Linux Archive


Steve Blackwell 07-21-2008 02:50 PM

Can't export samba share
 
I have a dual boot F8/XP machine and I want to export, via samba, the
NTFS partition so that I can use it to back up my wife's Vista machine.
It seems that selinux is preventing this from happening. Here is the
summary message from setroubleshoot:

SELinux is preventing the samba daemon from serving r/o local files to
remote clients.

and the Allowing Access section says:

If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
following command will allow this access:setsebool -P
samba_export_all_ro=1

There seems to be 2 problems here; 1) The filesystem that I'm trying to
export is read-write not read-only and 2) I have already set
samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
even set samba_run_unconfined=1 and I still get the same messages.

Here is the filesystem I'm trying to export:

# cat /etc/fstab | grep ntfs
/dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0

# ls -lZ /mnt
drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive

Here is the /etc/samba/smb.conf stanza:
[Kellie]
comment = Winblows backup
path = /mnt/c_drive
writable = yes
browseable = yes
valid users = Kellie

User Kellie can see the Kellie share from her Vista computer but
whenever she tries to use it, I get an AVC.

# rpm -qa | grep selinux
libselinux-python-2.0.43-1.fc8
selinux-policy-devel-3.0.8-109.fc8
libselinux-devel-2.0.43-1.fc8
selinux-policy-3.0.8-109.fc8
libselinux-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-109.fc8

# uname -sr
Linux 2.6.25.10-47.fc8

I suppose I could go back to permissive mode but I'd like to get this
to work.

Any suggestion?
Thanks,
Steve

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Murray McAllister 07-21-2008 10:39 PM

Can't export samba share
 
Steve Blackwell wrote:
> I have a dual boot F8/XP machine and I want to export, via samba, the
> NTFS partition so that I can use it to back up my wife's Vista machine.
> It seems that selinux is preventing this from happening. Here is the
> summary message from setroubleshoot:
>
> SELinux is preventing the samba daemon from serving r/o local files to
> remote clients.
>
> and the Allowing Access section says:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
> following command will allow this access:setsebool -P
> samba_export_all_ro=1
>
> There seems to be 2 problems here; 1) The filesystem that I'm trying to
> export is read-write not read-only and 2) I have already set
> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
> even set samba_run_unconfined=1 and I still get the same messages.
>
> Here is the filesystem I'm trying to export:
>
> # cat /etc/fstab | grep ntfs
> /dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0
>
> # ls -lZ /mnt
> drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive
>
> Here is the /etc/samba/smb.conf stanza:
> [Kellie]
> comment = Winblows backup
> path = /mnt/c_drive
> writable = yes
> browseable = yes
> valid users = Kellie
>
> User Kellie can see the Kellie share from her Vista computer but
> whenever she tries to use it, I get an AVC.
>
> # rpm -qa | grep selinux
> libselinux-python-2.0.43-1.fc8
> selinux-policy-devel-3.0.8-109.fc8
> libselinux-devel-2.0.43-1.fc8
> selinux-policy-3.0.8-109.fc8
> libselinux-2.0.43-1.fc8
> selinux-policy-targeted-3.0.8-109.fc8
>
> # uname -sr
> Linux 2.6.25.10-47.fc8
>
> I suppose I could go back to permissive mode but I'd like to get this
> to work.
>
> Any suggestion?
> Thanks,
> Steve


If you're still having problems,
<http://danwalsh.livejournal.com/14195.html> on "Confining Samba with
SELinux" might help.


Cheers.


Steve 07-22-2008 02:12 AM

Can't export samba share
 
---- Murray McAllister <mmcallis@redhat.com> wrote:
> Steve Blackwell wrote:
> > I have a dual boot F8/XP machine and I want to export, via samba, the
> > NTFS partition so that I can use it to back up my wife's Vista machine.
> > It seems that selinux is preventing this from happening. Here is the
> > summary message from setroubleshoot:
> >
> > SELinux is preventing the samba daemon from serving r/o local files to
> > remote clients.

...

>
> If you're still having problems,
> <http://danwalsh.livejournal.com/14195.html> on "Confining Samba with
> SELinux" might help.
>
Thanks for the link but I didn't learn anything new from that.

Steve


Steve Blackwell 07-25-2008 11:27 PM

Can't export samba share
 
I've been out of town for a few days but there were no new postings
while I was away and I still don't have a solution for this.

Steve Blackwell wrote:
> I have a dual boot F8/XP machine and I want to export, via samba, the
> NTFS partition so that I can use it to back up my wife's Vista
> machine. It seems that selinux is preventing this from happening.
> Here is the summary message from setroubleshoot:
>
> SELinux is preventing the samba daemon from serving r/o local files
> to remote clients.
>
> and the Allowing Access section says:
>
> If you want to export file systems using samba you need to turn on
> the samba_export_all_ro boolean: "setsebool -P
> samba_export_all_ro=1". The following command will allow this
> access:setsebool -P samba_export_all_ro=1
>
> There seems to be 2 problems here; 1) The filesystem that I'm trying
> to export is read-write not read-only and 2) I have already set
> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
> even set samba_run_unconfined=1 and I still get the same messages.
>
> Here is the filesystem I'm trying to export:
>
> # cat /etc/fstab | grep ntfs
> /dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0
>
> # ls -lZ /mnt
> drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive
>
> Here is the /etc/samba/smb.conf stanza:
> [Kellie]
> comment = Winblows backup
> path = /mnt/c_drive
> writable = yes
> browseable = yes
> valid users = Kellie
>
> User Kellie can see the Kellie share from her Vista computer but
> whenever she tries to use it, I get an AVC.
>
> # rpm -qa | grep selinux
> libselinux-python-2.0.43-1.fc8
> selinux-policy-devel-3.0.8-109.fc8
> libselinux-devel-2.0.43-1.fc8
> selinux-policy-3.0.8-109.fc8
> libselinux-2.0.43-1.fc8
> selinux-policy-targeted-3.0.8-109.fc8
>
> # uname -sr
> Linux 2.6.25.10-47.fc8
>
> I suppose I could go back to permissive mode but I'd like to get this
> to work.
>
> Any suggestion?
> Thanks,
> Steve


Steve Blackwell 07-26-2008 06:25 PM

Can't export samba share
 
> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod@cfl.rr.com>
> wrote:
>> I've been out of town for a few days but there were no new postings
>> while I was away and I still don't have a solution for this.
>>
>
> Might I suggest posting the AVC's so that everyone can see what is
> going on.

I'm going to give it one more day and after that I'm going to have to
turn selinux off.

This is from audit.log:

type=AVC msg=audit(1217030414.315:34): avc: denied { read } for
pid=7099 comm="smbd" name="/" dev=sdb1 ino=5
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

type=SYSCALL msg=audit(1217030414.315:34): arch=40000003 syscall=5
success=no exit=-13 a0=b926ff00 a1=98800 a2=379d9c a3=b9293478 items=0
ppid=2649 pid=7099 auid=4294967295 uid=501 gid=0 euid=501 suid=0
fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295
comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0
key=(null)

type=AVC msg=audit(1217030414.317:35): avc: denied { read } for
pid=7099 comm="smbd" name="/" dev=sdb1 ino=5
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

Steve


"max bianco" 07-27-2008 07:38 PM

Can't export samba share
 
On Sat, Jul 26, 2008 at 2:25 PM, Steve Blackwell <zephod@cfl.rr.com> wrote:
>> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod@cfl.rr.com>
>> wrote:
>>> I've been out of town for a few days but there were no new postings
>>> while I was away and I still don't have a solution for this.
>>>
>>
>> Might I suggest posting the AVC's so that everyone can see what is
>> going on.
>
> I'm going to give it one more day and after that I'm going to have to
> turn selinux off.
>
This seems a bit extreme. Have you tried looking at the tools
available to help you?
audit2why and audit2allow
I have used these in the past to help me resolve my issues. It would
help if you could say you had tried these, if you could at least show
the output they provide you. I will help you as much as I can because
I am interested in learning more, getting others to help is usually
easier if they can see you are trying to resolve it yourself rather
than relying on them to just provide an easy answer which incidentally
will teach you nothing.


> This is from audit.log:
>
> type=AVC msg=audit(1217030414.315:34): avc: denied { read } for
> pid=7099 comm="smbd" name="/" dev=sdb1 ino=5
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
>
This says that smbd is being denied the read permission for files of
the type fusefs. The _t is a convention that says "This is a type".

So you need a rule that allows smbd_t to read fusefs_t.
So try something like this:

ausearch -a 34 | audit2allow

What this will do is search the audit log for all the AVC's related to
this particular instance of smbd attempting its read access and feed
them to audit2allow. Audit2allow will generate some rule(s) based on
these AVC's. It doesn't mean you should blindly implement them, but if
you can show the output, it can help in the process of fixing the
denial; if nothing else, it will show the more experienced hands that
you have used the tools provided to at least try. You could substitute
audit2why in place of audit2allow and it will attempt to explain what
caused the denial. Can you post this to the list?

-Max


--
We start decomposing the day we are born
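
The step from the posted denial to a candidate rule, as an added Python example that is not part of any poster's message and is not audit2allow's own code: it reads AVC records, takes the type out of scontext and tcontext, and merges denials into allow rules to review rather than load. The names parse_avc and candidate_rules are hypothetical, and the sample log is constructed from the records posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two AVC records joined onto single lines, as
# audit.log stores them, plus an abridged copy of the SYSCALL record.
SAMPLE_LOG = """\
type=AVC msg=audit(1217030414.315:34): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1217030414.315:34): arch=40000003 syscall=5 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1217030414.317:35): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<event>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["event"] = int(m.group("event"))
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def candidate_rules(log_text):
    """Merge denials by (source, target, class) into allow rules for review."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            merged[key].update(rec["perms"])
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

Both denials collapse into one rule because they share the same source type, target type and class; the class in these records is dir.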


Daniel J Walsh 07-30-2008 06:47 PM

Can't export samba share
 
max bianco wrote:
> On Sat, Jul 26, 2008 at 2:25 PM, Steve Blackwell <zephod@cfl.rr.com> wrote:
>>> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod@cfl.rr.com>
>>> wrote:
>>>> I've been out of town for a few days but there were no new postings
>>>> while I was away and I still don't have a solution for this.
>>>>
>>> Might I suggest posting the AVC's so that everyone can see what is
>>> going on.
>> I'm going to give it one more day and after that I'm going to have to
>> turn selinux off.
>>
> This seems a bit extreme. Have you tried looking at the tools
> available to help you?
> audit2why and audit2allow
> I have used these in the past to help me resolve my issues. It would
> help if you could say you had tried these, if you could at least show
> the output they provide you. I will help you as much as I can because
> I am interested in learning more, getting others to help is usually
> easier if they can see you are trying to resolve it yourself rather
> than relying on them to just provide an easy answer which incidentally
> will teach you nothing.
>
>
>> This is from audit.log:
>>
>> type=AVC msg=audit(1217030414.315:34): avc: denied { read } for
>> pid=7099 comm="smbd" name="/" dev=sdb1 ino=5
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
>>
> This says that smbd is being denied the read permission for files of
> the type fusefs
> the _t is a convention that says "This is a type"
>
> So you need a rule that allows smbd_t to read fusefs_t.
> So try something like this:
>
> ausearch -a 34 | audit2allow
>
> what this will do is search the audit log for all the AVC's related to
> this particular instance of smbd attempting its read access and feed
> them to audit2allow. Audit2allow will generate some rule(s) based on
> these AVC's. It doesn't mean you should blindly implement them but if
> you can show the output , it can help in the process of fixing the
> denial, if nothing else it will show the more experienced hands that
> you have used the tools provided to at least try. You could substitute
> audit2why in place of audit2allow and it will attempt to explain what
> caused the denial. Can you post this to the list?
>
> -Max
>
>
Sorry, I was away at OLS last week and am just getting back through the
emails.

What OS are you running?

samba_share_fusefs is a boolean in Fedora 9 and Rawhide that allows the
sharing of fusefs file systems in samba with selinux.

setsebool -P samba_share_fusefs 1



Steve Blackwell 08-02-2008 05:58 PM

Can't export samba share
 
> Sorry, I was away at OLS last week and am just getting back through the
> emails.
>
> What OS are you running?
>
> samba_share_fusefs is a boolean in Fedora 9 and Rawhide that allows
> the
> sharing of fusefs file systems in samba with selinux.
>
> setsebool -P samba_share_fusefs 1


Dan,

I just noticed your e-mail from Wednesday. Sorry for the delay in
answering.

I'm running F8.

Steve


