Samba shares...

Daniel J Walsh dwalsh at redhat.com
Tue May 13 18:46:06 UTC 2008



Daniel B. Thurman wrote:
> Stephen Smalley wrote:
> |On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
> |> Daniel B. Thurman wrote:
> |> |Stephen Smalley
> |> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
> |> ||> Stephen Smalley wrote:
> |> ||> >> Daniel B. Thurman wrote:
> |> ||> >> I am not sure what is going on.  I am unable to get
> |> ||> >> samba shares to work for an NTFS filesystem.  I do
> |> ||> >> have several shares working for ext3 filesystems.
> |> ||> >> 
> |> ||> >> Here is what I did:
> |> ||> >> 
> |> ||> >> 1) Create an empty directory: /AV
> |> ||> >> 2) chcon -t samba_share_t /AV
> |> ||> >> 3) chmod 775 !$
> |> ||> >> 4) chgrp avusers !$
> |> ||> >> 5) Add to fstab
> |> ||> >>    /dev/sda1 /AV ntfs defaults 1 2
> |> |   [snipped!]
> |> ||
> |> ||It is just another mount option, so you can just do something like:
> |> ||/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
> |> |
> |> |Yes, I thought so.  I tried that and the context does not
> |> |change.  Any ideas?
> |> 
> |> Mounting an NTFS filesystem even with context options,
> |> the context always remains as fusefs_t. I am allowed
> |> to change the context on the directory before the mount,
> |> but not after the mount. After mounting, I am not allowed
> |> to chcon the mounted FS as it says that the Operation is
> |> not allowed.
> |
> |Can you confirm that if you umount /AV and then mount it with the
> |context= option that it really doesn't work for you?  You do have to
> |umount it though if you previously mounted it w/o the context option to
> |make the option take effect.
> 
> Yes, I can confirm that adding context= to the option line
> in /etc/fstab does not seem to do anything, i.e. the context
> does not change and remains fusefs_t.  I tried several times,
> and even tried the fscontext= as well, neither seems to work.
> 
> I was forced to reboot sometimes since I was not at times
> able to unmount the /AV filesystem, it sometimes reports
> that the /AV filesystem was 'busy'.  This seems to happen
> if I mount/unmount several times then it says 'busy',
> preventing me from unmounting. Hmm.
> 
> |I'm not sure why a context mount option wouldn't work for fuse - Eric?
> |
> |fuse itself won't let you chcon (setxattr) the files unless the
> |filesystem supports setxattr, which is why you get Operation not
> |supported there.
> |
> |> I even tried: setsebool -P samba_export_all_rw=1 and that
> |> does not work, either.
> |> 
> |> If I setenforce 0, I can share the NTFS filesystem, but I
> |> really do not want to do this.  Can someone please give me
> |> a workaround?
> |
> |You can certainly generate a local policy module that gives access to
> |fusefs_t, but it would be better if we could get the context mount
> |option to work.
> 
> I will try anything you suggest.  Let me know if you can
> resolve this issue, otherwise let me know (in detail) how
> to write a policy as a last resort?
> 
> Thanks much!
> Dan

This looks like a bug.

If you are using Fedora 9 policy, it has a boolean:

samba_share_fusefs


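A check for the situation discussed in this thread, added here as an example (it is not code from any of the posters): it reads mount-table text in /proc/mounts format and reports whether the mount behind a share path is a FUSE mount and whether a `context=` option is actually in effect on it. The function names, the sample mount table and the `fuseblk` type shown for the NTFS mount are assumptions.

```shell
#!/bin/sh
# Classify the mount that backs a Samba share path.
# Prints one of:
#   fuse-default  FUSE mount without context=; files are labeled fusefs_t,
#                 so Samba access depends on policy for fusefs_t (the reply
#                 above names the Fedora 9 boolean samba_share_fusefs;
#                 inspect it with getsebool, set it with setsebool -P)
#   fuse-context  FUSE mount whose active options carry a context= label
#   native        non-FUSE filesystem; label it with chcon as on ext3
#   unknown       no mount entry covers the path
share_mount_status() {
    # $1 = mounts file (/proc/mounts, or - for stdin), $2 = share path
    awk -v path="$2" '
        {
            mp = $2
            # A mount point covers the path if it equals it or is a parent.
            covers = (mp == "/") || (path == mp) || (index(path, mp "/") == 1)
            # Longest match wins; >= lets a later overmount replace an earlier one.
            if (covers && length(mp) >= best_len) {
                best_len = length(mp); fstype = $3; opts = $4
            }
        }
        END {
            if (best_len == 0) { print "unknown"; exit }
            if (fstype !~ /^fuse/) { print "native"; exit }
            # Whole-option match, so fscontext=/defcontext= do not count.
            if (("," opts ",") ~ /,context=/) print "fuse-context"
            else print "fuse-default"
        }' "$1"
}

# Constructed sample in /proc/mounts format (not taken from the poster's system).
sample_mounts() {
    cat <<'EOF'
/dev/sdb2 / ext3 rw 0 0
/dev/sda1 /AV fuseblk rw,nosuid,nodev,allow_other,blksize=4096 0 0
/dev/sdc1 /media/usb fuseblk rw,context=system_u:object_r:samba_share_t:s0,allow_other 0 0
/dev/sdb3 /srv/share ext3 rw 0 0
EOF
}

# Example run against the constructed table.
sample_mounts | share_mount_status - /AV/music
```

On a live system, run `share_mount_status /proc/mounts /AV` after unmounting and remounting, since the active option list is what shows whether `context=` from fstab reached the mount.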



More information about the fedora-selinux-list mailing list