[newbie] SELinux and the /srv directory

Daniel J Walsh dwalsh at redhat.com
Tue Aug 16 17:35:04 UTC 2005


Paul Howarth wrote:

> Razvan Sandu wrote:
>
>> Hello,
>>
>> Could you please help me solve the following matter regarding SELinux ?
>>
>> For a project I have in my enterprise, I put some files under the 
>> /srv directory (let's call it "/srv/project" - it includes a lot of 
>> subdirectories too).
>>
>> I did so because I learned from the FHS that this is the correct 
>> place where I should put the files a server will serve (?)
>>
>> I want these files available to some Unix group, read/write in common 
>> for the users in that group. *They must be accessible through Samba as 
>> well as through FTP*.
>>
>> Now when I do a touch /.autorelabel; reboot, SELinux marks files in 
>> /srv/project as system_u,object_r,var_t and users get a "permission 
>> denied" when accessing them (at least via Samba). To solve that, I 
>> manually changed to system_u,object_r,home_user_t, but this is less 
>> than optimal.
>>
>>
>> Would you please tell me the following:
>>
>> - is /srv/project the correct (canonical) place to keep these common 
>> read/write work files or should I put them to /var/ftp/pub or other 
>> place ?
>
>
> Yes, it's the right place.
>
>> - what is the proper context such files should have ? Of course, I 
>> don't want this context automatically modified each time I do an 
>> automatic relabeling...
>
>
> The current policy allows for this if you use the type ftpd_anon_rw_t 
> for this data. There are then a set of booleans you can use to specify 
> which daemons can write to this data:
>
> allow_ftpd_anon_write
> allow_httpd_anon_write
> allow_httpd_sys_script_anon_write
> allow_rsync_anon_write
> allow_smbd_anon_write
>
> So if you want to be able to write to these files using FTP and Samba, 
> use:
>
> # setsebool -P allow_ftpd_anon_write 1
> # setsebool -P allow_smbd_anon_write 1
>
>> - are specific policy rules/types necessary for the /srv directory 
>> content ?
>
>
> Yes; /srv is pretty well free-format so there are no predefined rules 
> for it.
>
> Try creating /etc/selinux/targeted/contexts/files/file_contexts.local 
> with the following entry:
>
> /srv/project(/.*)? system_u:object_r:ftpd_anon_rw_t
>
>> I think this should be of interest for many people - it's a 
>> configuration for a standard fileserver...
>
>
> That's what I thought too; until recently this facility wasn't available.
>
> Paul.
>
You do not need to add the line to file_contexts.local; since this is a 
customizable type, a relabel should not change the context.

Dan
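
The procedure Paul describes (label the tree with ftpd_anon_rw_t, then open the
per-daemon *_anon_write booleans), as an added shell example that is not part of
the thread or of the Fedora policy itself. It assumes a targeted policy where
semanage(8) is available (from policycoreutils), and uses `semanage fcontext`
as the persistent equivalent of the file_contexts.local entry quoted above; on
later policies the same type is named public_content_rw_t and the booleans
carry the same names without the allow_ prefix, so pass those names instead.
The function names, the DRY_RUN switch and the daemon-to-boolean table are this
example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: make a shared /srv tree writable
# through FTP and Samba under SELinux, using the type and booleans quoted above.
# Assumes semanage(8), restorecon(8) and setsebool(8) exist on the host.
# DRY_RUN=1 prints the commands instead of running them (needs no root).

: "${DRY_RUN:=0}"

# run CMD... : execute CMD, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bool_for DAEMON : map a daemon name to the boolean that lets it write
# to anon-rw data (names as listed in the thread; later policy drops allow_)
bool_for() {
    case "$1" in
        ftpd)             echo allow_ftpd_anon_write ;;
        smbd)             echo allow_smbd_anon_write ;;
        httpd)            echo allow_httpd_anon_write ;;
        httpd_sys_script) echo allow_httpd_sys_script_anon_write ;;
        rsync)            echo allow_rsync_anon_write ;;
        *) echo "bool_for: unknown daemon '$1'" >&2; return 1 ;;
    esac
}

# fcontext_spec DIR : the file_contexts regex covering DIR and everything below it
fcontext_spec() {
    printf '%s(/.*)?' "$1"
}

# label_share DIR TYPE DAEMON... : persist the label, apply it, open the booleans.
# Persisting the rule means restorecon/.autorelabel keep the type even when
# a forced relabel (-F) would otherwise reset a customizable type.
label_share() {
    dir=$1; type=$2; shift 2
    spec=$(fcontext_spec "$dir")
    run semanage fcontext -a -t "$type" "$spec"
    run restorecon -R -v "$dir"
    for d in "$@"; do
        b=$(bool_for "$d") || return 1
        run setsebool -P "$b" 1
    done
}

# Usage (as root on the real host):
#   label_share /srv/project ftpd_anon_rw_t ftpd smbd
# Preview first with:
#   DRY_RUN=1 label_share /srv/project ftpd_anon_rw_t ftpd smbd
```

After running it, confirm the result with `ls -dZ /srv/project` (the type
field should read ftpd_anon_rw_t) and `getsebool allow_ftpd_anon_write
allow_smbd_anon_write`; only the daemons whose booleans are on get write
access, so leave httpd and rsync off unless they actually need to write there.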
