Hi! What's the proper security context of the credentials file used by mount.cifs? samba_selinux did not help me and cifs_t is not what I am looking for:
audit(1173946014.366:6): avc: denied { read } for pid=2237 comm="mount.cifs" name=".smbcredential-polsl" dev=sda1 ino=2195809 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:cifs_t:s0 tclass=file
I've got this line in my fstab:
//dionizos/usr /srv/dionizos cifs credentials=/root/.smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir_mode=0777 0 0
Regards, Dawid
Dawid Gajownik wrote:
Hi! What's the proper security context of the credentials file used by mount.cifs? samba_selinux did not help me and cifs_t is not what I am looking for:
audit(1173946014.366:6): avc: denied { read } for pid=2237 comm="mount.cifs" name=".smbcredential-polsl" dev=sda1 ino=2195809 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:cifs_t:s0 tclass=file
I've got this line in my fstab:
//dionizos/usr /srv/dionizos cifs credentials=/root/.smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir_mode=0777 0 0
You're probably having problems with trying to read /root before you even get to the credentials file. What I use is this:
//METROPOLIS/Public\040Data /mnt/samba/public.data cifs uid=paul,gid=paul,credentials=/etc/samba/smbcredentials.paul,dir_mode=0755,file_mode=0644 0 0
$ ls -lZ /etc/samba
-rw-r--r-- root root system_u:object_r:samba_etc_t lmhosts
-rw------- root root user_u:object_r:samba_secrets_t passdb.tdb
-rw------- root root user_u:object_r:samba_secrets_t secrets.tdb
-rw-r--r-- root root system_u:object_r:samba_etc_t smb.conf
-rw------- root root user_u:object_r:samba_etc_t smbcredentials.paul
-rw-r--r-- root root system_u:object_r:samba_etc_t smbusers
Paul.
On 3/16/07, Paul Howarth paul@city-fan.org wrote:
You're probably having problems with trying to read /root before you even get to the credentials file. What I use is this:
May I ask what version of selinux-policy-targeted you have on your system? I changed the configuration and still have AVC messages:
audit(1174047007.131:6): avc: denied { read } for pid=2242 comm="mount.cifs" name="smbcredential-polsl" dev=sda1 ino=131578 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_etc_t:s0 tclass=file
[gajownik@cyklop ~]$ ls -lZ /etc/samba/
-rw-r--r-- root root system_u:object_r:samba_etc_t lmhosts
-rw-r--r-- root root system_u:object_r:samba_etc_t smb.conf
-rw------- root root user_u:object_r:samba_etc_t smbcredential-polsl
[gajownik@cyklop ~]$
fstab:
//dionizos/usr /srv/dionizos cifs credentials=/etc/samba/smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir_mode=0777 0 0
selinux-policy-targeted-2.4.6-42.fc6
Dawid Gajownik wrote:
On 3/16/07, Paul Howarth paul@city-fan.org wrote:
You're probably having problems with trying to read /root before you even get to the credentials file. What I use is this:
May I ask what version of selinux-policy-targeted you have on your system? I changed the configuration and still have AVC messages:
audit(1174047007.131:6): avc: denied { read } for pid=2242 comm="mount.cifs" name="smbcredential-polsl" dev=sda1 ino=131578 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_etc_t:s0 tclass=file
[gajownik@cyklop ~]$ ls -lZ /etc/samba/
-rw-r--r-- root root system_u:object_r:samba_etc_t lmhosts
-rw-r--r-- root root system_u:object_r:samba_etc_t smb.conf
-rw------- root root user_u:object_r:samba_etc_t smbcredential-polsl
[gajownik@cyklop ~]$
fstab:
//dionizos/usr /srv/dionizos cifs credentials=/etc/samba/smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir_mode=0777 0 0
selinux-policy-targeted-2.4.6-42.fc6
Curious:
# rpm -q selinux-policy
selinux-policy-2.4.6-42.fc6
I haven't changed my setup for this for a long time though, and it's been working fine.
Looking at the policy sources, I think it may be working for me because I have the allow_mount_anyfile boolean set (I have some ISO images loopback mounted, and needed the boolean set to do that).
Paul.
On 03/16/2007 02:18 PM, user Paul Howarth wrote:
Looking at the policy sources, I think it may be working for me because I have the allow_mount_anyfile boolean set
You're right, changing this boolean to 'on' allowed this network share to be mounted on system boot. Is there any other way to resolve this problem? I would like not to relax SELinux policy too much.
Anyway, thanks for your help :)
Dawid Gajownik wrote:
On 03/16/2007 02:18 PM, user Paul Howarth wrote:
Looking at the policy sources, I think it may be working for me because I have the allow_mount_anyfile boolean set
You're right, changing this boolean to 'on' allowed this network share to be mounted on system boot. Is there any other way to resolve this problem? I would like not to relax SELinux policy too much.
Alternative approach. Put the credentials file directly under /etc (or some new, private directory within /etc) and run "restorecon" on it, which should label it etc_t. Since /etc/fstab is etc_t and mount must be able to read *that*, it should be able to read the credentials file too.
Paul.
On 3/21/07, Paul Howarth paul@city-fan.org wrote:
Alternative approach. Put the credentials file directly under /etc (or some new, private directory within /etc) and run "restorecon" on it, which should label it etc_t. Since /etc/fstab is etc_t and mount must be able to read *that*, it should be able to read the credentials file too.
Great! It works. Thanks!
IMHO the samba_selinux manpage should provide information about the security context of credentials file(s). Could someone fix it, please?
Regards, Dawid
selinux@lists.fedoraproject.org
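
Added example, not part of the original thread: a small Python parser run over the two AVC denials quoted above. It shows that the reading domain is mount_t in both cases and only the file's type changed (cifs_t, then samba_etc_t), which is why relabelling the file to a type mount_t may already read resolved the problem. The function names are illustrative.

```python
import re

# The two denials quoted in the thread, copied verbatim from the messages.
AVC_LINES = [
    'audit(1173946014.366:6): avc: denied { read } for pid=2237 '
    'comm="mount.cifs" name=".smbcredential-polsl" dev=sda1 ino=2195809 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=user_u:object_r:cifs_t:s0 tclass=file',
    'audit(1174047007.131:6): avc: denied { read } for pid=2242 '
    'comm="mount.cifs" name="smbcredential-polsl" dev=sda1 ino=131578 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=user_u:object_r:samba_etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'name': kv.get('name'),
        # A context is user:role:type[:level]; the type is the third field.
        'source_type': kv['scontext'].split(':')[2],
        'target_type': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
    }

def allow_rule(d):
    """The rule shape audit2allow would propose for this denial."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['source_type'], d['target_type'], d['tclass'], perms)

def denied_targets(lines):
    """Map each source domain to the sorted target types it was denied on."""
    out = {}
    for d in filter(None, map(parse_avc, lines)):
        out.setdefault(d['source_type'], set()).add(d['target_type'])
    return {src: sorted(types) for src, types in out.items()}

if __name__ == '__main__':
    for line in AVC_LINES:
        d = parse_avc(line)
        print(d['comm'], d['name'], '->', allow_rule(d))
    print(denied_targets(AVC_LINES))
```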