On Wed, 2008-05-14 at 09:23 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Daniel B. Thurman wrote:
> | Stephen Smalley
> | |Daniel B. Thurman wrote:
> | |> |You can certainly generate a local policy module that gives
> | |> |access to fusefs_t, but it would be better if we could get
> | |> |the context mount option to work.
> | |>
> | |> I will try anything you suggest. Let me know if you can
> | |> resolve this issue, otherwise let me know (in detail) how
> | |> to write a policy as a last resort?
> | |
> | |To generate local policy for this issue, you'd do something like this:
> | |
> | |$ su -
> | |# ausearch -m AVC | grep fuse | audit2allow -M myfuse
> | |# semodule -i myfuse.pp
> | |
> | |Then the fuse-related denials should be allowed.
> |
> | Uh, almost. It still will not allow me to chmod or chgrp
> | the mounted filesystem which means that I cannot write to
> | the shared NTFS filesystem without assigning the proper
> | permissions. I have set samba properties to allow writes
> | but apparently this problem resides with fuse again. Grr.
> |
> | What can I do to allow samba shared writes?
> |
> | Thanks!
> | Dan
> Look for additional AVC's with ausearch
>
> You can run the above command another time.
>
> You can put the machine into permissive mode and gather all of the AVC
> messages
>
> setenforce 0
> Run your test
> ausearch -m AVC | grep fuse | audit2allow -M myfuse
> semodule -i myfuse.pp
> setenforce 1

Is he really encountering permission denials from SELinux, or are these
denials from fuse? fuse does have special restrictions imposed on it
that wouldn't apply to the native ntfs support.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
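
One way to check the question raised in the reply above, as an added example that is not part of the original thread: list what SELinux actually denied on `fusefs_t` objects and test whether `setattr` (the permission checked for chmod/chgrp) is among them. The function names are hypothetical and the AVC records are constructed sample data.

```shell
#!/bin/sh
# Constructed sample AVC records (not taken from the thread). On a real
# host the input would be the output of: ausearch -m AVC
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1210771401.101:311): avc:  denied  { getattr } for  pid=2817 comm="smbd" path="/mnt/ntfs" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1210771402.220:312): avc:  denied  { read write } for  pid=2817 comm="smbd" name="report.doc" dev=sdb1 ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1210771410.007:313): avc:  denied  { name_bind } for  pid=2901 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
EOF
}

# Read AVC records on stdin and print "source_type class permission",
# one line per distinct denial whose target type is fusefs_t.
fuse_denials() {
    grep 'avc: *denied' | grep 'tcontext=[^ ]*:fusefs_t' |
    awk '{
        # Isolate the permission list between the braces.
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        src = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> third field is the type
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, cls, p[j]
    }' | sort -u
}

# Succeeds only if SELinux logged a setattr denial on a fusefs_t object.
selinux_blocks_setattr() {
    fuse_denials | grep -q ' setattr$'
}

sample_avc | fuse_denials
if sample_avc | selinux_blocks_setattr; then
    echo "SELinux logged a setattr denial on fusefs_t"
else
    echo "no setattr denial on fusefs_t in these records"
fi
```

On a live system, feed the functions from `ausearch -m AVC` as in the thread. If the chmod still fails with `setenforce 0` and no `setattr` denial is listed, the refusal is coming from somewhere other than SELinux.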