Subject: | |
From: | |
Reply To: | |
Date: | Fri, 4 Mar 2016 03:48:24 -0800 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
On 03/04/2016 03:39 AM, ToddAndMargo wrote:
> On 03/04/2016 02:59 AM, David Sommerseth wrote:
>> On 04/03/16 11:05, ToddAndMargo wrote:
>> [...snip...]
>>> # grep denied /var/log/audit/audit.log
>>> type=AVC msg=audit(1457071461.014:2015): avc: denied { write } for
>>> pid=26451
>>> comm="smbd" name="test" dev="dm-1" ino=593703
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=unconfined_u:object_r:mnt_t:s0
>>> tclass=dir
>>>
>>> These stem from when I was trying to get SeLinux to work
>>> on the share. "Test" was a shared directory. "Test"
>>> has since been removed.
>>>
>>> I can browse/use the mount point without issue as
>>> long as I do not have an NTFS Flash Drive mounted to it.
>>>
>>> No mention of /mnt/iso in the above
>>> # grep denied /var/log/audit/audit.log | grep iso
>>> # <nothing>
>>
>> You skipped the 'audit2allow' tip I gave you.
>>
>> ---------------------------------------------
>>
>> cat | audit2allow
>>
>> type=AVC msg=audit(1457071461.014:2015): avc: denied { write } for
>> pid=26451
>> comm="smbd" name="test" dev="dm-1" ino=593703
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=unconfined_u:object_r:mnt_t:s0
>> tclass=dir
>>
>>
>>
>> #============= smbd_t ==============
>>
>> #!!!! This avc can be allowed using the boolean 'samba_export_all_rw'
>> allow smbd_t mnt_t:dir write;
>> ---------------------------------------------
>>
>> See the line "!!!! This avc can...." ... So just do:
>>
>> # setsebool -P samba_export_all_rw 1
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>>
>>
>>
>
>
>
> # grep denied /var/log/audit/audit.log | grep iso | audit2allow
> Nothing to do
>
>
> # grep denied /var/log/audit/audit.log | audit2allow
>
> #============= logrotate_t ==============
> allow logrotate_t home_root_t:dir read;
> allow logrotate_t init_t:service reload;
>
> #============= smbd_t ==============
>
> #!!!! This avc is allowed in the current policy
> allow smbd_t mnt_t:dir write;
>
> #!!!! This avc is allowed in the current policy
> allow smbd_t mnt_t:file getattr;
>
>
> Couldn't figure out what the above meant.
>
>
> As you recommended, I ran
> # setsebool -P samba_export_all_rw 1
>
> Now W7 says the directory is empty
>
>
>
Wait. Hold everything. I was in the wrong iso share.
And "# setsebool -P samba_export_all_rw 1" fixed it.
And I have full read/wrie too.
Yippee!
thankyouthankyouthankyouthankyouthankyouthankyouthankyou
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|