On Tue, 2005-08-16 at 21:36 -0400, Daniel J Walsh wrote:
> Razvan Sandu wrote:
>
> > Hello,
> >
> > Thanks to all of you for your responses about /srv !
> >
> > Just one more detail, to be precise:
> > I don't want those files to be read/written by *anyone* (i.e.
> > anonymously), but just one predefined
> > group of users (/srv/project has sgid to that group, etc.).
> >
> > Should I still use the booleans you've mentioned ?
> >
> > Is there a piece of doc that contains a complete list of those SELinux
> > booleans, with detailed explanations about each one, in order to do
> > various such customizations ?
> >
> No, not yet. They are somewhat explained in ftpd_selinux.8. Having
> only one group access them is a DAC requirement. MAC will protect the
> files from other processes.

In other words, use standard Unix/Linux group permissions to handle that
requirement :-)

SELinux will restrict which processes can write to this data, regular
permissions will restrict which users can do so.

Paul.
--
Paul Howarth <paul@xxxxxxxxxxxx>
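
The DAC half of the split described in this thread, as an added example that is not part of the original messages: a shell audit that a group-shared tree such as /srv/project is owned by the project group, grants nothing to "other", and has setgid on every directory. The function names and the demo tree are constructed for illustration, and the caller's own GID stands in for the project group; SELinux labels are not examined here.

```shell
#!/bin/sh
# Added example: DAC audit for a group-shared tree (the /srv/project case above).
# The MAC side is separate; labels can be inspected with `ls -Zd DIR`.

# audit_group_dir DIR GROUP
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
audit_group_dir() {
    dir=$1; group=$2
    findings=$(
        # Anything not owned by the project group
        find "$dir" ! -group "$group" -exec printf 'wrong-group %s\n' {} \;
        # Any read/write/execute bit granted to "other"
        find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'world-access %s\n' {} \;
        # Directories without setgid: new files would not inherit the group
        find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_demo_tree: builds a constructed sample tree and prints its path.
# The caller's primary GID is an assumed stand-in for the project group.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/project" "$t/project/docs"
    chgrp -R "$(id -g)" "$t/project"
    chmod 2770 "$t/project" "$t/project/docs"   # rwxrws---: group only, setgid
    : > "$t/project/notes.txt"
    chmod 660 "$t/project/notes.txt"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
audit_group_dir "$demo/project" "$(id -g)" && echo "clean: $demo/project"
chmod o+rx "$demo/project/docs"                 # constructed mistake: world r-x
audit_group_dir "$demo/project" "$(id -g)" || echo "findings reported above"
rm -rf "$demo"
```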