FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 12-13-2007, 04:29 AM
Petteri Kautonen
 
Default SELinux prevents Samba from sharing NTFS mounts.

Hi,

I have F8 and every time to I try to access remotely or locally NTFS
filesystems that shared via Samba I get a warning (at the end of this
mesage) from SELinux troubleshooter and can't access the share.

I have tried to mount the filesystem with different context's but none
of them seem to do anything. The shares worked with previous version of
Fedora (F7). I have tried to mount the NTFS volume doing the following
to change it context:

* mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
context=system_u:system_r:smbd_t

* mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
context=system_ubject_r:smbd_t

* mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
fscontext=system_ubject_r:samba_share_t

and various other mount options such as defcontext= and changed the
context=, fscontext=, and defcontext= parameter values.

But the context stays the same (ls --lcontext):

drwxrwxrwx* 1 system_ubject_r:fusefs_t****** root root 12288
2007-12-12 21:13 petteri-c



So how I am going tho get SELinux to allow Samba to share mounted NTFS
filesystem? (Sorry about the newbie question and possibly bad
english).

SELinux is enforcing/targetted and all the booleans that refer to smbd
are checked allow from SELinux Administration.



Summary

*** SELinux is preventing samba (smbd) "read" to <Unknown>
(fusefs_t).



Detailed Description

*** SELinux denied samba access to <Unknown>. If you want to
share this

*** directory with samba it has to have a file context label of
samba_share_t.

*** If you did not intend to use <Unknown> as a samba repository
it could

*** indicate either a bug or it could signal a intrusion attempt.



Allowing Access

*** You can alter the file context by executing chcon -R -t
samba_share_t

*** <Unknown> You must also change the default file context files
on the system

*** in order to preserve them even on a full relabel.* "semanage
fcontext -a -t

*** samba_share_t <Unknown>"



*** The following command will allow this access:

*** chcon -R -t samba_share_t <Unknown>



Additional Information*******



Source Context*************** system_u:system_r:smbd_t

Target Context*************** system_ubject_r:fusefs_t

Target Objects*************** None [ dir ]

Affected RPM Packages********

Policy RPM******************* selinux-policy-3.0.8-64.fc8

Selinux Enabled************** True

Policy Type****************** targeted

MLS Enabled****************** True

Enforcing Mode*************** Enforcing

Plugin Name****************** plugins.samba_share

Host Name******************** petteri

Platform********************* Linux petteri 2.6.23.8-63.fc8 #1 SMP Wed
Nov 21

***************************** 18:51:08 EST 2007 i686 athlon

Alert Count****************** 126

First Seen******************* ke 14. marraskuuta 2007 15:57:05

Last Seen******************** to 13. joulukuuta 2007 07:13:17

Local ID********************* 2f2fd1b5-757e-4b37-a44f-eb76e86a81c2

Line Numbers*****************



Raw Audit Messages***********



avc: denied { read } for comm=smbd dev=sda1 name=/ pid=21782

scontext=system_u:system_r:smbd_t:s0 tclass=dir

tcontext=system_ubject_r:fusefs_t:s0









--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-13-2007, 12:20 PM
Johnny Tan
 
Default SELinux prevents Samba from sharing NTFS mounts.

Petteri Kautonen wrote:

Hi,
I have F8 and every time to I try to access remotely or locally NTFS
filesystems that shared via Samba I get a warning (at the end of this
mesage) from SELinux troubleshooter and can't access the share.
I have tried to mount the filesystem with different context's but none
of them seem to do anything. The shares worked with previous version of
Fedora (F7). I have tried to mount the NTFS volume doing the following
to change it context:
* mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
context=system_u:system_r:smbd_t
* mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
context=system_ubject_r:smbd_t
* mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
fscontext=system_ubject_r:samba_share_t
and various other mount options such as defcontext= and changed the
context=, fscontext=, and defcontext= parameter values.

But the context stays the same (ls --lcontext):
drwxrwxrwx 1 _system_ubject_r:fusefs_t_ root root 12288
2007-12-12 21:13 petteri-c


I think this might be similar to my httpd/nfs question a
couple days ago.


Do you have other mounts of /dev/sda1 besides the
/mnt/petteri-c?


johnn

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-13-2007, 01:16 PM
Petteri Kautonen
 
Default SELinux prevents Samba from sharing NTFS mounts.

Johnny Tan wrote:

I think this might be similar to my httpd/nfs question a couple days ago.

Do you have other mounts of /dev/sda1 besides the /mnt/petteri-c?

johnn

It has been mounted only to /mnt/petteri-c.
I joined the list a few days ago, so I haven't been able to see the
whole conversation. Perhaps I should check the archives.


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-13-2007, 08:13 PM
Daniel J Walsh
 
Default SELinux prevents Samba from sharing NTFS mounts.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Petteri Kautonen wrote:
> Hi,
> I have F8 and every time to I try to access remotely or locally NTFS filesystems
> that shared via Samba I get a warning (at the end of this mesage) from SELinux
> troubleshooter and can't access the share.
> I have tried to mount the filesystem with different context's but none of them
> seem to do anything. The shares worked with previous version of Fedora (F7). I
> have tried to mount the NTFS volume doing the following to change it context:
> * mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o context=system_u:system_r:smbd_t
> * mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o context=system_ubject_r:smbd_t
> * mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
> fscontext=system_ubject_r:samba_share_t
> and various other mount options such as defcontext= and changed the context=,
> fscontext=, and defcontext= parameter values.
> But the context stays the same (ls --lcontext):
> drwxrwxrwx 1 _system_ubject_r:fusefs_t_ root root 12288 2007-12-12
> 21:13 petteri-c
>
> So how I am going tho get SELinux to allow Samba to share mounted NTFS
> filesystem? (Sorry about the newbie question and possibly bad english).
> SELinux is enforcing/targetted and all the booleans that refer to smbd are
> checked allow from SELinux Administration.
>
> /Summary
> SELinux is preventing samba (smbd) "read" to <Unknown> (fusefs_t).
>
> Detailed Description
> SELinux denied samba access to <Unknown>. If you want to share this
> directory with samba it has to have a file context label of samba_share_t.
> If you did not intend to use <Unknown> as a samba repository it could
> indicate either a bug or it could signal a intrusion attempt.
>
> Allowing Access
> You can alter the file context by executing chcon -R -t samba_share_t
> <Unknown> You must also change the default file context files on the system
> in order to preserve them even on a full relabel. "semanage fcontext -a -t
> samba_share_t <Unknown>"
>
> The following command will allow this access:
> chcon -R -t samba_share_t <Unknown>
>
> Additional Information
>
> Source Context system_u:system_r:smbd_t
> Target Context system_ubject_r:fusefs_t
> Target Objects None [ dir ]
> Affected RPM Packages
> Policy RPM selinux-policy-3.0.8-64.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.samba_share
> Host Name petteri
> Platform Linux petteri 2.6.23.8-63.fc8 #1 SMP Wed Nov 21
> 18:51:08 EST 2007 i686 athlon
> Alert Count 126
> First Seen ke 14. marraskuuta 2007 15:57:05
> Last Seen to 13. joulukuuta 2007 07:13:17
> Local ID 2f2fd1b5-757e-4b37-a44f-eb76e86a81c2
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { read } for comm=smbd dev=sda1 name=/ pid=21782
> scontext=system_u:system_r:smbd_t:s0 tclass=dir
> tcontext=system_ubject_r:fusefs_t:s0
>
>
> /
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You should mount them as samba_share_t

mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
context=system_u:system_r:samba_share_t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHYaCVrlYvE4MpobMRAlNtAJ9UfV6sOAhND/uks/42NURRaAvoYgCgkKln
J1bCcg2QLpKUv+Ao1dxq+eU=
=dbrj
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-14-2007, 05:06 AM
Petteri Kautonen
 
Default SELinux prevents Samba from sharing NTFS mounts.

Daniel J Walsh wrote:

You should mount them as samba_share_t


Well, that much I know, but any of the commands don't seem to work...

mount -t ntfs-3g /dev/sda1 /mnt/petteri-c -o
context=system_u:system_r:samba_share_t

..including this one. It mounts the partition but the context according
to 'ls --lcontext' still is system_ubject_r:fusefs_t.


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-14-2008, 08:49 PM
voegi
 
Default SELinux prevents Samba from sharing NTFS mounts.

Petteri Kautonen wrote:
>
> Daniel J Walsh wrote:
> It mounts the partition but the context according
> to 'ls --lcontext' still is system_ubject_r:fusefs_t.
>


I have the same problem. How did you solve this?
Thank you!
--
View this message in context: http://www.nabble.com/SELinux-prevents-Samba-from-sharing-NTFS-mounts.-tp14310313p16677407.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-15-2008, 09:06 AM
Petteri Kautonen
 
Default SELinux prevents Samba from sharing NTFS mounts.

I found a solution. I don't remember who suggested it to me though but
it goes this way:

As root:

grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp

*



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 07:11 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org