Paul Howarth wrote:
On Tue, 2005-08-16 at 13:35 -0400, Daniel J Walsh wrote:
Paul Howarth wrote:
Razvan Sandu wrote:
Hello,
Could you please help me solve the following matter regarding SELinux?
For a project I have in my enterprise, I put some files under the
/srv directory (let's call it "/srv/project" - it includes a lot of
subdirectories too).
I did so because I learned from the FHS that this is the correct
place where I should put the files a server will serve (?)
I want these files available to some Unix group, read/write in common
for the users in that group. *They must be accessible through Samba as
well as through FTP*.
Now when I do a touch /.autorelabel; reboot, SELinux marks files in
/srv/project as system_u,object_r,var_t and users get a "permission
denied" when accessing them (at least via Samba). To solve that, I
manually changed to system_u,object_r,home_user_t, but this is less
than optimal.
Would you please tell me the following:
- is /srv/project the correct (canonical) place to keep these common
read/write work files or should I put them to /var/ftp/pub or other
place?
Yes, it's the right place.
- what is the proper context such files should have ? Of course, I
don't want this context automatically modified each time I do an
automatic relabeling...
The current policy allows for this if you use the type ftpd_anon_rw_t
for this data. There are then a set of booleans you can use to specify
which daemons can write to this data:
allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon_write
allow_rsync_anon_write
allow_smbd_anon_write
So if you want to be able to write to these files using FTP and Samba,
use:
# setsebool -P allow_ftpd_anon_write 1
# setsebool -P allow_smbd_anon_write 1
- are specific policy rules/types necessary for the /srv directory
content ?
Yes; /srv is pretty well free-format so there are no predefined rules
for it.
Try creating /etc/selinux/targeted/contexts/files/file_contexts.local
with the following entry:
/srv/project(/.*)? system_u:object_r:ftpd_anon_rw_t
I think this should be of interest for many people - it's a
configuration for a standard fileserver...
That's what I thought too; until recently this facility wasn't available.
Paul.
You do not need to add the line to file_contexts.local; since this is a
customizable type, a relabel should not change the context.
Thanks; I'd never come across a customizable type before.
How would new files created in such an area (e.g. using samba) be
labelled? Would they inherit the type of their parent directory, or
would the local rule be needed to handle that?
Paul.
They inherit the directory.
--
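An added example, not code from anyone in this thread, that models the three pieces discussed above so they can be reasoned about offline: how a file_contexts entry such as /srv/project(/.*)? is matched against paths on relabel, which daemons the allow_*_anon_write booleans let write to ftpd_anon_rw_t, and a "what would a relabel change" check over constructed ls -Z output (the real check is restorecon -n -R -v /srv/project). The base /srv entry, the sample listing and the "last matching entry wins" ordering rule are assumptions made for the example, not taken from the thread; new files are not covered by the matcher because, as the last reply says, they simply inherit the directory's context.

```python
"""Model of the SELinux labelling discussed in the thread (added example)."""
import re

# Constructed file_contexts specs: an assumed generic /srv entry plus the
# /srv/project entry proposed in the thread.  libselinux anchors each regex
# to the whole path, and when several entries match the LAST one wins; that
# is why an entry appended via file_contexts.local overrides the base file.
FILE_CONTEXTS = [
    (r"/srv(/.*)?", "system_u:object_r:var_t"),
    (r"/srv/project(/.*)?", "system_u:object_r:ftpd_anon_rw_t"),
]

# Booleans named in the thread and the daemon each one grants write access for.
ANON_WRITE_BOOLEANS = {
    "allow_ftpd_anon_write": "ftpd",
    "allow_httpd_anon_write": "httpd",
    "allow_httpd_sys_script_anon_write": "httpd_sys_script",
    "allow_rsync_anon_write": "rsync",
    "allow_smbd_anon_write": "smbd",
}

# Constructed ls -Z style listing (mode user group context path): the
# state Razvan described after manually relabelling /srv/project.
SAMPLE_LS_Z = """\
drwxrwx--- razvan project system_u:object_r:home_user_t /srv/project
-rw-rw---- razvan project system_u:object_r:home_user_t /srv/project/report.odt
drwxrwx--- razvan project system_u:object_r:home_user_t /srv/project/drafts
drwxr-xr-x root    root    system_u:object_r:var_t /srv/other
"""


def label_for(path, specs=FILE_CONTEXTS):
    """Context a relabel (restorecon / autorelabel) would assign to path.

    Every spec is matched against the full path; the last match wins.
    Returns None when no entry matches.
    """
    winner = None
    for regex, context in specs:
        if re.fullmatch(regex, path):
            winner = context
    return winner


def type_of(context):
    """The type field of a user:role:type context string."""
    return context.split(":")[2]


def parse_ls_z(text):
    """Parse constructed ls -Z lines into (path, context) pairs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _mode, _user, _group, context, path = line.split()
        entries.append((path, context))
    return entries


def relabel_drift(text, specs=FILE_CONTEXTS):
    """Paths whose current context a relabel would change.

    Returns {path: (current_context, context_after_relabel)}; paths that
    already carry the expected context, or match no spec, are omitted.
    """
    drift = {}
    for path, context in parse_ls_z(text):
        expected = label_for(path, specs)
        if expected is not None and expected != context:
            drift[path] = (context, expected)
    return drift


def writers(booleans):
    """Daemons allowed to write ftpd_anon_rw_t data for a setsebool state.

    booleans maps boolean name -> True/False, as `getsebool -a` would report.
    """
    return sorted(
        daemon
        for name, daemon in ANON_WRITE_BOOLEANS.items()
        if booleans.get(name, False)
    )


if __name__ == "__main__":
    # Without the local entry: everything under /srv/project reverts to var_t.
    for path, (cur, new) in relabel_drift(SAMPLE_LS_Z, FILE_CONTEXTS[:1]).items():
        print(f"{path}: {type_of(cur)} -> {type_of(new)}")
    # With it: the tree becomes ftpd_anon_rw_t, writable by the enabled daemons.
    print(writers({"allow_ftpd_anon_write": True, "allow_smbd_anon_write": True}))
```

Running the block prints the drift a plain relabel would cause on the sample tree and then `['ftpd', 'smbd']` for the two booleans the thread enables; note that /srv/project2 would stay var_t, because the optional `(/.*)?` group only admits a slash-separated suffix, not an arbitrary continuation of the name.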