samba & selinux

Craig White craigwhite at azapple.com
Fri Nov 2 03:14:06 UTC 2007


On Thu, 2007-11-01 at 17:03 -0400, McGuffey, David C. wrote:
> Have had an interesting time getting samba to serve up files on F7.
> After doing a lot of rtfm and tinkering, it will share test files in
> /mnt/winxp_data for both localhost and remote windowz boxes on the LAN.
> However when I remove the test files (created with 'touch') and mount an
> ntfs partition, I get an selinux error. From the error I deduce that the
> selinux type for winxp_data is fusefs_t, and it needs to be
> samba_share_t.
> 
> But when I try to change the type (using the guidance in the selinux
> error message) I get another error.  
> 
> Is it the way I'm mounting the ntfs partition? Have read that mounting
> ntfs partitions and sharing them with samba is problematic.  Some report
> success by doing the following in fstab:
> 	/dev/sdb2	/mnt/winxp_data	ntfs	defaults	1 2
> But that doesn't seem to solve the problem...at least in my case.
> 
> In the end, I'll be formatting /dev/sdb2 as an ext3 partition, and
> copying all of my ntfs data to it from /dev/sdb1, and then sharing out
> the data from a linux partition. /dev/sdb1 will remain for dual-boot to
> WinXP until my conversion to linux is complete. But for now, I'd like to
> get samba to share this ntfs partition.  Any tips?
> 
> selinux error message:
> 
> Summary
>     SELinux is preventing samba (/usr/sbin/smbd) "getattr" to
> /mnt/winxp_data (fusefs_t).
> 
> Detailed Description
>     SELinux denied samba access to /mnt/winxp_data. If you want to share
> this directory with samba it has to have a file context label of
> samba_share_t.
>     If you did not intend to use /mnt/winxp_data as a samba repository
> it could indicate either a bug or it could signal a intrusion attempt.
> 
> Allowing Access
>     You can alter the file context by executing chcon -R -t
> samba_share_t
>     /mnt/winxp_data
> 
>     The following command will allow this access:
>     chcon -R -t samba_share_t /mnt/winxp_data
> 
> Additional Information        
> 
> Source Context                system_u:system_r:smbd_t
> Target Context                system_u:object_r:fusefs_t
> Target Objects                /mnt/winxp_data [ dir ]
> Affected RPM Packages         samba-3.0.26a-0.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-48.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.samba_share
> Host Name                     desk.x.x
> Platform                      Linux desk.x.x 2.6.23.1-10.fc7 #1 SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
> Alert Count                   7
> First Seen                    Mon 29 Oct 2007 07:15:02 PM EDT
> Last Seen                     Wed 31 Oct 2007 09:40:07 PM EDT
> Local ID                      x
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { getattr } for comm="smbd" dev=sdb2 egid=500 euid=500
> exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0
> path="/mnt/winxp_data" pid=2856 scontext=system_u:system_r:smbd_t:s0
> sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=500
> 
> 
> [root at desk ~]# ls --lcontext /mnt
> total 4
> drwxrwxrwx 1 system_u:object_r:fusefs_t       root root 4096 2007-10-30 21:09 winxp_data
> [root at desk ~]# chcon -t samba_share_t /mnt/winxp_data
> chcon: failed to change context of /mnt/winxp_data to system_u:object_r:samba_share_t: Operation not supported
----
you're probably better off taking this to the selinux list...

https://www.redhat.com/mailman/listinfo/fedora-selinux-list

but it seems to my under-informed mind that if /mnt/winxp_data is a
mounted ntfs volume, the ntfs volume is not going to support the
extended attributes necessary for selinux, and nothing is going to change
that short of Microsoft changing the ntfs format itself to support POSIX
extended attributes.

Craig
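As an added example (not code from this thread or from the Fedora/SELinux projects), the script below parses the raw AVC line quoted above, pulls out the source and target types, and picks the remedy that fits: a filesystem that stores labels gets a persistent `semanage fcontext` rule plus `chcon`, while a mount that SELinux labels as a whole (the `fusefs_t` case here, where `chcon` returns "Operation not supported") gets the `context=` mount option from mount(8), which assigns one label to everything under the mount point. The `ntfs-3g` filesystem type, the `mnt_t` variant of the denial, and the extra entries in `MOUNT_LABELLED_TYPES` beyond `fusefs_t` are assumptions made for the example.

```python
import re

# Constructed sample input: the raw AVC message quoted in the thread, rejoined onto one line.
SAMPLE_AVC = (
    'avc: denied { getattr } for comm="smbd" dev=sdb2 egid=500 euid=500 '
    'exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 '
    'path="/mnt/winxp_data" pid=2856 scontext=system_u:system_r:smbd_t:s0 '
    'sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=500'
)

# Constructed variant (assumption): the same denial against a directory on an
# ext3 volume, carrying the mnt_t label that /mnt gets by default.
SAMPLE_AVC_EXT3 = SAMPLE_AVC.replace(
    "tcontext=system_u:object_r:fusefs_t:s0", "tcontext=system_u:object_r:mnt_t:s0"
)

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value tokens; values are either double-quoted (path="...") or bare (tty=(none), exit=-13)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types SELinux assigns to a whole mount (genfscon) because the filesystem cannot
# store per-file labels; chcon on such a path fails with "Operation not supported",
# as in the thread. fusefs_t comes from the page; the other two are an assumption
# listing further commonly mount-labelled filesystems. Extend to match local policy.
MOUNT_LABELLED_TYPES = {"fusefs_t", "dosfs_t", "iso9660_t"}


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def remediation(rec, device, mountpoint, fstype, wanted="samba_share_t"):
    """Decide how to get the denied target labelled `wanted`.

    Returns (kind, lines): kind is "none", "mount" or "relabel"; lines are the
    fstab entry or commands to apply.
    """
    target = context_type(rec["tcontext"])
    if target == wanted:
        return ("none", [])
    if target in MOUNT_LABELLED_TYPES:
        # No per-file labels possible: label the whole mount with the context=
        # mount option (mount(8)). Every file under the mount gets this one label.
        opts = f"defaults,context=system_u:object_r:{wanted}:s0"
        return ("mount", [f"{device}\t{mountpoint}\t{fstype}\t{opts}\t0 0"])
    # Filesystem stores labels: relabel in place and record the rule so a later
    # restorecon or full relabel does not undo it.
    return ("relabel", [
        f"semanage fcontext -a -t {wanted} '{mountpoint}(/.*)?'",
        f"chcon -R -t {wanted} {mountpoint}",
    ])


if __name__ == "__main__":
    for line, fstype in ((SAMPLE_AVC, "ntfs-3g"), (SAMPLE_AVC_EXT3, "ext3")):
        rec = parse_avc(line)
        print(f"{rec['comm']} ({context_type(rec['scontext'])}) denied {rec['perms']} "
              f"on {rec['path']} [{rec['tclass']}] labelled {context_type(rec['tcontext'])}")
        kind, lines = remediation(rec, "/dev/sdb2", "/mnt/winxp_data", fstype)
        print(f"  -> {kind}")
        for entry in lines:
            print("     " + entry)
```

The `context=` route is coarser than per-file labelling: the whole tree becomes `samba_share_t`, so anything smbd may reach on that volume is then governed only by the share definitions in smb.conf and by ordinary file permissions, which is worth keeping in mind before pointing it at a volume that holds more than the data meant to be shared.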



