On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
> Daniel B. Thurman wrote:
> |Stephen Smalley
> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
> ||> Stephen Smalley wrote:
> ||> >> Daniel B. Thurman wrote:
> ||> >> I am not sure what is going on. I am unable to get
> ||> >> samba shares to work for an NTFS filesystem. I do
> ||> >> have several shares working for ext3 filesystems.
> ||> >>
> ||> >> Here is what I did:
> ||> >>
> ||> >> 1) Create an empty directory: /AV
> ||> >> 2) chcon -t samba_share_t /AV
> ||> >> 3) chmod 775 !$
> ||> >> 4) chgrp avusers !$
> ||> >> 5) Add to fstab
> ||> >>    /dev/sda1 /AV ntfs defaults 1 2
> | [snipped!]
> ||
> ||It is just another mount option, so you can just do something like:
> ||/dev/sda1 /AV ntfs
> |defaults,context=system_u:object_r:samba_share_t 1 2
> |
> |Yes, I thought so. I tried that and the context does not
> |change. Any ideas?
>
> Mounting an NTFS filesystem even with context options,
> the context always remains as fusefs_t. I am allowed
> to change the context on the directory before the mount,
> but not after the mount. After mounting, I am not allowed
> to chcon the mounted FS as it says that the Operation is
> not allowed.

Can you confirm that if you umount /AV and then mount it with the
context= option that it really doesn't work for you? You do have to
umount it though if you previously mounted it w/o the context option to
make the option take effect.

I'm not sure why a context mount option wouldn't work for fuse - Eric?

fuse itself won't let you chcon (setxattr) the files unless the
filesystem supports setxattr, which is why you get Operation not
supported there.

> I even tried: setsebool -P samba_export_all_rw=1 and that
> does not work, either.
>
> If I setenforce 0, I can share the NTFS filesystem, but I
> really do not want to do this. Can someone please give me
> a workaround?

You can certainly generate a local policy module that gives access to
fusefs_t, but it would be better if we could get the context mount
option to work.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
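
Added example, not part of the original message or of any project's code: a shell check for the confirmation step asked for above, comparing the context= option requested in fstab with what the active mount actually carries. It assumes the kernel lists SELinux mount options in the mount table (/proc/mounts layout); the function names and the sample mount-table lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; mount tables are constructed.

# Print the context= value of the entry for mount point $2 in table $1
# (fstab or /proc/mounts layout). Exit status 1 if $2 is not listed.
ctx_opt() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            found = 1; val = ""; opts = "," $4
            # The leading comma keeps fscontext=/defcontext= from matching.
            if (match(opts, /,context="[^"]*"/))      # quoted: value has commas
                val = substr(opts, RSTART + 10, RLENGTH - 11)
            else if (match(opts, /,context=[^,]*/))
                val = substr(opts, RSTART + 9, RLENGTH - 9)
        }
        END { if (found) print val; exit(found ? 0 : 1) }' "$1"
}

# Returns 0 if the active mount carries the requested type, 1 if it does not
# (umount and mount again), 2 if not mounted, 3 if fstab requests no context.
check_context_mount() {   # $1 = fstab, $2 = mount table, $3 = mount point
    want=$(ctx_opt "$1" "$3") || want=""
    [ -n "$want" ] || { echo "$3: no context= in fstab"; return 3; }
    have=$(ctx_opt "$2" "$3") || { echo "$3: not mounted"; return 2; }
    # Compare the type field only; the kernel may append an MLS level.
    want_t=$(printf '%s\n' "$want" | cut -d: -f3)
    have_t=$(printf '%s\n' "$have" | cut -d: -f3)
    if [ "$want_t" = "$have_t" ]; then
        echo "$3: context mount active ($have)"; return 0
    fi
    echo "$3: wanted type $want_t, mount has '${have:-no context=}'"; return 1
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# fstab entry as suggested in the thread.
echo '/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2' \
    > "$SAMPLE_DIR/fstab"
# Constructed: mounted before the option was added, then after umount + mount.
echo '/dev/sda1 /AV fuseblk rw,nosuid,nodev,allow_other,blksize=4096 0 0' \
    > "$SAMPLE_DIR/mounts.stale"
echo '/dev/sda1 /AV fuseblk rw,context=system_u:object_r:samba_share_t:s0,allow_other 0 0' \
    > "$SAMPLE_DIR/mounts.remounted"

check_context_mount "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/mounts.stale" /AV || true
check_context_mount "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/mounts.remounted" /AV || true
```

On a live system the second argument would be /proc/mounts and the first /etc/fstab.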