Sharing an NTFS partition with Samba and SELinux

Well, I just upgraded to Fedora 14 (64-bit) and decided to do things right this time. One of the most common answers I find when googling “Configuring Samba shares on Fedora” is “Disable SELinux.” That’s just plain lazy! So I decided to actually do a little research. Obviously you’ll need to change the specifics to match your setup.

The Initial Setup

-First-

Configure /etc/fstab to automount an NTFS partion by adding a line like this:

/dev/sdb1     /files     ntfs-3g     defaults     0    0
Then mount the partition by running the following command:
sudo mount -a

-Second-

Configure a Samba share by adding something like this to the end of /etc/samba/smb.conf:
[Videos]
path = /files/Videos
read only = yes
browseable = yes
guest ok = yes

Then restart Samba by running the following commands:
sudo service smb restart
sudo service nmb restart

-Third-

Configure the firewall by runnnig the following command:
system-config-firewall
Just check Samba and Samba Client under Trusted Services and clickApply.

The Problem

In my experience none of the above has been a problem.. and when I try to connect to the Samba share from a Windows PC I see the shared folder(s) but get an access denied error when trying to open the share.

Basic SELinux configuration isn’t that difficult. Right at the top of my smb.conf file it states:
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory

And chcon works great on regular files and directory I create but when I try tochcon anything in /files I get this error:
chcon: failed to change context of 'Videos' to 'system_u:object_r:samba_share_t:s0': Operation not supported
So to see the current security context of Videos I type:
ls -ldZ Videos
and get:
drwxrwxrwx. root root system_u:object_r:fusefs_t:s0 Videos
So at first it appears to be a system label problem and SELinux provides a way to get past that by running either:
sudo setsebool -P samba_export_all_ro on (read-only access)
sudo setsebool -P samba_export_all_rw on (read/write access)

This isn’t the most secure however as either of these would allow Samba to access any and all system folders/files, not just the NTFS shares.

The Solution

So it’s back to googling and finally I run accross a boolean to tell SELinux to allow Samba to share with FUSE using the following:
sudo setsebool -P samba_share_fusefs on
It turns out that FUSE is used to mount/read NTFS partitions (in Fedora at least) and requires it’s own security context type on the mounted NTFS files/folders. This may be something I should have known but it sure took a while to figure out and I couldn’t find a single obvious answer after a couple hours of searching. Hopefully someone else out there is having this problem and will find this akward post helpful!

Be kind if you respond as I’m just brushing back up on Linux and this is my first shot at Fedora or SELinux.

14 comments on “Sharing an NTFS partition with Samba and SELinux

  1. Scott says:

    Thanks pal — you are a legend. My primary server box (WHS v1) borked on the infamous acpitabl.dat hang, so am doing a bit of resuscitation using my (somewhat experimental) fedora 15 back up box.

    Anyways, long story short — this command made the files on ntfs disk visible.

    For anyone trying this command — it takes a minute to run, but don’t panic — it works.

    Lastly — WHS has broken one too many times (like at least 4 fails requiring sketchy bare metal reinstalls in 5 or 6 years of service) — so enough — primary and back up boxes will both be fedora.

    Thanks again for the post — everyone from the 5 year old to the wife has been complaining the house down.

  2. Carlos says:

    Thank you, thank you, thank you! Spent a few hours searching for a solution, and finally came across your post. Exactly what I needed to get my NTFS drive working with Samba.

    All the search results point to changing the context, which doesn’t seem to be supported for NTFS mounts.

    Awesome! Thanks again!

  3. jvalenzo says:

    Nice!!!

    The only solution for my problem, thank you very much!!

  4. Marco says:

    Thank you!!! Was searching for days in the jungle of solutions, this worked, awesome!!!

  5. adav84 says:

    thank you so much! It works!

  6. Seb says:

    this is it ! thank you very much, i can move and create folders within my shared drive

  7. Adam says:

    Thank you for this! It is little things like that which bug me with Linux. I have been using Linux since 1997 both at home and work and really like the freedom that comes with it. At the same time though… without this specific info I would have never got it working.

    setsebool -P samba_share_fusefs on

    That is the part I needed.

    • Silas says:

      Linux is amazing but sometimes it can be frustrating. I’ve definitely found little gems like this through other peoples blogs and I’m glad I was in turn able to help you!

  8. tariq says:

    Hey thanks a lot. It worked for me. Thanks again!!

  9. Juan says:

    This solved my problem, thx!

Leave a Reply to Marco Cancel reply

Your email address will not be published. Required fields are marked *