Daniel J Walsh
|Daniel B. Thurman wrote:
|> Stephen Smalley wrote:
|> |On Tue, 2008-05-13 at 10:27 -0700, Daniel B. Thurman wrote:
|> |> Daniel B. Thurman wrote:
|> |> |Stephen Smalley
|> |> ||On Tue, 2008-05-13 at 08:12 -0700, Daniel B. Thurman wrote:
|> |> ||> Stephen Smalley wrote:
|> |> ||> >> Daniel B. Thurman wrote:
|> |> ||> >> I am not sure what is going on. I am unable to get
|> |> ||> >> samba shares to work for an NTFS filesystem. I do
|> |> ||> >> have several shares working for ext3 filesystems.
|> |> ||> >>
|> |> ||> >> Here is what I did:
|> |> ||> >>
|> |> ||> >> 1) Create an empty directory: /AV
|> |> ||> >> 2) chcon -t samba_share_t /AV
|> |> ||> >> 3) chmod 775 !$
|> |> ||> >> 4) chgrp avusers !$
|> |> ||> >> 5) Add to fstab
|> |> ||> >>    /dev/sda1 /AV ntfs defaults 1 2
|> |> | [snipped!]
|> |> ||
|> |> ||It is just another mount option, so you can just do something like:
|> |> ||/dev/sda1 /AV ntfs defaults,context=system_u:object_r:samba_share_t 1 2
|> |> |
|> |> |Yes, I thought so. I tried that and the context does not
|> |> |change. Any ideas?
|> |>
|> |> Mounting an NTFS filesystem even with context options,
|> |> the context always remains as fusefs_t. I am allowed
|> |> to change the context on the directory before the mount,
|> |> but not after the mount. After mounting, I am not allowed
|> |> to chcon the mounted FS as it says that the Operation is
|> |> not allowed.
|> |
|> |Can you confirm that if you umount /AV and then mount it with the
|> |context= option that it really doesn't work for you? You do have to
|> |umount it though if you previously mounted it w/o the context option to
|> |make the option take effect.
|>
|> Yes, I can confirm that adding context= to the option line
|> in /etc/fstab does not seem to do anything, i.e. the context
|> does not change and remains fusefs_t. I tried several times,
|> and even tried the fscontext= as well, neither seems to work.
|>
|> I was forced to reboot sometimes since I was not at times
|> able to unmount the /AV filesystem, it sometimes reports
|> that the /AV filesystem was 'busy'. This seems to happen
|> if I mount/unmount several times then it says 'busy',
|> preventing me from unmounting. Hmm.
|>
|> |I'm not sure why a context mount option wouldn't work for fuse - Eric?
|> |
|> |fuse itself won't let you chcon (setxattr) the files unless the
|> |filesystem supports setxattr, which is why you get Operation not
|> |supported there.
|> |
|> |> I even tried: setsebool -P samba_export_all_rw=1 and that
|> |> does not work, either.
|> |>
|> |> If I setenforce 0, I can share the NTFS filesystem, but I
|> |> really do not want to do this. Can someone please give me
|> |> a workaround?
|> |
|> |You can certainly generate a local policy module that gives access to
|> |fusefs_t, but it would be better if we could get the context mount
|> |option to work.
|>
|> I will try anything you suggest. Let me know if you can
|> resolve this issue, otherwise let me know (in detail) how
|> to write a policy as a last resort?
|>
|> Thanks much!
|> Dan
|This looks like a bug.

Seems so.

Also, I tried disabling the fuse service and rebooted and
for some reason, the fusefs still runs? It still mounts
/media files even when this service is so-called disabled?

I went back to look to see if the service was running (it wasn't)
and even tried ps -ef| grep fuse (finding no match), so why is fuse
filesystem still running? Is that a major bug or is it that the
fuse service has no relation to the fusefs?

Well, can I have a policy work around or will it fail anyway due to fuse?

BTW: I am running Fedora F8.

Thanks!
Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
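
The thread asks how to write the local policy module mentioned above. The following is an added example, not code from the thread or from any poster: it collects AVC denials for one source/target type pair and renders only those rules as `.te` source. The audit records are constructed samples, the module name `localsmbfuse` is hypothetical, and `smbd_t` as the Samba daemon's domain is an assumption about the running policy.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1210700001.101:41): avc:  denied  { search } for  pid=2301 comm="smbd" name="/" dev=sda1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1210700001.105:42): avc:  denied  { getattr } for  pid=2301 comm="smbd" path="/AV" dev=sda1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1210700002.310:43): avc:  denied  { read } for  pid=2301 comm="smbd" name="clip.avi" dev=sda1 ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1210700003.000:44): avc:  denied  { read } for  pid=990 comm="httpd" name="index.html" dev=dm-0 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\w+)")

def type_of(context):
    """A context is user:role:type[:level]; return the type field or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def collect_denials(log_text, source_type, target_type):
    """Return {tclass: set(perms)} for denials of source_type on target_type."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and (type_of(m["s"]), type_of(m["t"])) == (source_type, target_type):
            wanted[m["c"]].update(m["perms"].split())
    return dict(wanted)

def render_module(name, source_type, target_type, denials):
    """Render local policy module source holding only the collected rules."""
    perms = {c: " ".join(sorted(p)) for c, p in sorted(denials.items())}
    out = [f"module {name} 1.0;", "", "require {",
           f"\ttype {source_type};", f"\ttype {target_type};"]
    out += [f"\tclass {c} {{ {p} }};" for c, p in perms.items()]
    out += ["}", ""]
    out += [f"allow {source_type} {target_type}:{c} {{ {p} }};"
            for c, p in perms.items()]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    found = collect_denials(SAMPLE_LOG, "smbd_t", "fusefs_t")
    print(render_module("localsmbfuse", "smbd_t", "fusefs_t", found))
```

Rules written against `fusefs_t` apply to every filesystem carrying that label, not only to /AV, which is the cost of this workaround compared with a working `context=` mount option.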