Re: mounting of samba shares via fstab in F8 (and recently updated F7)

Eric Anderson wrote:

All,

I have run into a problem with reading a credentials file from fstab
at startup. I have been working with Dan Walsh and have at least a
temporary resolution. Details of our e-mail conversation are below:

The problem:

I get Error 13 talking about access denied
to the credentials file. If SELinux is set to permissive, this is not
an issue. I have tried 20 different searches on Google, samba.org and
several Fedora sites to try to get the context required for the
credentials file to be accessible to the startup scripts that process fstab.

current SELinux context of credentials file:
# ls -lZ /root/.smb/yyy
-rw-r-----  root root system_u:object_r:user_home_t:s0 /root/.smb/yyy

fstab entry:
//mtc1-server/progs /media/mtc1-server/progs cifs ip=xxx.xxx.xxx.xxx,credentials=/root/.smb/yyy,uid=aaaa,gid=aaaa,file_mode=0664,dir_mode=0775 0 0

If I use "su -" and manually mount the share, passing only the
directory to the mount command, it completes with no errors. This is
only an issue at startup.


The Resolution:


You should execute
# grep mount_t /var/log/audit/audit.log | audit2allow -M mysamba
# semodule -i mysamba.pp

This will add the new rule.

If anybody wants/needs more details, feel free to contact me.

The solution I use, which I think is cleaner, is to put the credentials file in /etc/samba (where it should be labelled samba_etc_t) and to set the allow_mount_anyfile boolean:

# setsebool -P allow_mount_anyfile 1

No local policy module needed.

Paul.
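
An added example, not part of either message in the thread: `grep mount_t` matches every audit line that mentions mount_t, including ones where it is only the target, so it is worth listing exactly which denials would become allow rules before running `semodule -i`. The sample records (pids, inode numbers, timestamps, `example_t`, `exampled`) are constructed for illustration, and `summarize_mount_denials` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample audit records (not from the thread). The third record
# mentions mount_t only as the *target*, yet a plain "grep mount_t" keeps it.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1200000000.101:41): avc:  denied  { read } for  pid=1701 comm="mount.cifs" name="yyy" dev=dm-0 ino=98765 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1200000000.102:42): avc:  denied  { search } for  pid=1701 comm="mount.cifs" name=".smb" dev=dm-0 ino=98760 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1200000000.103:43): avc:  denied  { signal } for  pid=1800 comm="exampled" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=AVC msg=audit(1200000300.101:77): avc:  denied  { read } for  pid=1650 comm="mount.cifs" name="yyy" dev=dm-0 ino=98765 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Print "count source_type target_type class perms" for each distinct denial
# whose *source* domain is mount_t, i.e. the access a local module would grant.
# Reads the files given as arguments, or stdin when none are given.
summarize_mount_denials() {
    awk '
    /avc: +denied/ {
        s = t = c = p = ""
        for (i = 1; i <= NF; i++) {
            # Context is user:role:type:level, so the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s != "mount_t") next
        # Permissions are the words between "{ " and " }".
        open = index($0, "{"); close_at = index($0, "}")
        if (open && close_at > open) p = substr($0, open + 2, close_at - open - 3)
        n[s " " t " " c " " p]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort
}

# Run against the constructed sample; on a real system pass
# /var/log/audit/audit.log as the argument instead.
sample_audit_log | summarize_mount_denials
```

If the summary shows mount_t reading user_home_t files, that is the access the generated module will permit from then on, which is the trade-off against relabelling or moving the credentials file.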

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
