Why can't I set /mnt/path to samba_share_t ?

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Tue Feb 16 10:09:11 UTC 2010


Sorry I was mistaken.

I set it by .fc and made a module but failed, so I used audit2allow to allow
smbd_t to read/write mnt_t.
But that was not a good solution, I knew...


Thanks everyone.

I will check semanage fcontext.

I will report if I succeed.

Thanks!


2010/2/16 Paul Howarth <paul at city-fan.org>:
> On 15/02/10 21:54, Tristan Santore wrote:
>> On 15/02/10 21:44, Shintaro Fujiwara wrote:
>>> Hi, I'm now making a server at my office with f12.
>>> I'm moved by how easy SELinux has become to configure after all
>>> these years.
>>>
>>> I have mounted HDs on /mnt/path or /media/path.
>>>
>>> The HDs are mounted on /mnt/path, which holds valuable data,
>>> and on /media/path,
>>> which has backup tarballs.
>>>
>>> The data on /mnt/path is shared by samba so that some
>>> organization unit guys can read and write through the network.
>>>
>>> First, I set
>>> # chmod 777 /mnt/path
>>> and this is just a test, so it's not controversial.
>>> Second, I read smb.conf and found the SELinux configuration notes
>>> telling me to set the path to samba_share_t with chcon.
>>> I did that and it was a success; I could read and write from the network to
>>> /mnt/path.
>>>
>>> Next, I ran
>>> # restorecon -R -v /mnt
>>> and /mnt/path became mnt_t.
>>> After that, I failed to both read and write.
>>>
>>> I made a local module with audit2allow and installed it with semodule -i.
>>> Of course, I restoreconed.
>>> I failed again.
>>>
>>> I did
>>> # touch /.autorelabel
>>> # shutdown -r now
>>>
>>> I failed.
>>>
>>> The security context of /mnt/path is still mnt_t.
>>>
>>> How can I set the security context of /mnt/path to samba_share_t without
>>> using chcon?
>
> The module you created using audit2allow will have a .fc file. Add the
> following line to that file:
>
> /mnt/path(/.*)?         gen_context(system_u:object_r:samba_share_t,s0)
>
> Then edit the .te file to increase the module version number (the number
> in the policy_module declaration at the top) and rebuild the .pp file.
>
> When you've done that, use "semodule -u" to update the policy module.
>
> You'll then be able to do "restorecon -R -v /mnt/path" and it'll be
> samba_share_t.
>
> Paul.



-- 
http://intrajp.no-ip.com/ Home Page
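
The procedure from Paul's reply written out as a script. This is an added example, not part of the original thread: it creates a local module whose .fc carries the rule he quotes, builds and installs it, relabels, and checks the result. The module name `localsamba`, the version `1.0.1`, the function names and the Fedora devel Makefile path are assumptions.

```shell
#!/bin/sh
# Added example: persistent samba_share_t labelling for /mnt/path through a
# local policy module. Module name and version below are hypothetical.
MODULE=localsamba
SHARE=/mnt/path

# Write the module sources (.te and .fc) into directory $1.
write_module() {
    dir=$1
    mkdir -p "$dir" || return 1
    # .te: declaration only; raise the version number on every rebuild.
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.1)

gen_require(\`
    type samba_share_t;
')
EOF
    # .fc: the file-context rule restorecon consults (line from the thread).
    cat > "$dir/$MODULE.fc" <<EOF
$SHARE(/.*)?         gen_context(system_u:object_r:samba_share_t,s0)
EOF
}

# Build, install and relabel. Needs root and the selinux-policy devel
# Makefile (path assumed for Fedora).
install_module() {
    make -C "$1" -f /usr/share/selinux/devel/Makefile "$MODULE.pp" &&
    semodule -i "$1/$MODULE.pp" &&
    restorecon -R -v "$SHARE"
}

# Extract the type (third field) from a context such as
# system_u:object_r:samba_share_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds only when both the policy's expected label and the on-disk label
# of $SHARE are samba_share_t, i.e. a later restorecon will not revert it.
check_label() {
    want=$(matchpathcon -n "$SHARE") || return 1
    have=$(stat -c %C "$SHARE") || return 1
    [ "$(context_type "$want")" = samba_share_t ] &&
    [ "$(context_type "$have")" = samba_share_t ]
}

# Usage: write_module ./localsamba && install_module ./localsamba && check_label
```

Running `semanage fcontext -a -t samba_share_t '/mnt/path(/.*)?'` followed by `restorecon -R -v /mnt/path` records the same rule without building a module.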

