Stephen Smalley wrote:
|On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
|> Daniel B. Thurman wrote:
|> |Stephen Smalley
|> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> ||> Stephen Smalley wrote:
|> ||> >> Daniel B. Thurman wrote:
|> ||> >> I am not sure what is going on. I am unable to get
|> ||> >> samba shares to work for an NTFS filesystem. I do
|> ||> >> have several shares working for ext3 filesystems.
|> ||> >>
|> ||> >> Here is what I did:
|> ||> >>
|> ||> >> 1) Create an empty directory: /AV
|> ||> >> 2) chcon -t samba_share_t /AV
|> ||> >> 3) chmod 775 !$
|> ||> >> 4) chgrp avusers !$
|> ||> >> 5) Add to fstab
|> ||> >>    /dev/sda1 /AV ntfs defaults 1 2
|> | [snipped!]
|> ||
|> ||It is just another mount option, so you can just do something like:
|> ||/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
|> |
|> |Yes, I thought so. I tried that and the context does not
|> |change. Any ideas?
|>
|> Mounting an NTFS filesystem even with context options,
|> the context always remains as fusefs_t. I am allowed
|> to change the context on the directory before the mount,
|> but not after the mount. After mounting, I am not allowed
|> to chcon the mounted FS as it says that the Operation is
|> not allowed.
|
|Can you confirm that if you umount /AV and then mount it with the
|context= option that it really doesn't work for you? You do have to
|umount it though if you previously mounted it w/o the context option to
|make the option take effect.

Yes, I can confirm that adding context= to the option line in
/etc/fstab does not seem to do anything, i.e. the context does
not change and remains fusefs_t. I tried several times, and even
tried the fscontext= as well, neither seems to work. I was forced
to reboot sometimes since I was not at times able to unmount the
/AV filesystem, it sometimes reports that the /AV filesystem was
'busy'. This seems to happen if I mount/unmount several times then
it says 'busy', preventing me from unmounting. Hmm.

|I'm not sure why a context mount option wouldn't work for fuse - Eric?
|
|fuse itself won't let you chcon (setxattr) the files unless the
|filesystem supports setxattr, which is why you get Operation not
|supported there.
|
|> I even tried: setsebool -P samba_export_all_rw=1 and that
|> does not work, either.
|>
|> If I setenforce 0, I can share the NTFS filesystem, but I
|> really do not want to do this. Can someone please give me
|> a workaround?
|
|You can certainly generate a local policy module that gives access to
|fusefs_t, but it would be better if we could get the context mount
|option to work.

I will try anything you suggest. Let me know if you can resolve
this issue, otherwise let me know (in detail) how to write a policy
as a last resort?

Thanks much!
Dan