[newbie] SELinux and the /srv directory

Paul Howarth paul at city-fan.org
Tue Aug 16 09:10:12 UTC 2005


Razvan Sandu wrote:
> Hello,
> 
> Could you please help me solve the following matter regarding SELinux ?
> 
> For a project I have in my enterprise, I put some files under the /srv 
> directory (let's call it "/srv/project" - it includes a lot of 
> subdirectories too).
> 
> I did so because I learned from the FHS that this is the correct place 
> where I should put the files a server will serve (?)
> 
> I want these files available to some Unix group, read/write in common 
> for the users in that group. *They must be accessible through Samba as 
> well as through FTP*.
> 
> Now when I do a touch /.autorelabel; reboot, SELinux marks files in 
> /srv/project as system_u,object_r,var_t and users get a "permission 
> denied" when accessing them (at least via Samba). To solve that, I 
> manually changed to system_u,object_r,home_user_t, but this is less than 
> optimal.
> 
> 
> Would you please tell me the following:
> 
> - is /srv/project the correct (canonical) place to keep these common 
> read/write work files or should I put them to /var/ftp/pub or other place ?

Yes, it's the right place.

> - what is the proper context such files should have ? Of course, I don't 
> want this context automatically modified each time I do an automatic 
> relabeling...

The current policy allows for this if you use the type ftpd_anon_rw_t 
for this data. There are then a set of booleans you can use to specify 
which daemons can write to this data:

allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon_write
allow_rsync_anon_write
allow_smbd_anon_write

So if you want to be able to write to these files using FTP and Samba, use:

# setsebool -P allow_ftpd_anon_write 1
# setsebool -P allow_smbd_anon_write 1

> - are specific policy rules/types necessary for the /srv directory 
> content ?

Yes; /srv is pretty well free-format so there are no predefined rules 
for it.

Try creating /etc/selinux/targeted/contexts/files/file_contexts.local 
with the following entry:

/srv/project(/.*)? system_u:object_r:ftpd_anon_rw_t

> I think this should be of interest for many people - it's a 
> configuration for a standard fileserver...

That's what I thought too; until recently this facility wasn't available.

Paul.
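
The steps from the reply above (the file_contexts.local entry, the two
booleans, and a relabel) collected into one script, as an added example that
is not part of the original thread. It assumes the targeted-policy paths and
the type and boolean names given in the reply (newer policies may name the
booleans differently; confirm with `getsebool -a`); the function names are
this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: label /srv/project as
# ftpd_anon_rw_t via file_contexts.local, enable the FTP and Samba write
# booleans named in the reply, and relabel the tree in place.
# Assumptions: targeted policy; type and boolean names as in the reply
# (newer policies may name the booleans differently: check getsebool -a);
# function names are this example's own.

PROJECT_DIR="${PROJECT_DIR:-/srv/project}"
LOCAL_CTX="${LOCAL_CTX:-/etc/selinux/targeted/contexts/files/file_contexts.local}"
RW_TYPE="${RW_TYPE:-ftpd_anon_rw_t}"

# Build the file_contexts entry for a directory tree. The (/.*)? suffix
# matches the directory itself and everything below it.
ctx_entry() {
    printf '%s(/.*)? system_u:object_r:%s\n' "$1" "$2"
}

# Check whether a path is covered by a file_contexts regex. setfiles
# anchors the pattern at both ends, so grep -x is used to do the same.
ctx_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Append the entry unless an identical line is already present, so
# re-running the script does not duplicate it.
install_entry() {
    entry="$(ctx_entry "$PROJECT_DIR" "$RW_TYPE")"
    if [ -f "$LOCAL_CTX" ] && grep -Fqx -- "$entry" "$LOCAL_CTX"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$LOCAL_CTX"
}

# Let ftpd and smbd write to ftpd_anon_rw_t data; -P makes it persistent.
enable_booleans() {
    for b in allow_ftpd_anon_write allow_smbd_anon_write; do
        setsebool -P "$b" 1 || return 1
    done
}

# Relabel only this tree from file_contexts (no /.autorelabel reboot)
# and show what came out.
relabel_and_check() {
    restorecon -Rv "$PROJECT_DIR"
    ls -dZ "$PROJECT_DIR"
    getsebool allow_ftpd_anon_write allow_smbd_anon_write
}

# Run as: sh thisscript.sh apply   (as root on the SELinux host)
if [ "${1:-}" = "apply" ]; then
    install_entry && enable_booleans && relabel_and_check
fi
```

Because the entry lives in file_contexts.local rather than in the policy's
own file_contexts, it survives a policy package update and is picked up by
both `restorecon` and a `/.autorelabel` reboot. On systems that ship
`semanage`, `semanage fcontext -a -t ftpd_anon_rw_t "/srv/project(/.*)?"`
writes the same line to the same file.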
