Daniel B. Thurman wrote:
> Stephen Smalley wrote:
> |On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
> |> Daniel B. Thurman wrote:
> |> |Stephen Smalley
> |> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
> |> ||> Stephen Smalley wrote:
> |> ||> >> Daniel B. Thurman wrote:
> |> ||> >> I am not sure what is going on. I am unable to get
> |> ||> >> samba shares to work for an NTFS filesystem. I do
> |> ||> >> have several shares working for ext3 filesystems.
> |> ||> >>
> |> ||> >> Here is what I did:
> |> ||> >>
> |> ||> >> 1) Create an empty directory: /AV
> |> ||> >> 2) chcon -t samba_share_t /AV
> |> ||> >> 3) chmod 775 !$
> |> ||> >> 4) chgrp avusers !$
> |> ||> >> 5) Add to fstab
> |> ||> >>    /dev/sda1 /AV ntfs defaults 1 2
> |> | [snipped!]
> |> ||
> |> ||It is just another mount option, so you can just do something like:
> |> ||/dev/sda1 /AV ntfs
> |> |defaults,context=system_u:object_r:samba_share_t 1 2
> |> |
> |> |Yes, I thought so. I tried that and the context does not
> |> |change. Any ideas?
> |>
> |> Mounting an NTFS filesystem even with context options,
> |> the context always remains as fusefs_t. I am allowed
> |> to change the context on the directory before the mount,
> |> but not after the mount. After mounting, I am not allowed
> |> to chcon the mounted FS as it says that the Operation is
> |> not allowed.
> |
> |Can you confirm that if you umount /AV and then mount it with the
> |context= option that it really doesn't work for you? You do have to
> |umount it though if you previously mounted it w/o the context option to
> |make the option take effect.
>
> Yes, I can confirm that adding context= to the option line
> in /etc/fstab does not seem to do anything, i.e. the context
> does not change and remains fusefs_t. I tried several times,
> and even tried the fscontext= as well, neither seems to work.
>
> I was forced to reboot sometimes since I was not at times
> able to unmount the /AV filesystem, it sometimes reports
> that the /AV filesystem was 'busy'. This seems to happen
> if I mount/unmount several times then it says 'busy',
> preventing me from unmounting. Hmm.
>
> |I'm not sure why a context mount option wouldn't work for fuse - Eric?
> |
> |fuse itself won't let you chcon (setxattr) the files unless the
> |filesystem supports setxattr, which is why you get Operation not
> |supported there.
> |
> |> I even tried: setsebool -P samba_export_all_rw=1 and that
> |> does not work, either.
> |>
> |> If I setenforce 0, I can share the NTFS filesystem, but I
> |> really do not want to do this. Can someone please give me
> |> a workaround?
> |
> |You can certainly generate a local policy module that gives access to
> |fusefs_t, but it would be better if we could get the context mount
> |option to work.
>
> I will try anything you suggest. Let me know if you can
> resolve this issue, otherwise let me know (in detail) how
> to write a policy as a last resort?
>
> Thanks much!
> Dan

This looks like a bug. If you are using Fedora 9 policy, it has a boolean
samba_share_fusefs.
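
An added example, not part of the thread and not audit2allow's own code: if the local policy module mentioned above is the route taken, the rules it needs come from the AVC denials logged when smbd touches the fusefs_t-labeled share. The sketch below extracts them from constructed sample audit lines; the log lines, the function names, and the assumption that smbd runs in the smbd_t domain are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread): smbd denied on a
# fuse-mounted NTFS share labeled fusefs_t, plus one unrelated denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1210700000.101:51): avc:  denied  { search } for  pid=2101 comm="smbd" name="/" dev=sda1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1210700000.102:52): avc:  denied  { read } for  pid=2101 comm="smbd" name="/" dev=sda1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1210700000.105:53): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/AV/clip.avi" dev=sda1 ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1210700000.200:54): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev=sda2 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field (third) of user:role:type[:level]."""
    return context.split(":")[2]

def denied_access(log_text, source_type="smbd_t", target_type="fusefs_t"):
    """Collect denied permissions per object class for one source/target pair."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if (context_type(m["scon"]), context_type(m["tcon"])) != (source_type, target_type):
            continue
        denied[m["tclass"]].update(m["perms"].split())
    return {cls: sorted(perms) for cls, perms in denied.items()}

def allow_rules(denied, source_type="smbd_t", target_type="fusefs_t"):
    """Render the denials as allow rules for a local policy module."""
    return [
        f"allow {source_type} {target_type}:{cls} {{ {' '.join(perms)} }};"
        for cls, perms in sorted(denied.items())
    ]

if __name__ == "__main__":
    for rule in allow_rules(denied_access(SAMPLE_LOG)):
        print(rule)
```

Review the resulting rules before loading them: they grant smbd access to every fusefs_t-labeled filesystem on the host, not only /AV.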