Can't export samba share
I have a dual boot F8/XP machine and I want to export, via samba, the
NTFS partition so that I can use it to back up my wife's Vista machine.
It seems that selinux is preventing this from happening. Here is the
summary message from setroubleshoot:

SELinux is preventing the samba daemon from serving r/o local files to
remote clients.

and the Allowing Access section says:

If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
following command will allow this access:setsebool -P
samba_export_all_ro=1

There seems to be 2 problems here; 1) The filesystem that I'm trying to
export is read-write not read-only and 2) I have already set
samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
even set samba_run_unconfined=1 and I still get the same messages.

Here is the filesystem I'm trying to export:

# cat /etc/fstab | grep ntfs
/dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0

# ls -lZ /mnt
drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive

Here is the /etc/samba/smb.conf stanza:
[Kellie]
comment = Winblows backup
path = /mnt/c_drive
writable = yes
browseable = yes
valid users = Kellie

User Kellie can see the Kellie share from her Vista computer but
whenever she tries to use it, I get an AVC.

# rpm -qa | grep selinux
libselinux-python-2.0.43-1.fc8
selinux-policy-devel-3.0.8-109.fc8
libselinux-devel-2.0.43-1.fc8
selinux-policy-3.0.8-109.fc8
libselinux-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-109.fc8

# uname -sr
Linux 2.6.25.10-47.fc8

I suppose I could go back to permissive mode but I'd like to get this
to work.

Any suggestion?

Thanks,
Steve

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Can't export samba share
Steve Blackwell wrote:
> I have a dual boot F8/XP machine and I want to export, via samba, the
> NTFS partition so that I can use it to back up my wife's Vista machine.
> It seems that selinux is preventing this from happening. Here is the
> summary message from setroubleshoot:
>
> SELinux is preventing the samba daemon from serving r/o local files to
> remote clients.
>
> and the Allowing Access section says:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
> following command will allow this access:setsebool -P
> samba_export_all_ro=1
>
> There seems to be 2 problems here; 1) The filesystem that I'm trying to
> export is read-write not read-only and 2) I have already set
> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
> even set samba_run_unconfined=1 and I still get the same messages.
>
> Here is the filesystem I'm trying to export:
>
> # cat /etc/fstab | grep ntfs
> /dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0
>
> # ls -lZ /mnt
> drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive
>
> Here is the /etc/samba/smb.conf stanza:
> [Kellie]
> comment = Winblows backup
> path = /mnt/c_drive
> writable = yes
> browseable = yes
> valid users = Kellie
>
> User Kellie can see the Kellie share from her Vista computer but
> whenever she tries to use it, I get an AVC.
>
> # rpm -qa | grep selinux
> libselinux-python-2.0.43-1.fc8
> selinux-policy-devel-3.0.8-109.fc8
> libselinux-devel-2.0.43-1.fc8
> selinux-policy-3.0.8-109.fc8
> libselinux-2.0.43-1.fc8
> selinux-policy-targeted-3.0.8-109.fc8
>
> # uname -sr
> Linux 2.6.25.10-47.fc8
>
> I suppose I could go back to permissive mode but I'd like to get this
> to work.
>
> Any suggestion?
>
> Thanks,
> Steve

If you're still having problems,
<http://danwalsh.livejournal.com/14195.html> on "Confining Samba with
SELinux" might help.

Cheers.
Can't export samba share
---- Murray McAllister <mmcallis@redhat.com> wrote:
> Steve Blackwell wrote:
> > I have a dual boot F8/XP machine and I want to export, via samba, the
> > NTFS partition so that I can use it to back up my wife's Vista machine.
> > It seems that selinux is preventing this from happening. Here is the
> > summary message from setroubleshoot:
> >
> > SELinux is preventing the samba daemon from serving r/o local files to
> > remote clients.
...
>
> If you're still having problems,
> <http://danwalsh.livejournal.com/14195.html> on "Confining Samba with
> SELinux" might help.
>

Thanks for the link but I didn't learn anything new from that.

Steve
Can't export samba share
I've been out of town for a few days but there were no new postings
while I was away and I still don't have a solution for this.

Steve Blackwell wrote:
> I have a dual boot F8/XP machine and I want to export, via samba, the
> NTFS partition so that I can use it to back up my wife's Vista
> machine. It seems that selinux is preventing this from happening.
> Here is the summary message from setroubleshoot:
>
> SELinux is preventing the samba daemon from serving r/o local files
> to remote clients.
>
> and the Allowing Access section says:
>
> If you want to export file systems using samba you need to turn on
> the samba_export_all_ro boolean: "setsebool -P
> samba_export_all_ro=1". The following command will allow this
> access:setsebool -P samba_export_all_ro=1
>
> There seems to be 2 problems here; 1) The filesystem that I'm trying
> to export is read-write not read-only and 2) I have already set
> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
> even set samba_run_unconfined=1 and I still get the same messages.
>
> Here is the filesystem I'm trying to export:
>
> # cat /etc/fstab | grep ntfs
> /dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0
>
> # ls -lZ /mnt
> drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive
>
> Here is the /etc/samba/smb.conf stanza:
> [Kellie]
> comment = Winblows backup
> path = /mnt/c_drive
> writable = yes
> browseable = yes
> valid users = Kellie
>
> User Kellie can see the Kellie share from her Vista computer but
> whenever she tries to use it, I get an AVC.
>
> # rpm -qa | grep selinux
> libselinux-python-2.0.43-1.fc8
> selinux-policy-devel-3.0.8-109.fc8
> libselinux-devel-2.0.43-1.fc8
> selinux-policy-3.0.8-109.fc8
> libselinux-2.0.43-1.fc8
> selinux-policy-targeted-3.0.8-109.fc8
>
> # uname -sr
> Linux 2.6.25.10-47.fc8
>
> I suppose I could go back to permissive mode but I'd like to get this
> to work.
>
> Any suggestion?
> Thanks,
> Steve
Can't export samba share
> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod@cfl.rr.com>
> wrote:
>> I've been out of town for a few days but there were no new postings
>> while I was away and I still don't have a solution for this.
>>
>
> Might I suggest posting the AVC's so that everyone can see what is
> going on.

I'm going to give it one more day and after that I'm going to have to
turn selinux off.

This is from audit.log:

type=AVC msg=audit(1217030414.315:34): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1217030414.315:34): arch=40000003 syscall=5 success=no exit=-13 a0=b926ff00 a1=98800 a2=379d9c a3=b9293478 items=0 ppid=2649 pid=7099 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1217030414.317:35): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

Steve
Can't export samba share
On Sat, Jul 26, 2008 at 2:25 PM, Steve Blackwell <zephod@cfl.rr.com> wrote:
>> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod@cfl.rr.com>
>> wrote:
>>> I've been out of town for a few days but there were no new postings
>>> while I was away and I still don't have a solution for this.
>>>
>>
>> Might I suggest posting the AVC's so that everyone can see what is
>> going on.
>
> I'm going to give it one more day and after that I'm going to have to
> turn selinux off.
>
This seems a bit extreme. Have you tried looking at the tools
available to help you?
audit2why and audit2allow
I have used these in the past to help me resolve my issues. It would
help if you could say you had tried these, if you could at least show
the output they provide you. I will help you as much as I can because
I am interested in learning more, getting others to help is usually
easier if they can see you are trying to resolve it yourself rather
than relying on them to just provide an easy answer which incidentally
will teach you nothing.

> This is from audit.log:
>
> type=AVC msg=audit(1217030414.315:34): avc: denied { read } for
> pid=7099 comm="smbd" name="/" dev=sdb1 ino=5
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
>
This says that smbd is being denied the read permission for files of
the type fusefs
the _t is a convention that says "This is a type"

So you need a rule that allows smbd_t to read fusefs_t.
So try something like this:

ausearch -a 34 | audit2allow

what this will do is search the audit log for all the AVC's related to
this particular instance of smbd attempting its read access and feed
them to audit2allow. Audit2allow will generate some rule(s) based on
these AVC's. It doesn't mean you should blindly implement them but if
you can show the output, it can help in the process of fixing the
denial, if nothing else it will show the more experienced hands that
you have used the tools provided to at least try. You could substitute
audit2why in place of audit2allow and it will attempt to explain what
caused the denial. Can you post this to the list?

-Max

--
We start decomposing the day we are born
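Added example (not part of the thread, and not audit2allow's own code): a small Python parser that reads the AVC records Steve posted, extracts the source type, target type, class and permission from each, and collapses them into a candidate allow rule in the style audit2allow prints. The function names are made up for this example, and the SYSCALL record is abridged.

```python
import re
from collections import defaultdict

# AVC records copied from the audit.log excerpt in the thread (SYSCALL record abridged).
AUDIT_LOG = '''\
type=AVC msg=audit(1217030414.315:34): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1217030414.315:34): arch=40000003 syscall=5 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1217030414.317:35): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def type_of(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(':')[2]

def parse_avcs(log_text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d['perms'] = d['perms'].split()
            d['serial'] = int(d['serial'])
            denials.append(d)
    return denials

def candidate_rules(denials):
    """Collapse denials into de-duplicated allow rules (audit2allow-style text)."""
    merged = defaultdict(set)
    for d in denials:
        key = (type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])
        merged[key].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    for rule in candidate_rules(parse_avcs(AUDIT_LOG)):
        print(rule)
```

Both denials in the excerpt reduce to the same source type, target type and class, so the output is a single rule to review rather than load as-is.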
Can't export samba share
max bianco wrote:
> On Sat, Jul 26, 2008 at 2:25 PM, Steve Blackwell <zephod@cfl.rr.com> wrote:
>>> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod@cfl.rr.com>
>>> wrote:
>>>> I've been out of town for a few days but there were no new postings
>>>> while I was away and I still don't have a solution for this.
>>>>
>>> Might I suggest posting the AVC's so that everyone can see what is
>>> going on.
>> I'm going to give it one more day and after that I'm going to have to
>> turn selinux off.
>>
> This seems a bit extreme. Have you tried looking at the tools
> available to help you?
> audit2why and audit2allow
> I have used these in the past to help me resolve my issues. It would
> help if you could say you had tried these, if you could at least show
> the output they provide you. I will help you as much as I can because
> I am interested in learning more, getting others to help is usually
> easier if they can see you are trying to resolve it yourself rather
> than relying on them to just provide an easy answer which incidentally
> will teach you nothing.
>
>
>> This is from audit.log:
>>
>> type=AVC msg=audit(1217030414.315:34): avc: denied { read } for
>> pid=7099 comm="smbd" name="/" dev=sdb1 ino=5
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
>>
> This says that smbd is being denied the read permission for files of
> the type fusefs
> the _t is a convention that says "This is a type"
>
> So you need a rule that allows smbd_t to read fusefs_t.
> So try something like this:
>
> ausearch -a 34 | audit2allow
>
> what this will do is search the audit log for all the AVC's related to
> this particular instance of smbd attempting its read access and feed
> them to audit2allow. Audit2allow will generate some rule(s) based on
> these AVC's. It doesn't mean you should blindly implement them but if
> you can show the output, it can help in the process of fixing the
> denial, if nothing else it will show the more experienced hands that
> you have used the tools provided to at least try. You could substitute
> audit2why in place of audit2allow and it will attempt to explain what
> caused the denial. Can you post this to the list?
>
> -Max
>
>

Sorry I was away at OLS last week and am just getting back through the
emails.

What OS are you running?

samba_share_fusefs is a boolean in Fedora 9 and Rawhide that allows the
sharing of fusefs file systems in samba with selinux.

setsebool -P samba_share_fusefs 1
Can't export samba share
> Sorry I was away at OLS last week and am just getting back through the
> emails.
>
> What OS are you running?
>
> samba_share_fusefs is a boolean in Fedora 9 and Rawhide that allows
> the sharing of fusefs file systems in samba with selinux.
>
> setsebool -P samba_share_fusefs 1

Dan,
I just noticed your e-mail from Wednesday. Sorry for the delay in
answering. I'm running F8.

Steve