Paul,

I hadn't thought to try that, but I am very interested in keeping plaintext passwords out of /etc if at all possible. I would ideally like to also have a couple of shares mounted this way that relate to my "domain" user at login. Right now I leave the password out and have to type the cifs password for each share at startup.

For example: mount via fstab the following share:

//server/<loginname> ("Home Share")

with the following credentials file:

/home/<loginname>/.smb/server

Eric Anderson
Communication Systems Engineer
PLEXSYS Interface Products, Inc.
E-mail: eric.anderson@xxxxxxxxxxxxxx
Phone: (405) 734-6090
Fax: (405) 734-6153

Paul Howarth wrote:
| Eric Anderson wrote:
|> All,
|>
|> I have run into a problem with reading a credentials file from fstab
|> at startup. I have been working with Dan Walsh and have at least a
|> temporary resolution. Details of our e-mail conversation are below:
|>
|> The problem:
|>
|> I get Error 13 talking about access denied to the credentials file. If
|> SELinux is set to permissive, this is not an issue. I have tried 20
|> different searches on google, samba.org and several fedora sites to try
|> to get the context required for the credentials file to be accessible
|> to the startup scripts that process fstab.
|>
|> current SELinux context of credentials file:
|> # ls -lZ /root/.smb/yyy
|> -rw-r----- root root system_u:object_r:user_home_t:s0 /root/.smb/yyy
|>
|> fstab entry:
|> //mtc1-server/progs /media/mtc1-server/progs cifs ip=xxx.xxx.xxx.xxx,credentials=/root/.smb/yyy,uid=aaaa,gid=aaaa,file_mode=0664,dir_mode=0775 0 0
|>
|> If I use "su -" and manually mount the share, passing only the
|> directory to the mount command, it completes with no errors. This is
|> only an issue at startup.
|>
|> The Resolution:
|>
|> You should execute
|> # grep mount_t /var/log/audit/audit.log | audit2allow -M mysamba
|> # semodule -i mysamba.pp
|>
|> This will add the new rule.
|>
|> If anybody wants/needs more details, feel free to contact me.
|
| The solution I use, which I think is cleaner, is to put the credentials
| file in /etc/samba (where it should be labelled samba_etc_t) and to set
| the allow_mount_anyfile boolean:
|
| # setsebool -P allow_mount_anyfile 1
|
| No local policy module needed.
|
| Paul.
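The thread turns on where a cifs credentials= file lives: under the Fedora targeted policy Paul describes, mount_t can read a file labelled samba_etc_t (/etc/samba) but not one labelled user_home_t (/root, /home) unless allow_mount_anyfile is set. The following is an added example, not code from the list thread, that audits fstab text for cifs entries and reports that location class, plus an inline password= (which lands in the world-readable fstab) and a missing credentials option (the prompt-at-boot case Eric mentions). The directory-to-label mapping, the sample fstab, the 192.0.2.10 address and the uid/gid values are constructed assumptions.

```python
# Added example (not from the thread): audit fstab text for cifs mounts and
# report where each credentials= file lives. Assumption: /etc/samba files are
# labelled samba_etc_t (readable by mount_t) while /root and /home files are
# user_home_t (blocked at boot unless allow_mount_anyfile is enabled).
import os
import stat

SAMBA_ETC_DIRS = ("/etc/samba/",)   # samba_etc_t (assumed mapping)
HOME_DIRS = ("/root/", "/home/")    # user_home_t (assumed mapping)


def parse_fstab(text):
    """Return (device, mountpoint, fstype, [options]) for each non-comment entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; nothing to audit
        entries.append((fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries


def credentials_path(options):
    """Return the value of a credentials= option, or None if absent."""
    for opt in options:
        if opt.startswith("credentials="):
            return opt.split("=", 1)[1]
    return None


def classify(path):
    """Map a credentials file path to the label class it would receive."""
    if any(path.startswith(d) for d in SAMBA_ETC_DIRS):
        return "samba_etc"
    if any(path.startswith(d) for d in HOME_DIRS):
        return "home"
    return "other"


def audit_fstab(text):
    """Return (mountpoint, finding, credentials_path) for every cifs entry.

    finding is one of:
      "password-in-fstab"        - password= given inline in fstab
      "no-credentials"           - neither option present (prompted at mount)
      "samba_etc"/"home"/"other" - location class of the credentials file
    """
    findings = []
    for _device, mountpoint, fstype, options in parse_fstab(text):
        if fstype != "cifs":
            continue
        cred = credentials_path(options)
        if cred is None:
            if any(o.startswith("password=") for o in options):
                findings.append((mountpoint, "password-in-fstab", None))
            else:
                findings.append((mountpoint, "no-credentials", None))
            continue
        findings.append((mountpoint, classify(cred), cred))
    return findings


def mode_is_private(mode):
    """True if a file mode grants no group or other permissions at all."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def permissions_ok(path):
    """True if the credentials file exists and only its owner can read it."""
    try:
        return mode_is_private(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


# Constructed sample fstab modelled on the entries in the thread; the address,
# uid/gid and password values are placeholders.
SAMPLE_FSTAB = """\
# <device> <mountpoint> <type> <options> <dump> <pass>
//mtc1-server/progs /media/mtc1-server/progs cifs ip=192.0.2.10,credentials=/root/.smb/yyy,uid=1000,gid=1000,file_mode=0664,dir_mode=0775 0 0
//server/eric /home/eric/share cifs credentials=/etc/samba/cred-server,uid=1000 0 0
//server/other /mnt/other cifs username=eric,password=CONSTRUCTED 0 0
/dev/sda1 / ext3 defaults 1 1
"""

if __name__ == "__main__":
    for mountpoint, finding, cred in audit_fstab(SAMPLE_FSTAB):
        print(f"{mountpoint}: {finding}" + (f" ({cred})" if cred else ""))
```

Run it against the real file with `audit_fstab(open("/etc/fstab").read())`; a "home" finding is the situation from the thread (expect an AVC denial on mount_t at boot), and `permissions_ok()` on the reported path confirms the file itself is not group- or world-readable regardless of its label.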