniel J Walsh <dwalsh redhat com>, "Fedora-Selinux-List \(E-mail\)" <fedora-selinux-list redhat com>
- Subject: RE: Samba shares...
- Date: Tue, 13 May 2008 13:37:42 -0400
On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
> Daniel B. Thurman wrote:
> |Stephen Smalley
> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
> ||> Stephen Smalley wrote:
> ||> >> Daniel B. Thurman wrote:
> ||> >> I am not sure what is going on. I am unable to get
> ||> >> samba shares to work for an NTFS filesystem. I do
> ||> >> have several shares working for ext3 filesystems.
> ||> >>
> ||> >> Here is what I did:
> ||> >>
> ||> >> 1) Create an empty directory: /AV
> ||> >> 2) chcon -t samba_share_t /AV
> ||> >> 3) chmod 775 !$
> ||> >> 4) chgrp avusers !$
> ||> >> 5) Add to fstab
> ||> >> /dev/sda1 /AV ntfs defaults 1 2
> | [snipped!]
> ||
> ||It is just another mount option, so you can just do something like:
> ||/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
> |
> |Yes, I thought so. I tried that and the context does not
> |change. Any ideas?
>
> Mounting an NTFS filesystem even with context options,
> the context always remains as fusefs_t. I am allowed
> to change the context on the directory before the mount,
> but not after the mount. After mounting, I am not allowed
> to chcon the mounted FS as it says that the Operation is
> not allowed.
Can you confirm that if you umount /AV and then mount it with the
context= option that it really doesn't work for you? You do have to
umount it though if you previously mounted it w/o the context option to
make the option take effect.
I'm not sure why a context mount option wouldn't work for fuse - Eric?
fuse itself won't let you chcon (setxattr) the files unless the
filesystem supports setxattr, which is why you get Operation not
supported there.
> I even tried: setsebool -P samba_export_all_rw=1 and that
> does not work, either.
>
> If I setenforce 0, I can share the NTFS filesystem, but I
> really do not want to do this. Can someone please give me
> a workaround?
You can certainly generate a local policy module that gives access to
fusefs_t, but it would be better if we could get the context mount
option to work.
--
Stephen Smalley
National Security Agency
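
The check asked for in the message above (is the filesystem really mounted with the context= option, or does it still need a umount and mount?), as an added example that is not part of the original message. It assumes a kernel that lists an active context= option in /proc/mounts; the function names and the sample entries are constructed here.

```shell
#!/bin/sh
# Compare context= requested in fstab with what the live mount table reports.

# Print the context= value from a comma-separated option string (empty if none).
# Assumption: the context holds no commas (no MLS category list).
ctx_of() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^context=//p' | tr -d '"' | head -n 1
}

# check_context FSTAB MOUNTS -> one line per fstab entry that asks for context=:
#   <mountpoint> ok|missing|unmounted <wanted-context>
check_context() {
    grep -v '^[[:space:]]*#' "$1" | while read -r dev mp fstype opts rest; do
        want=$(ctx_of "$opts")
        [ -n "$want" ] || continue          # entry does not request a context
        live=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$2")
        if [ -z "$live" ]; then
            echo "$mp unmounted $want"
        elif [ "$(ctx_of "$live")" = "$want" ]; then
            echo "$mp ok $want"
        else
            echo "$mp missing $want"        # umount, then mount again
        fi
    done
}

# Constructed sample data (not taken from a real system).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
SAMPLE_FSTAB=$tmp/fstab
SAMPLE_MOUNTS=$tmp/mounts
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
/dev/sdb1 /srv/media ntfs defaults,context=system_u:object_r:samba_share_t 1 2
/dev/sdc1 /backup ntfs defaults,context=system_u:object_r:samba_share_t 1 2
/dev/sda2 /home ext3 defaults 1 2
EOF
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 /AV fuseblk rw,nosuid,nodev,user_id=0,group_id=0,allow_other 0 0
/dev/sdb1 /srv/media fuseblk rw,context=system_u:object_r:samba_share_t,allow_other 0 0
/dev/sda2 /home ext3 rw 0 0
EOF

check_context "$SAMPLE_FSTAB" "$SAMPLE_MOUNTS"
# On a real host: check_context /etc/fstab /proc/mounts
```

A "missing" result is the case described above: the live mount was made without the option, so it has to be unmounted and mounted again before the label can change.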