McGuffey, David C. wrote:
Have had an interesting time getting samba to serve up files on F7.
After doing a lot of RTFM and tinkering, it will share test files in
/mnt/winxp_data for both localhost and remote windowz boxes on the LAN.
However when I remove the test files (created with 'touch') and mount an
ntfs partition, I get an selinux error. From the error I deduce that the
selinux type for winxp_data is fusefs_t, and it needs to be
samba_share_t.
I expect it will work when you find the magic incantation of the mount
command. I think you need to override the context.
This is how I mounted an ISO so I could serve it from Apache:
/var/local/mirrors/linux/ScientificLinux/5.0/SL-5.0-050407-i386-DVD.iso /mnt/SL5 iso9660 ro,nosuid,nodev,noexec,loop,context=system_u:object_r:httpd_sys_content_t:s0 0 0
That's all one line
But when I try to change the type (using the guidance in the selinux
error message) I get another error.
Is it the way I'm mounting the ntfs partition? Have read that mounting
ntfs partitions and sharing them with samba is problematic. Some report
success by doing the following in fstab:
/dev/sdb2 /mnt/winxp_data ntfs defaults 1 2
But that doesn't seem to solve the problem...at least in my case.
In the end, I'll be formatting /dev/sdb2 as an ext3 partition, and
copying all of my ntfs data to it from /dev/sdb1, and then sharing out
the data from a linux partition. /dev/sdb1 will remain for dual-boot to
WinXP until my conversion to linux is complete. But for now, I'd like to
get samba to share this ntfs partition. Any tips?
selinux error message:
Summary
SELinux is preventing samba (/usr/sbin/smbd) "getattr" to
/mnt/winxp_data (fusefs_t).
Detailed Description
SELinux denied samba access to /mnt/winxp_data. If you want to share
this directory with samba it has to have a file context label of
samba_share_t.
If you did not intend to use /mnt/winxp_data as a samba repository
it could indicate either a bug or it could signal a intrusion attempt.
Allowing Access
You can alter the file context by executing chcon -R -t samba_share_t /mnt/winxp_data
The following command will allow this access:
chcon -R -t samba_share_t /mnt/winxp_data
Additional Information
Source Context system_u:system_r:smbd_t
Target Context system_u:object_r:fusefs_t
Target Objects /mnt/winxp_data [ dir ]
Affected RPM Packages samba-3.0.26a-0.fc7 [application]
Policy RPM selinux-policy-2.6.4-48.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.samba_share
Host Name desk.x.x
Platform Linux desk.x.x 2.6.23.1-10.fc7 #1 SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
Alert Count 7
First Seen Mon 29 Oct 2007 07:15:02 PM EDT
Last Seen Wed 31 Oct 2007 09:40:07 PM EDT
Local ID x
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm="smbd" dev=sdb2 egid=500 euid=500
exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0
path="/mnt/winxp_data" pid=2856 scontext=system_u:system_r:smbd_t:s0
sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=500
[root@desk ~]# ls --lcontext /mnt
total 4
drwxrwxrwx 1 system_u:object_r:fusefs_t root root 4096 2007-10-30 21:09 winxp_data
[root@desk ~]# chcon -t samba_share_t /mnt/winxp_data
chcon: failed to change context of /mnt/winxp_data to system_u:object_r:samba_share_t: Operation not supported
[root@desk ~]#
Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
Please do not reply off-list
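
Added example, not part of either poster's message: a shell sketch of the mount-time relabel suggested in the reply, applied to the fstab line and AVC record quoted in the thread. The function names are hypothetical, the label string follows the pattern of the ISO entry with samba_share_t substituted, and it is an assumption (not tested on the release discussed) that the NTFS driver honours context=.

```shell
#!/bin/sh
# Added example; AVC and FSTAB below are shortened copies of lines in the thread.

# Print the SELinux type (third field) of tcontext= in an AVC record.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# Rewrite one fstab line so field 4 carries context=<label>, replacing any
# context= option already present. Fields are re-joined with single spaces.
fstab_with_context() {
    printf '%s\n' "$1" | awk -v ctx="$2" '{
        n = split($4, opt, ","); out = ""
        for (i = 1; i <= n; i++)
            if (opt[i] !~ /^context=/) out = out (out == "" ? "" : ",") opt[i]
        $4 = (out == "" ? "" : out ",") "context=" ctx
        print
    }'
}

# fusefs_t is assigned by policy to the whole filesystem rather than stored
# per file, so chcon fails ("Operation not supported" in the thread) and the
# label has to be set at mount time. Any other type gets the chcon command.
suggest_fix() {   # args: avc-record fstab-line wanted-type
    if [ "$(avc_target_type "$1")" = "fusefs_t" ]; then
        fstab_with_context "$2" "system_u:object_r:$3:s0"
    else
        printf 'chcon -R -t %s %s\n' "$3" "$(printf '%s\n' "$2" | awk '{print $2}')"
    fi
}

AVC='avc: denied { getattr } for comm="smbd" path="/mnt/winxp_data" scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0'
FSTAB='/dev/sdb2 /mnt/winxp_data ntfs defaults 1 2'
suggest_fix "$AVC" "$FSTAB" samba_share_t
```

The share has to be unmounted and mounted again for the new label to take effect; `ls --lcontext /mnt` as used in the thread shows whether it did.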