Daniel J Walsh wrote: |Daniel B. Thurman wrote: || Stephen Smalley || |Daniel B. Thurman wrote: || |> |You can certainly generate a local policy module that gives || |> |access to fusefs_t, but it would be better if we could get || |> |the context mount option to work. || |> || |> I will try anything you suggest. Let me know if you can || |> resolve this issue, otherwise let me know (in detail) how || |> to write a policy as a last resort? || | || |To generate local policy for this issue, you'd do something |like this: || | || |$ su - || |# ausearch -m AVC | grep fuse | audit2allow -M myfuse || |# semodule -i myfuse.pp || | || |Then the fuse-related denials should be allowed. || || Uh, almost. It still will not allow me to chmod or chgrp || the mounted filesystem which means that I cannot write to || the shared NTFS filesystem without assigning the proper || permissions. I have set samba properties to allow writes || but apparently this problem resides with fuse again. Grr. || || What can I do to allow samba shared writes? |Look for additional AVC's with ausearch | |You can run the above command another time. | |You can put the machine into permissive mode and gather all of the AVC |messages | |setenforce 0 |Run your test |ausearch -m AVC | grep fuse | audit2allow -M myfuse |semodule -i myfuse.pp |setenforce 1
Yup! That worked!
Thanks, Dan!
Dan
selinux@lists.fedoraproject.org