max bianco wrote:
> On Sat, Jul 26, 2008 at 2:25 PM, Steve Blackwell <zephod@xxxxxxxxxx> wrote:
>>> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod@xxxxxxxxxx>
>>> wrote:
>>>> I've been out of town for a few days but there were no new postings
>>>> while I was away and I still don't have a solution for this.
>>>>
>>> Might I suggest posting the AVC's so that everyone can see what is
>>> going on.
>> I'm going to give it one more day and after that I'm going to have to
>> turn selinux off.
>>
> This seems a bit extreme. Have you tried looking at the tools
> available to help you?
> audit2why and audit2allow
> I have used these in the past to help me resolve my issues. It would
> help if you could say you had tried these, if you could at least show
> the output they provide you. I will help you as much as I can because
> I am interested in learning more, getting others to help is usually
> easier if they can see you are trying to resolve it yourself rather
> than relying on them to just provide an easy answer which incidentally
> will teach you nothing.
>
>> This is from audit.log:
>>
>> type=AVC msg=audit(1217030414.315:34): avc: denied { read } for
>> pid=7099 comm="smbd" name="/" dev=sdb1 ino=5
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
>>
> This says that smbd is being denied the read permission for files of
> the type fusefs
> the _t is a convention that says "This is a type"
>
> So you need a rule that allows smbd_t to read fusefs_t.
> So try something like this:
>
> ausearch -a 34 | audit2allow
>
> what this will do is search the audit log for all the AVC's related to
> this particular instance of smbd attempting its read access and feed
> them to audit2allow. Audit2allow will generate some rule(s) based on
> these AVC's. It doesn't mean you should blindly implement them but if
> you can show the output, it can help in the process of fixing the
> denial, if nothing else it will show the more experienced hands that
> you have used the tools provided to at least try. You could substitute
> audit2why in place of audit2allow and it will attempt to explain what
> caused the denial. Can you post this to the list?
>
> -Max
>

Sorry I was away at OLS last week and am just getting back through the
emails.

What OS are you running?

samba_share_fusefs is a boolean in Fedora 9 and Rawhide that allows the
sharing of fusefs file systems in samba with selinux.

setsebool -P samba_share_fusefs 1

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
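
An added example, not part of the original posts and not audit2allow's own code: a small Python parser for the AVC record quoted in the thread, showing which fields carry the event id, source type, target type, class and permission, and the form of allow rule those fields imply. The function names are hypothetical, and the sample is the thread's record joined onto one line.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE = ('type=AVC msg=audit(1217030414.315:34): avc: denied { read } for '
          'pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 '
          'scontext=system_u:system_r:smbd_t:s0 '
          'tcontext=system_u:object_r:fusefs_t:s0 tclass=dir')

# Header: timestamp, event id (the number given to "ausearch -a"), result, permissions.
AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<event>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm, name).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not a usable AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['event'] = int(m.group('event'))
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the level can itself contain
    # colons (for example s0-s0:c0.c1023), so split at most three times.
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':', 3)
        if len(parts) < 3:
            return None
        rec[side[0] + 'type'] = parts[2]   # stored as 'stype' / 'ttype'
    if 'tclass' not in rec or not rec['perms']:
        return None
    return rec


def candidate_rule(rec):
    """Render the type-enforcement rule the denial implies, for review only."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"


if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['event'], rec['comm'], rec['result'], rec['perms'])
    print(candidate_rule(rec))
```

The printed rule is a candidate to review, as the quoted advice says; the reply above names the samba_share_fusefs boolean as the switch for this case on Fedora 9 and Rawhide.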