SELinux + NTFS Samba share problem/workaround.

Alright, I have samba configured and running with selinux. I followed the tutorial listed here:

Shares mounted at /mnt/data work fine with selinux enabled.

The problem is that another SATA drive, which I have mounted at /media/MegaDisk (so that it will display in the FileManager sidebar), does not, even after configuring it the same way as in the tutorial.

This /media/MegaDisk shares fine with "setenforce 0" so smb.conf, firewall, et al are set up correctly. The problem appears to be isolated to selinux setup.

This drive is NTFS if that makes a difference.

When I run, for example:

sudo semanage fcontext -a -t samba_share_t  /media/MegaDisk/"Library(/.*)?"

the command appears to run and then drop back to the prompt. But following with:

sudo restorecon -R -v /media/MegaDisk/Library/

there are no context labels (which visibly scroll in the terminal for the /mnt/data shares and are also viewable in the FM properties).

So, the samba_share_t label is not being applied to any share on this drive for some reason. Yes I've searched.. and searched... and searched again... I'm probably missing something obvious which is eluding me in plain sight. The first drive was shared properly within minutes.. I've been dealing with the second for a couple of hours now.

Thanks in advance for any tips, pointers, prayers, animal sacrifices, protection spells, etc..

2 Answers

answered 2015-01-31 01:36:08 -0500

I had the same issue some time ago. Like the previous answer said, NTFS filesystems do not support SELINUX attributes. If you are automatically mounting the SATA drive at boot, it will appear in the fstab file. The solution (while keeping SELINUX enforcing) is to add the following to the SATA drive entry in the fstab file: context=system_u:object_r:samba_share_t:s0

You can use either the terminal with gedit or your favourite text-editor or the gnome-disks GUI. The samba share should work after remounting the drive.


This is a good one! Didn't think of this solution when posting my answer. (So this one should be marked as the correct answer instead of mine.)

Nice answer!

Yeah well, I can't take the credit. When I had the same issue, it took me some serious Googling to find the link I posted. It wasn't my solution but it worked for me.

yep, this rocks... much appreciated!
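
The fstab change from the answer above, as an added example that is not part of the original thread: a shell function that appends the context= option to the NTFS entry for a given mount point. The function name, the sample fstab and its UUID values are constructed for illustration.

```shell
#!/bin/sh
# Added example: read fstab text on stdin, write it to stdout with the SELinux
# context= mount option added to the NTFS entry for one mount point.

# Option value taken from the answer above.
SAMBA_CTX='context=system_u:object_r:samba_share_t:s0'

# Constructed sample fstab (UUIDs are placeholders, not from the thread).
SAMPLE_FSTAB='# constructed sample fstab
UUID=CONSTRUCTED-ROOT / ext4 defaults 1 1
UUID=CONSTRUCTED-DATA /mnt/data ext4 defaults 1 2
UUID=CONSTRUCTED-NTFS /media/MegaDisk ntfs-3g defaults 0 0'

# add_samba_context MOUNTPOINT  (hypothetical helper name)
add_samba_context() {
    awk -v mp="$1" -v ctx="$SAMBA_CTX" '
        # Comments and blank lines pass through untouched.
        /^[ \t]*(#|$)/ { print; next }
        # fstab fields: device, mount point, type, options, dump, pass.
        # Only NTFS entries are changed: filesystems that store labels
        # (ext4, xfs) are handled with semanage fcontext + restorecon.
        $2 == mp && $3 ~ /^ntfs/ && NF >= 4 {
            # Leave the entry alone if a context= option is already set,
            # so running the function twice does not duplicate it.
            if ($4 !~ /(^|,)context=/) {
                $4 = $4 "," ctx   # rebuilds the line with single spaces
            }
            print; next
        }
        { print }
    '
}

# Show the rewritten sample; on a real system, review the output before
# replacing /etc/fstab with it.
printf '%s\n' "$SAMPLE_FSTAB" | add_samba_context /media/MegaDisk
```

After the edited entry is in /etc/fstab and the drive has been mounted again, `ls -dZ /media/MegaDisk` should report samba_share_t for the mount point and everything below it.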

answered 2015-01-29 15:04:33 -0500

AFAIK you can't add SELinux contexts to an NTFS file system.

Thanks. That would explain it. I'm not yet familiar enough with settings, quirks, etc. Perhaps there's a workaround other than tossing it out completely with setenforce 0.

I think that semanage permissive -a smbd_t, i.e. don't police samba, is probably your second best option. Using a compatible filesystem is a better option.

That works well for this purpose. Yeah, a compatible filesystem would be the ideal solution. The combination of TB's of data and the "ahh.. god this is gonna take forever" factors make procrastination an attractive alternative. :-)

I'll edit the thread title to better reflect the situation.

