Paul Howarth wrote:
Razvan Sandu wrote:
Hello,
Could you please help me solve the following matter regarding SELinux ?
For a project I have in my enterprise, I put some files under the
/srv directory (let's call it "/srv/project" - it includes a lot of
subdirectories too).
I did so because I learned from the FHS that this is the correct
place where I should put the files a server will serve (?)
I want these files available to some Unix group, read/write in common
for the users in that group. *They must be accessible through Samba as
well as through FTP*.
Now when I do a touch /.autorelabel; reboot, SELinux marks files in
/srv/project as system_u,object_r,var_t and users get a "permission
denied" when accessing them (at least via Samba). To solve that, I
manually changed to system_u,object_r,home_user_t, but this is less
than optimal.
Would you please tell me the following:
- is /srv/project the correct (canonical) place to keep these common
read/write work files or should I put them to /var/ftp/pub or other
place ?
Yes, it's the right place.
- what is the proper context such files should have ? Of course, I
don't want this context automatically modified each time I do an
automatic relabeling...
The current policy allows for this if you use the type ftpd_anon_rw_t
for this data. There are then a set of booleans you can use to specify
which daemons can write to this data:
allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon_write
allow_rsync_anon_write
allow_smbd_anon_write
So if you want to be able to write to these files using FTP and Samba,
use:
# setsebool -P allow_ftpd_anon_write 1
# setsebool -P allow_smbd_anon_write 1
- are specific policy rules/types necessary for the /srv directory
content ?
Yes; /srv is pretty well free-format so there are no predefined rules
for it.
Try creating /etc/selinux/targeted/contexts/files/file_contexts.local
with the following entry:
/srv/project(/.*)? system_u:object_r:ftpd_anon_rw_t
I think this should be of interest for many people - it's a
configuration for a standard fileserver...
That's what I thought too; until recently this facility wasn't available.
Paul.
You do not need to add the line to file_contexts.local, since this is a
customizable type, a relabel should not change the context.
Dan
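As an added example that is not part of the thread, a small POSIX shell script that generates the file_contexts.local entry Paul suggested, audits the labels under the tree from `find -printf '%Z %p'` output, checks Dan's point that the type is listed in customizable_types, and applies the same semanage/setsebool steps. The `semanage` path, the `:s0` MCS suffix, and the boolean names (newer policies rename them to ftpd_anon_write/smbd_anon_write) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a targeted policy that
# defines ftpd_anon_rw_t and the boolean names quoted by Paul.
SRV_PATH="/srv/project"
WANT_TYPE="ftpd_anon_rw_t"

# Build the file_contexts.local entry for a path: the regex covers the
# directory itself and everything beneath it. The :s0 suffix is an
# assumption for an MCS-enabled targeted policy.
fcontext_line() {
    printf '%s(/.*)?\tsystem_u:object_r:%s:s0\n' "$1" "$2"
}

# Audit lines of the form "<context> <path>" (as produced by
# find "$SRV_PATH" -printf '%Z %p\n') on stdin. Prints every path whose
# type field is not the expected one; returns 1 if any were found.
audit_labels() {
    awk -v want="$1" '
        { split($1, ctx, ":")
          if (ctx[3] != want) { print substr($0, index($0, " ") + 1); bad = 1 } }
        END { exit bad ? 1 : 0 }'
}

# Dan's point: a customizable type survives /.autorelabel, so confirm the
# type really is listed before relying on that behaviour.
is_customizable() {
    grep -qx "$1" /etc/selinux/targeted/contexts/customizable_types
}

# Apply the configuration on a real host (root and policycoreutils needed).
apply_config() {
    semanage fcontext -a -t "$WANT_TYPE" "${SRV_PATH}(/.*)?"
    restorecon -Rv "$SRV_PATH"
    setsebool -P allow_ftpd_anon_write 1
    setsebool -P allow_smbd_anon_write 1
    # Re-check the tree; any path printed here is still mislabelled.
    find "$SRV_PATH" -printf '%Z %p\n' | audit_labels "$WANT_TYPE"
}

# Only touch the system when explicitly asked: ./script.sh apply
case "${1:-}" in
    apply) apply_config ;;
esac
```

Run the audit alone with `find /srv/project -printf '%Z %p\n' | audit_labels ftpd_anon_rw_t` after a relabel to confirm nothing reverted to var_t.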