SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

Hi Fedora SELinux gurus, question from a very perplexed newbie.

I'm trying to access an external ntfs-3g drive from vmware on Fedora, with the drive seen through vmware as a networked samba drive. I have Fedora 8 as the host, VMware Workstation 6.0.2 with Windows XP Pro as the guest OS, and SELinux set to enforcing.

I have the host visible as a networked drive in My Network Places on the guest, and can access files in my Fedora 8 home directory, so SELinux is at least allowing that.

The external ntfs-3g drive that I'd like to also access is visible in My Network Places on the guest. However, whenever I click on it, I get an SELinux AVC Denial, which says SELinux is preventing the samba daemon from serving r/o local files to remote clients, and tells me that I need to turn on the samba_export_all_ro boolean, which is already on.

The raw audit message that I get in the SELinux popup is:

avc: denied { read } for comm=smbd dev=sdd1 name=/ pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0

I have mounted the ntfs-3g drive so that it matches the ownership of my home drive, e.g. the fstab entry is:

/dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000 0 0

$ ls -al media
total 233
drwxrwxrwx 1 craign family 4096 2007-12-12 23:04 .
drwxr-xr-x 6 root   root   4096 2007-12-02 14:13 ..
drwxrwxrwx 1 craign family    0 2007-09-16 11:31 Craig
...

Can anyone help?

Many TIA,
Craig

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

Hello Craig,

Craig Niederberger wrote:
> I have mounted the ntfs-3g drive so that it matches the ownership of
> my home drive, e.g. the fstab entry is:
> /dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000 0 0

Did you try to mount your drive with the proper context?

/dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000,context=system_u:system_r:samba_share_t 0 0

Cheers,
Josef Kubin

Re: SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

Thanks for answering my post, Josef. Unfortunately, I'm getting exactly the same AVC denial and message when trying to access the drive from vmware. The odd thing is, I can access my home directory from vmware without problem. The /etc/fstab entry now reads:

/dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000,context=system_u:system_r:samba_share_t 0 0

Thanks,
Craig

On Dec 15, 2007 7:10 PM, Josef Kubin <jkubin@...> wrote:
> Did you try to mount your drive with the proper context?
>
> /dev/sdd1 /mnt/media ntfs-3g
> rw,locale=en_US.utf8,uid=500,gid=1000,context=system_u:system_r:samba_share_t
> 0 0

Re: SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

Hi, it looks like you rediscovered a bug ...

Craig Niederberger wrote:
> Thanks for answering my post, Josef. Unfortunately, I'm getting
> exactly the same AVC denial and message when trying to access the
> drive from vmware. The odd thing is, I can access my home directory
> from vmware without problem. The /etc/fstab entry now reads:
>
> /dev/sdd1 /mnt/media ntfs-3g
> rw,locale=en_US.utf8,uid=500,gid=1000,context=system_u:system_r:samba_share_t
> 0 0

I've tried to investigate things a little bit; in this case the forced context is completely ignored ...

[root@localhost vmware]# ls -Z /mnt/
drwxr-xr-x root root system_u:object_r:mnt_t:s0 foo

[root@localhost vmware]# mount -t ntfs-3g -o loop,offset=32256,context=blabla ntfsImg-flat /mnt/foo/

[root@localhost vmware]# ls -Z /mnt/
drwxrwxrwx root root system_u:object_r:fusefs_t:s0 foo

[root@localhost vmware]# umount /mnt/foo/

[root@localhost vmware]# mount -t ntfs-3g -o context=blabla:bleble:blabla,loop,offset=32256 ntfsImg-flat /mnt/foo/

[root@localhost vmware]# ls -Z /mnt/
drwxrwxrwx root root system_u:object_r:fusefs_t:s0 foo

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

But not in this case.

[root@localhost vmware]# cat /dev/zero > file
[root@localhost vmware]# mkfs.ext3 file
...
[root@localhost vmware]# mount -o loop,context=system_u:object_r:httpd_sys_content_t:s0 file /mnt/foo/

[root@localhost vmware]# ls -Z /mnt/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 foo

Similar bug(s) have already been reported.
https://bugzilla.redhat.com/show_bug.cgi?id=216846

The following command should help :-(

# setsebool -P samba_run_unconfined 1

Bye.
Josef

Re: SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

sudo /usr/sbin/setsebool -P samba_run_unconfined 1

Strangely, exactly the same AVC denial. Anything else I can try, short of turning off SELinux, which I'd prefer not to do?

Many thanks,
Craig

On Dec 16, 2007 11:09 AM, Josef Kubin <jkubin@...> wrote:
> Similar bug(s) have already been reported.
> https://bugzilla.redhat.com/show_bug.cgi?id=216846
>
> The following command should help :-(
>
> # setsebool -P samba_run_unconfined 1

Re: SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

I am facing the exact same issues, not only when dealing with ntfs-3g drives, but with my RAID hard drive and my external drive also (both mounted as vfat). I went through all the aforementioned steps and I still haven't managed to resolve the issue.

On Dec 17, 2007 1:27 AM, Craig Niederberger <craignied@...> wrote:
> sudo /usr/sbin/setsebool -P samba_run_unconfined 1

Re: SELinux enforcing, an external ntfs-3g mount, Samba and Fedora 8

Chris Danezis wrote:
> I am facing the exact same issues, not only when dealing with ntfs-3g
> drives, but with my RAID hard drive and my external drive also (both mounted
> as vfat). I went through all the aforementioned steps and I still haven't
> managed to resolve the issue.
>
> On Dec 17, 2007 1:27 AM, Craig Niederberger <craignied@...> wrote:
>
>> sudo /usr/sbin/setsebool -P samba_run_unconfined 1
>>
>> Strangely, exactly the same AVC denial. Anything else I can try,
>> short of turning off SELinux, which I'd prefer not to do?

# grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
# semodule -i mysamba.pp

Then please open a bugzilla on this. It might be a kernel problem. Or we can fix it in policy.
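
The denial quoted in the first message and the `grep fusefs_t ... | audit2allow` step in the last reply, worked through as an added example that is not part of the thread and is not audit2allow's own code. The names `avc_to_allow` and `sample_audit_log` are hypothetical, and every sample record after the first is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. avc_to_allow and sample_audit_log are
# hypothetical names; this is a simplified stand-in for reading what
# audit2allow would be asked to permit, not audit2allow itself.

# avc_to_allow [source_type]: read audit records on stdin and print one
# allow rule per (source type, target type, class), merging permissions.
# With an argument, only denials from that source domain are kept.
avc_to_allow() {
    awk -v want="${1:-}" '
    /avc:[ ]+denied/ {
        stype = ""; ttype = ""; tclass = ""; perms = ""
        lb = index($0, "{"); rb = index($0, "}")
        if (lb && rb > lb) perms = substr($0, lb + 1, rb - lb - 1)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        if (stype == "" || ttype == "" || tclass == "") next
        if (want != "" && stype != want) next
        key = stype " " ttype ":" tclass
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = rule[key] " " p[j]
            }
    }
    END { for (k in rule) print "allow " k " {" rule[k] " };" }
    ' | sort
}

# First record is the denial from the thread; the rest are constructed.
sample_audit_log() {
    cat <<'EOF'
avc: denied { read } for comm=smbd dev=sdd1 name=/ pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
avc: denied { getattr search } for comm=smbd dev=sdd1 name=Craig pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
avc: denied { read } for comm=httpd dev=sdd1 name=/ pid=5120 scontext=system_u:system_r:httpd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
avc: denied { read } for comm=smbd dev=sdd1 name=/ pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
EOF
}

# Same filter as the thread: every fusefs_t denial, whichever daemon hit it.
sample_audit_log | grep fusefs_t | avc_to_allow
# Scoped to the Samba daemon only.
sample_audit_log | grep fusefs_t | avc_to_allow smbd_t
```

Filtering on the target type alone also picks up the constructed httpd denial, so the unscoped rule list grants more than the Samba share needs. A rule on `fusefs_t` covers every filesystem carrying that type, which is why the list is worth reading before `semodule -i` loads the module.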