Well, I just upgraded to Fedora 14 (64-bit) and decided to do things right this time. One of the most common answers I find when googling “Configuring Samba shares on Fedora” is “Disable SELinux.” That’s just plain lazy! So I decided to actually do a little research. Obviously you’ll need to change the specifics to match your setup.
The Initial Setup
-First-
Configure /etc/fstab to automount an NTFS partition by adding a line like this:
/dev/sdb1 /files ntfs-3g defaults 0 0
Then mount the partition by running the following command:
sudo mount -a
-Second-
Configure a Samba share by adding something like this to the end of /etc/samba/smb.conf:
[Videos]
path = /files/Videos
read only = yes
browseable = yes
guest ok = yes
Then restart Samba by running the following commands:
sudo service smb restart
sudo service nmb restart
-Third-
Configure the firewall by running the following command:
system-config-firewall
Just check Samba and Samba Client under Trusted Services and click Apply.
The Problem
In my experience none of the above has been a problem, but when I try to connect to the Samba share from a Windows PC I see the shared folder(s) and then get an access denied error when trying to open the share.
Basic SELinux configuration isn’t that difficult. Right at the top of my smb.conf file it states:
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
And chcon works great on regular files and directories I create, but when I try to chcon anything in /files I get this error:
chcon: failed to change context of 'Videos' to 'system_u:object_r:samba_share_t:s0': Operation not supported
So to see the current security context of Videos I type:
ls -ldZ Videos
and get:
drwxrwxrwx. root root system_u:object_r:fusefs_t:s0 Videos
So at first it appears to be a system label problem and SELinux provides a way to get past that by running either:
sudo setsebool -P samba_export_all_ro on (read-only access)
sudo setsebool -P samba_export_all_rw on (read/write access)
This isn’t the most secure option, however, as either of these would allow Samba to access any and all system folders/files, not just the NTFS shares.
The Solution
So it’s back to googling and finally I run across a boolean to tell SELinux to allow Samba to share with FUSE using the following:
sudo setsebool -P samba_share_fusefs on
It turns out that FUSE is used to mount/read NTFS partitions (in Fedora at least) and requires its own security context type on the mounted NTFS files/folders. This may be something I should have known but it sure took a while to figure out and I couldn’t find a single obvious answer after a couple hours of searching. Hopefully someone else out there is having this problem and will find this awkward post helpful!
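The check below is an added example, not part of the original post: it reads a share's security context, names the narrowest fix described above, and warns when one of the system-wide samba_export_all_* booleans has been left on. The function names are hypothetical and the sample boolean states are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Extract the type (third field) from a context such as
# system_u:object_r:fusefs_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map a share directory's type to the narrowest fix the post describes.
narrowest_fix() {
    case "$1" in
        samba_share_t) echo "none" ;;                               # already labelled for Samba
        fusefs_t)      echo "setsebool -P samba_share_fusefs on" ;; # FUSE mount, chcon unsupported
        *)             echo "chcon -t samba_share_t" ;;             # ordinary filesystem
    esac
}

# Read getsebool-style lines ("name --> on|off") on stdin and print the
# system-wide export booleans that are switched on.
broad_booleans_on() {
    awk '$1 ~ /^samba_export_all_(ro|rw)$/ && $3 == "on" { print $1 }'
}

# $1 = security context of the share, $2 = getsebool output
audit_share() {
    ctx_type=$(context_type "$1")
    echo "type: $ctx_type"
    echo "fix:  $(narrowest_fix "$ctx_type")"
    printf '%s\n' "$2" | broad_booleans_on | while read -r name; do
        echo "warn: $name is on and covers all files; consider: setsebool -P $name off"
    done
}

# Constructed sample: the context shown in the post plus made-up boolean states.
SAMPLE_CONTEXT='system_u:object_r:fusefs_t:s0'
SAMPLE_BOOLEANS='samba_export_all_ro --> on
samba_export_all_rw --> off
samba_share_fusefs --> off'

audit_share "$SAMPLE_CONTEXT" "$SAMPLE_BOOLEANS"

# On a live system (assumes GNU stat and the SELinux utilities are installed):
#   audit_share "$(stat -c %C /files/Videos)" "$(getsebool -a | grep samba)"
```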
Be kind if you respond as I’m just brushing back up on Linux and this is my first shot at Fedora or SELinux.