Hi Fedora SELinux gurus, question from a very perplexed newbie.
I'm trying to access an external ntfs-3g drive from vmware on Fedora, with the drive seen through vmware as a networked samba drive. I have Fedora 8 as the host, VMware Workstation 6.0.2 with Windows XP Pro as the guest OS, and SELinux set to enforcing.
I have the host visible as a networked drive in My Network Places on the guest, and can access files in my Fedora 8 home directory, so SELinux is at least allowing that.
The external ntfs-3g drive that I'd like to also access is visible in My Network Places on the guest. However, whenever I click on it, I get an SELinux AVC Denial, which says SELinux is preventing the samba daemon from serving r/o local files to remote clients, and tells me that I need to turn on the samba_export_all_ro boolean, which is already on.
The raw audit message that I get in the SELinux popup is:

    avc: denied { read } for comm=smbd dev=sdd1 name=/ pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0

I have mounted the ntfs-3g drive so that it matches the ownership of my home drive, e.g. the fstab entry is:

    /dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000 0 0

    $ ls -al media
    total 233
    drwxrwxrwx 1 craign family 4096 2007-12-12 23:04 .
    drwxr-xr-x 6 root root 4096 2007-12-02 14:13 ..
    drwxrwxrwx 1 craign family 0 2007-09-16 11:31 Craig
    ...
Can anyone help?
Many TIA, Craig
Hello Craig,
Did you try to mount your drive with proper context?

    /dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000,context=system_u:system_r:samba_share_t 0 0
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Cheers, Josef Kubin
Thanks for answering my post, Josef. Unfortunately, I'm getting exactly the same AVC denial and message when trying to access the drive from vmware. The odd thing is, I can access my home directory from vmware without problem. The /etc/fstab entry now reads:
/dev/sdd1 /mnt/media ntfs-3g rw,locale=en_US.utf8,uid=500,gid=1000,context=system_u:system_r:samba_share_t 0 0
Thanks, Craig
Hi, it looks like you rediscovered a bug ...
I've tried to investigate things a little bit; in this case the forced context is completely ignored ...

    [root@localhost vmware]# ls -Z /mnt/
    drwxr-xr-x root root system_u:object_r:mnt_t:s0 foo
    [root@localhost vmware]# mount -t ntfs-3g -o loop,offset=32256,context=blabla ntfsImg-flat /mnt/foo/
    [root@localhost vmware]# ls -Z /mnt/
    drwxrwxrwx root root system_u:object_r:fusefs_t:s0 foo
    [root@localhost vmware]# umount /mnt/foo/
    [root@localhost vmware]# mount -t ntfs-3g -o context=blabla:bleble:blabla,loop,offset=32256 ntfsImg-flat /mnt/foo/
    [root@localhost vmware]# ls -Z /mnt/
    drwxrwxrwx root root system_u:object_r:fusefs_t:s0 foo

But not in this case.

    [root@localhost vmware]# cat /dev/zero > file
    [root@localhost vmware]# mkfs.ext3 file
    ...
    [root@localhost vmware]# mount -o loop,context=system_u:object_r:httpd_sys_content_t:s0 file /mnt/foo/
    [root@localhost vmware]# ls -Z /mnt/
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 foo
Similar bug(s) have already been reported: https://bugzilla.redhat.com/show_bug.cgi?id=216846

The following command should help :-(

    # setsebool -P samba_run_unconfined 1
Bye. Josef
sudo /usr/sbin/setsebool -P samba_run_unconfined 1
Strangely, exactly the same AVC denial. Anything else I can try, short of turning off SELinux, which I'd prefer not to do?
Many thanks, Craig
I am facing the exact same issues, not only when dealing with ntfs-3g drives, but with my RAID hard drive and my external drive also (both mounted as vfat). I went through all the aforementioned steps and I still haven't managed to resolve the issue.
You can update your policy to allow this
    # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
    # semodule -i mysamba.pp
Then please open a bugzilla on this. It might be a kernel problem. Or we can fix it in policy.
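The last reply builds a policy module directly from the logged denials. As an added example (not part of the thread and not the project's own code), the shell function below lists the allow rules those denials imply, so they can be read before a module built from them is installed. The names avc_to_allow and sample_denials are hypothetical, and only the first sample line is the denial quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): list the allow rules implied by AVC
# denials, so they can be read before a module built from them is installed.

# avc_to_allow: read audit lines on stdin and print one rule per
# (source type, target type, class), merging the denied permissions.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        b = index($0, "{"); e = index($0, "}")
        if (b == 0 || e <= b) next
        perms = substr($0, b + 1, e - b - 1)
        gsub(/^ +| +$/, "", perms)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type[:level]; the rule uses the type.
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        if (s == "" || t == "" || c == "" || perms == "") next
        key = s " " t ":" c
        if (!(key in rule)) { keys[++cnt] = key; rule[key] = "" }
        n = split(perms, p, / +/)
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++)
                rule[key] = rule[key] (rule[key] == "" ? "" : " ") p[j]
    }
    END {
        for (k = 1; k <= cnt; k++)
            printf "allow %s { %s };\n", keys[k], rule[keys[k]]
    }'
}

# Constructed sample: line 1 is the denial quoted in the thread; the others
# are made up to show merging, de-duplication and non-AVC lines being skipped.
sample_denials() {
    cat <<'EOF'
avc: denied { read } for comm=smbd dev=sdd1 name=/ pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
avc: denied { getattr } for comm=smbd dev=sdd1 name=Craig pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
avc: denied { read } for comm=smbd dev=sdd1 name=/ pid=4347 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
type=SYSCALL msg=sample-record-without-avc-text
EOF
}

sample_denials | avc_to_allow
```

The resulting rule names the type fusefs_t rather than the mount point, so it applies to every filesystem labelled fusefs_t on the host, not only /mnt/media.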