Re: SELinux prevents Samba from sharing NTFS mounts.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Petteri Kautonen wrote:
> Hi,
> I have F8 and every time to I try to access remotely or locally NTFS filesystems 
> that shared via Samba I get a warning (at the end of this mesage) from SELinux 
> troubleshooter and can't access the share.
> I have tried to mount the filesystem with different context's but none of them 
> seem to do anything. The shares worked with previous version of Fedora (F7). I 
> have tried to mount the NTFS volume doing the following to change it context:
> * mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o context=system_u:system_r:smbd_t
> * mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o context=system_u:object_r:smbd_t
> * mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o 
> fscontext=system_u:object_r:samba_share_t
> and various other mount options such as defcontext= and changed the context=, 
> fscontext=, and defcontext= parameter values.
> But the context stays the same (ls --lcontext):
> drwxrwxrwx  1 _system_u:object_r:fusefs_t_       root root 12288 2007-12-12 
> 21:13 petteri-c
> 
> So how I am going tho get SELinux to allow Samba to share mounted NTFS 
> filesystem? (Sorry about the newbie question :( and possibly bad english).
> SELinux is enforcing/targetted and all the booleans that refer to smbd are 
> checked allow from SELinux Administration.
> 
> /Summary
>     SELinux is preventing samba (smbd) "read" to <Unknown> (fusefs_t).
> 
> Detailed Description
>     SELinux denied samba access to <Unknown>. If you want to share this
>     directory with samba it has to have a file context label of samba_share_t.
>     If you did not intend to use <Unknown> as a samba repository it could
>     indicate either a bug or it could signal a intrusion attempt.
> 
> Allowing Access
>     You can alter the file context by executing chcon -R -t samba_share_t
>     <Unknown> You must also change the default file context files on the system
>     in order to preserve them even on a full relabel.  "semanage fcontext -a -t
>     samba_share_t <Unknown>"
> 
>     The following command will allow this access:
>     chcon -R -t samba_share_t <Unknown>
> 
> Additional Information       
> 
> Source Context                system_u:system_r:smbd_t
> Target Context                system_u:object_r:fusefs_t
> Target Objects                None [ dir ]
> Affected RPM Packages        
> Policy RPM                    selinux-policy-3.0.8-64.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.samba_share
> Host Name                     petteri
> Platform                      Linux petteri 2.6.23.8-63.fc8 #1 SMP Wed Nov 21
>                               18:51:08 EST 2007 i686 athlon
> Alert Count                   126
> First Seen                    ke 14. marraskuuta 2007 15:57:05
> Last Seen                     to 13. joulukuuta 2007 07:13:17
> Local ID                      2f2fd1b5-757e-4b37-a44f-eb76e86a81c2
> Line Numbers                 
> 
> Raw Audit Messages           
> 
> avc: denied { read } for comm=smbd dev=sda1 name=/ pid=21782
> scontext=system_u:system_r:smbd_t:s0 tclass=dir
> tcontext=system_u:object_r:fusefs_t:s0
> 
> 
> /
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You should mount them as samba_share_t

mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
context=system_u:system_r:samba_share_t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHYaCVrlYvE4MpobMRAlNtAJ9UfV6sOAhND/uks/42NURRaAvoYgCgkKln
J1bCcg2QLpKUv+Ao1dxq+eU=
=dbrj
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux