Hello,
I am having some difficulty getting NFS to work on my Core 7 (2.6.22.1-33.fc7) box, wondering if I have missed something obvious. I have edited the /etc/exports file, and when I attempt to restart the nfs daemon I get the following:
[root@scully etc]# vi exports
[root@scully etc]# service nfs reload
[root@scully etc]# service nfs status
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped
[root@scully etc]# service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: Cannot register service: RPC: Unable to receive; errno = Connection refused
rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp).
[FAILED]
Starting NFS daemon:
at which point it hangs and I have to kill the command from a new shell.
I have seen conflicting references online regarding this error, stating that portmap must be started first, and also that portmap is deprecated in fc7. What else should I look at?
On Tue, 29 Jan 2008 13:37:36 -0500 (EST) Raven Brooke linuxchiq@linuxchiq.com wrote:
> errno = Connection refused
/etc/hosts.allow
/etc/hosts.deny
Firewall settings
Raven Brooke wrote:
> Hello,
> I am having some difficulty getting NFS to work on my Core 7 (2.6.22.1-33.fc7) box, wondering if I have missed something obvious. I have edited the /etc/exports file, and when I attempt to restart the nfs daemon I get the following:
> [root@scully etc]# vi exports
> [root@scully etc]# service nfs reload
> [root@scully etc]# service nfs status
> rpc.mountd is stopped
> nfsd is stopped
> rpc.rquotad is stopped
> [root@scully etc]# service nfs start
> Starting NFS services: [ OK ]
> Starting NFS quotas: Cannot register service: RPC: Unable to receive; errno = Connection refused
> rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp).
> [FAILED]
> Starting NFS daemon:
> at which point it hangs and I have to kill the command from a new shell.
> I have seen conflicting references online regarding this error, stating that portmap must be started first, and also that portmap is deprecated in fc7. What else should I look at?
You need to make sure rpcbind is running.
service rpcbind start
before you start nfs services.
Hello
What is the way to find out if any are connected to a vnc session? w or who does not tell?
Henning Larsen
On Jan 30, 2008 5:53 PM, Henning Larsen hennlar@start.no wrote:
> Hello
> What is the way to find out if any are connected to a vnc session? w or who does not tell?
> Henning Larsen
netstat -an should show a network connection on the port used by VNC to another IP.
Jacques b.
On Wed, 2008-01-30 at 18:27 -0500, Jacques B. wrote:
> netstat -an should show a network connection on the port used by VNC to another IP.
> Jacques b.
Yes, but then I need to use 'grep | :59' or similar to filter the output. Is there any cleaner way?
Henning Larsen
Thanks for the answer :)
I have made a file "ww" that is executable containing:
"netstat -an | grep ESTABLISHED | grep -v 127.0.0.1".
Is this sufficient to tell if any are connected / logged in? Is there any way to tell people logged in via vnc that I am going to reboot the system? something like 'wall'?
Henning Larsen
Hi,
I would check for established VNC connections this way:
netstat -tape | grep ESTABLISHED | grep Xvnc
As for warning connected users. If you see there is an established vnc session on port 5902, you could simply do:
export DISPLAY=:2.0; xmessage -center -timeout 60 -file shutdown.txt > /dev/null 2>&1
You could create a list of established connections, translate it to active displays (5902 -> 2.0 | 5903 -> 3.0 ...) and send out a message.
Hope it helps
Olivier
2008/1/31, Henning Larsen hennlar@start.no:
> Thanks for the answer :)
> I have made a file "ww" that is executable containing:
> "netstat -an | grep ESTABLISHED | grep -v 127.0.0.1".
> Is this sufficient to tell if any are connected / logged in? Is there any way to tell people logged in via vnc that I am going to reboot the system? something like 'wall'?
> Henning Larsen
Thanks for the good answer.
On Thu, 2008-01-31 at 15:05 +0100, Olivier Robert wrote:
> Hi,
> I would check for established VNC connections this way:
> netstat -tape | grep ESTABLISHED | grep Xvnc
> As for warning connected users. If you see there is an established vnc session on port 5902, you could simply do:
> export DISPLAY=:2.0; xmessage -center -timeout 60 -file shutdown.txt > /dev/null 2>&1
How can I determine what the user responds, is there errorlevels or anything like that? Hundred years ago I was making a lot of advanced BAT-files in msdos, but have not done much of those things in Linux yet. I could or maybe should find out reading man-pages, but have already asked. :)
What is the reason for doing ' > /dev/null 2>&1'
> You could create a list of established connections, translate it to active displays (5902 -> 2.0 | 5903 -> 3.0 ...) and send out a message.
> Hope it helps
> Olivier
It helps a lot, Thanks
Henning Larsen
Hi,
1. "How can I determine what the user responds, is there errorlevels or anything like that?"
You can check for the exit status of the xmessage command
2. "What is the reason for doing ' > /dev/null 2>&1'"
It redirects any standard out and standard error to oblivion
Let's say you have a vnc session on port 5902. You want a script that checks if there's a session and display a message to the user. And you want to know if the user read the message. Here's what you could do. (you'll have to adapt and add a loop in there if you have several vnc sessions)
Edit the linux user's ~/.vnc/xstartup and add an "xhost +" in it. Otherwise you will not be able to display the message.
Use a script similar to this one: (of course, you will adapt and enhance)
#!/usr/bin/env bash
# Collect the local ports of established Xvnc connections
netstat -tape | grep ESTABLISHED | grep Xvnc | awk '{print $4}' | awk -F ":" '{print $2}' > log-ports
for user in `cat log-ports`
do
  case $user in
    5902)
      # Port 5902 corresponds to display :2
      export DISPLAY=:2.0; xmessage -buttons "I understand":10 -center -timeout 60 -file testmsg > /dev/null 2>&1
      # Exit status 10: the button was clicked; 0: the timeout expired
      [ $? -eq 10 ] \
        && echo "$user acknowledged!" \
        || echo "No answer from $user!"
      ;;
  esac
done
The user connected to 5902 will get a windowed message with a "I understand" button. If he clicks on it, you'll know. If he doesn't, it'll time out after 60 seconds and return an exit status of 0 (zero): you'll know too.
Hope it helps, Olivier
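The port-to-display translation described above (5902 -> :2, 5903 -> :3), generalised to any display instead of one hard-coded case branch. This is an added example, not part of the original post: the function names vnc_displays and notify_displays and the sample netstat lines are constructed for illustration, and it assumes numeric `netstat -tanp` output read as root.

```shell
#!/usr/bin/env bash
# Added example: list X displays that currently have a remote VNC viewer attached.
# Input : `netstat -tanp`-style lines on stdin (root, so PID/Program is filled in).
# Output: one line per viewer, "<display> <remote address>".

vnc_displays() {
    awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $NF ~ /Xvnc/ {
            n = split($4, a, ":")      # local address; port is the last ":" part (IPv4 or IPv6)
            port = a[n] + 0
            # Viewer (RFB) ports are 5900+N. Xvnc also owns 5800+N (HTTP) and
            # 6000+N (X11 over TCP); those are not remote desktop viewers.
            if (port >= 5900 && port <= 5999)
                printf ":%d %s\n", port - 5900, $5
        }
    ' | sort -u
}

# Show a notice on every display read from stdin and report who acknowledged.
# The caller must be authorised on each display. A narrow grant such as
# `xhost +si:localuser:root` in xstartup is enough; plain `xhost +` switches
# off X access control for every host that can reach the display.
notify_displays() {    # usage: netstat -tanp | vnc_displays | notify_displays msgfile
    msgfile=$1
    while read -r display remote; do
        rc=0
        DISPLAY=$display xmessage -buttons "I understand":10 -center -timeout 60 \
            -file "$msgfile" > /dev/null 2>&1 < /dev/null || rc=$?
        if [ "$rc" -eq 10 ]; then
            echo "$display ($remote) acknowledged"
        else
            echo "$display ($remote) no answer"
        fi
    done
}

# Constructed sample input (documentation addresses, not from the thread).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5902            0.0.0.0:*               LISTEN      3121/Xvnc
tcp        0      0 192.0.2.1:5902          192.0.2.10:51544        ESTABLISHED 3121/Xvnc
tcp        0      0 192.0.2.1:5903          198.51.100.7:40022      ESTABLISHED 3188/Xvnc
tcp        0      0 127.0.0.1:6002          127.0.0.1:45210         ESTABLISHED 3121/Xvnc
tcp        0      0 192.0.2.1:22            192.0.2.10:51500        ESTABLISHED 2210/sshd'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | vnc_displays
fi
```

The remote address in the second column also answers the earlier question of who is connected, which `w` and `who` do not show for VNC sessions.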
Thank you Olivier :)
On Thu, 2008-01-31 at 20:12 +0100, Olivier Robert wrote:
> Hi,
> - "How can I determine what the user responds, is there errorlevels or anything like that?"
> You can check for the exit status of the xmessage command
> - "What is the reason for doing ' > /dev/null 2>&1'"
> It redirects any standard out and standard error to oblivion
> Let's say you have a vnc session on port 5902. You want a script that checks if there's a session and display a message to the user. And you want to know if the user read the message. Here's what you could do. (you'll have to adapt and add a loop in there if you have several vnc sessions)
> Edit the linux user's ~/.vnc/xstartup and add an "xhost +" in it. Otherwise you will not be able to display the message.
> Use a script similar to this one: (of course, you will adapt and enhance)
> #!/usr/bin/env bash
> netstat -tape | grep ESTABLISHED | grep Xvnc | awk '{print $4}' | awk -F ":" '{print $2}' > log-ports
> for user in `cat log-ports`
> do
>   case $user in
>     5902)
>       export DISPLAY=:2.0; xmessage -buttons "I understand":10 -center -timeout 60 -file testmsg > /dev/null 2>&1
>       [ $? -eq 10 ] \
>         && echo "$user acknowledged!" \
>         || echo "No answer from $user!"
>       ;;
>   esac
> done
> The user connected to 5902 will get a windowed message with a "I understand" button. If he clicks on it, you'll know. If he doesn't, it'll time out after 60 seconds and return an exit status of 0 (zero): you'll know too.
> Hope it helps, Olivier
Thank you very much, I learned so much from your answer so that I will be busy programming scripts for a long time.
Henning Larsen
Hello
I get an alert from selinux, telling me to do:
'setsebool -P samba_export_all_ro=1'
I did, but still cannot connect to the share from other PCs. Do I have to reboot?
ps. all booleans for samba are selected in selinux administration.
Henning Larsen
On Jan 31, 2008 4:08 AM, Henning Larsen hennlar@start.no wrote:
> Hello
> I get an alert from selinux, telling me to do:
> 'setsebool -P samba_export_all_ro=1'
> I did, but still cannot connect to the share from other PCs. Do I have to reboot?
> ps. all booleans for samba are selected in selinux administration.
> Henning Larsen
Are you still getting alerts?
Hello
On Thu, 2008-01-31 at 11:14 -0600, Arthur Pemberton wrote:
> Are you still getting alerts?
After doing that setsebool -P samba.... I still get alerts, but I found one solution via google, like this:
# grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
# semodule -i mysamba.pp
This removes the alert, but I think it is not the proper way. Maybe it is a bug? If so, how do I remove the modification I have made, when the bug is fixed?
Thanks for helping.
Henning Larsen
On Jan 31, 2008 11:22 AM, Henning Larsen hennlar@start.no wrote:
> After doing that setsebool -P samba.... I still get alerts, but I found one solution via google, like this:
> # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
> This removes the alert, but I think it is not the proper way. Maybe it is a bug? If so, how do I remove the modification I have made, when the bug is fixed?
> Thanks for helping.
It's definitely not the proper way for a program as popular as Samba. I have it running on a machine with SELinux myself so I know it works.
Do you have setroubleshoot installed? It helps troubleshoot these issues, often suggesting exactly what to do, and describing what happened as much as possible.
If you still have the full description of the issue, paste it here. If we can't understand it, try the selinux mailing list.
On Thu, 2008-01-31 at 11:32 -0600, Arthur Pemberton wrote:
> It's definitely not the proper way for a program as popular as Samba. I have it running on a machine with SELinux myself so I know it works.
> Do you have setroubleshoot installed? It helps troubleshoot these issues, often suggesting exactly what to do, and describing what happened as much as possible.
> If you still have the full description of the issue, paste it here. If we can't understand it, try the selinux mailing list.
I do not have the full report, since it is gone, because of what I did to get rid of the alert. I have setroubleshoot installed and it told me to do:
'setsebool -P samba_export_all_ro=1'
I did, but it kept telling me to do the same thing. The share is ntfs on usb. I should try to share an ordinary filesystem, but the alert has gone after doing:
# grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
# semodule -i mysamba.pp
I do not know how to reverse this.
btw, I can live with it since the alert has gone and I use enforcing mode.
Thanks
Henning Larsen
On Jan 31, 2008 12:02 PM, Henning Larsen hennlar@start.no wrote:
> I do not have the full report, since it is gone, because of what I did to get rid of the alert. I have setroubleshoot installed and it told me to do:
> 'setsebool -P samba_export_all_ro=1'
> I did, but it kept telling me to do the same thing. The share is ntfs on usb. I should try to share an ordinary filesystem, but the alert has gone after doing:
> # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
> I do not know how to reverse this.
> btw, I can live with it since the alert has gone and I use enforcing mode.
> Thanks
No prob.
Henning Larsen wrote:
> I do not have the full report, since it is gone, because of what I did to get rid of the alert. I have setroubleshoot installed and it told me to do:
> 'setsebool -P samba_export_all_ro=1'
> I did, but it kept telling me to do the same thing. The share is ntfs on usb. I should try to share an ordinary filesystem, but the alert has gone after doing:
> # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
> I do not know how to reverse this.
> btw, I can live with it since the alert has gone and I use enforcing mode.
> Thanks
> Henning Larsen
Please attach the avc messages that you generated policy for. Looks like you are using samba to share an NFS partition off of a unix box?
On Thu, 2008-01-31 at 19:02 +0100, Henning Larsen wrote:
> btw, I can live with it since the alert has gone and I use enforcing mode.
Though, going by what you posted earlier using audit2allow, you've probably disabled SELinux from doing anything about Samba. Enforcing no rules isn't really enforcing SELinux...
This is the same sort of thing as some firewall telling a user that the firewall has blocked a trojan from using the internet, and the user clicks on allow access. You have to diagnose the fault, not just get rid of the warning.
On Fri, 2008-02-01 at 09:36 +1030, Tim wrote:
> On Thu, 2008-01-31 at 19:02 +0100, Henning Larsen wrote:
> > btw, I can live with it since the alert has gone and I use enforcing mode.
> Though, going by what you posted earlier using audit2allow, you've probably disabled SELinux from doing anything about Samba. Enforcing no rules isn't really enforcing SELinux...
> This is the same sort of thing as some firewall telling a user that the firewall has blocked a trojan from using the internet, and the user clicks on allow access. You have to diagnose the fault, not just get rid of the warning.
> -- (This computer runs FC7, my others run FC4, FC5 & FC6, in case that's important to the thread.)
> Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
I did believe that too, my problem now is that I don't know how to reverse what I did to stop the alerts. Do you have an answer to that?
btw. my router is firewalled against samba, so there is no big security issue.
Henning Larsen
On Fri, 2008-02-01 at 00:15 +0100, Henning Larsen wrote:
> my problem now is that I don't know how to reverse what I did to stop the alerts.
Previously you'd inserted a module (created by your rules), with this command, to allow something:
semodule -i mysamba.pp
What you allowed, I don't know. You didn't post that data.
Reading the man file for semodule shows a "-r" remove module option. Give that a try.
e.g. semodule -r mysamba.pp
On Fri, 2008-02-01 at 10:36 +1030, Tim wrote:
> What you allowed, I don't know. You didn't post that data.
> Reading the man file for semodule shows a "-r" remove module option. Give that a try.
> e.g. semodule -r mysamba.pp
semodule -r mysamba
That removed it
I got the alert back, here it is:
................
Summary
SELinux is preventing the samba daemon from serving r/o local files to remote clients.

Detailed Description
SELinux has preventing the samba daemon (smbd) from reading files on the local system. If you have not exported these file systems, this could signals an intrusion.

Allowing Access
If you want to export file systems using samba you need to turn on the samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".

The following command will allow this access:
setsebool -P samba_export_all_ro=1

Additional Information

Source Context          system_u:system_r:smbd_t:s0
Target Context          system_u:object_r:fusefs_t:s0
Target Objects          None [ dir ]
Affected RPM Packages   samba-3.0.28-0.fc8 [application]
Policy RPM              selinux-policy-3.0.8-81.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.samba_export_all_ro
Host Name               venus.popper.homeunix.com
Platform                Linux venus.popper.homeunix.com 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
Alert Count             1
First Seen              Fri 01 Feb 2008 11:34:17 AM CET
Last Seen               Fri 01 Feb 2008 11:34:17 AM CET
Local ID                6ed95377-42e5-4309-8a8d-fb1b5e06edee
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=smbd dev=sdd1 egid=99 euid=99 exe=/usr/sbin/smbd exit=-13 fsgid=99 fsuid=99 gid=0 items=0 name=Documents pid=3363 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=99
..........
sealert tells me to do:
setsebool -P samba_export_all_ro=1
but it is already done, and has no effect.
Henning Larsen
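To see what a module built with audit2allow from denials like the one above would actually permit, the denials can be reduced to type-enforcement rules and read before `semodule -i`. This is an added example, not part of the thread and not audit2allow itself: the function names avc_to_rules and flag_whole_fs are hypothetical, the first sample line is the raw audit message posted above, and the second is constructed.

```shell
#!/usr/bin/env bash
# Added example: summarise AVC denials as the allow rules a local module
# generated from them would grant (simplified stand-in for reviewing the
# .te file that audit2allow -M writes).

avc_to_rules() {
    awk '
        /avc: +denied/ {
            perms = ""; stype = ""; ttype = ""; tclass = ""
            # permissions are the words between "{" and "}"
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                # a context is user:role:type[:level]; the type is the third part
                if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            if (stype == "" || ttype == "" || tclass == "") next
            key = stype " " ttype ":" tclass
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++)
                if (!((key, p[j]) in seen)) {
                    seen[key, p[j]] = 1
                    rule[key] = rule[key] " " p[j]
                }
        }
        END { for (k in rule) printf "allow %s {%s };\n", k, rule[k] }
    ' | sort
}

# Mark rules whose target type labels a whole filesystem. FUSE and NFS mounts
# carry one label for everything on them, so such a rule covers every mount of
# that kind that was not mounted with a context= option.
flag_whole_fs() {
    awk '{
        note = ""
        if ($3 ~ /^(fusefs_t|nfs_t):/) note = "   # whole-filesystem label"
        print $0 note
    }'
}

# Line 1: raw audit message from the alert above. Line 2: constructed.
SAMPLE_AVC='avc: denied { read } for comm=smbd dev=sdd1 egid=99 euid=99 exe=/usr/sbin/smbd exit=-13 fsgid=99 fsuid=99 gid=0 items=0 name=Documents pid=3363 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=99
type=AVC msg=audit(1201862057.000:42): avc:  denied  { search } for  pid=3363 comm="smbd" name="Documents" dev=sdd1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | flag_whole_fs
fi
```

On a live system the input would be the same lines that were piped into audit2allow, for example the output of `grep fusefs_t /var/log/audit/audit.log`.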
On Fri, 2008-02-01 at 11:41 +0100, Henning Larsen wrote:
> I got the alert back, here it is:
> ................
> Summary
> SELinux is preventing the samba daemon from serving r/o local files to remote clients.
> Detailed Description
> SELinux has preventing the samba daemon (smbd) from reading files on the local system. If you have not exported these file systems, this could signals an intrusion.
Okay, now you might want to tell us what it is that you're trying to share out (e.g. /home), how that's mounted (e.g. local partition or a sub-dir off of /), etc.
On Fri, 2008-02-01 at 23:56 +1030, Tim wrote:
> Okay, now you might want to tell us what it is that you're trying to share out (e.g. /home), how that's mounted (e.g. local partition or a sub-dir off of /), etc.
Hi
I am sharing an ntfs file system connected via usb, it is mounted automatically under /media. I created a new share ~/Public and that works ok. So the problem is with ntfs or usb, how it is mounted?
I do not know
Henning Larsen
On Thursday 31 January 2008 23:15:50 Henning Larsen wrote:
> I did believe that too, my problem now is that I don't know how to reverse what I did to stop the alerts. Do you have an answer to that?
locate mysamba.pp
rm -f ...active/mysamba.pp
rm -f .../previous/mysamba.pp
reboot
Tony
> btw. my router is firewalled against samba, so there is no big security issue.
> Henning Larsen
Tony Molloy wrote:
> locate mysamba.pp
> rm -f ...active/mysamba.pp
> rm -f .../previous/mysamba.pp
> reboot
> Tony
> > btw. my router is firewalled against samba, so there is no big security issue.
> > Henning Larsen
semodule -r mysamba is the proper way to do this. Just removing the pp files will not affect the policy until the next time the policy is rebuilt. So doing the rm -f ...active/mysamba.pp would need to be followed by semodule -B and no reboot would be necessary. (This is not windows.)
Henning, what AVC's are you seeing? What did the te file that you loaded look like?
Henning Larsen wrote:
> After doing that setsebool -P samba.... I still get alerts, but I found one solution via google, like this:
> # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
> This removes the alert, but I think it is not the proper way
No, that's pretty much the proper way. You've effectively created a policy similar to "samba_share_nfs" for FUSE. Since FUSE and NFSv3 don't support file attributes (required for SELinux), the policy can't be very specific about what samba is allowed to do.
You're not the first person to try to share an NTFS drive of some type, so perhaps you should file a bug (request for enhancement), requesting a policy similar to "samba_share_nfs" which allows samba to share fuse filesystems.
The other option would be to mount the USB drive with an allowed context:
mount /dev/usbdoohickey1 /srv/sambantfs -o context=system_u:object_r:samba_share_t
Gordon Messmer wrote:
> No, that's pretty much the proper way. You've effectively created a policy similar to "samba_share_nfs" for FUSE. Since FUSE and NFSv3 don't support file attributes (required for SELinux), the policy can't be very specific about what samba is allowed to do.
> You're not the first person to try to share an NTFS drive of some type, so perhaps you should file a bug (request for enhancement), requesting a policy similar to "samba_share_nfs" which allows samba to share fuse filesystems.
> The other option would be to mount the USB drive with an allowed context:
> mount /dev/usbdoohickey1 /srv/sambantfs -o context=system_u:object_r:samba_share_t
Added samba_share_fusefs boolean to selinux-policy-3.2.7-4 in rawhide.
Dan