[newbie] SELinux and the /srv directory

Paul Howarth paul at city-fan.org
Tue Aug 16 18:03:24 UTC 2005


On Tue, 2005-08-16 at 13:35 -0400, Daniel J Walsh wrote:
> Paul Howarth wrote:
> 
> > Razvan Sandu wrote:
> >
> >> Hello,
> >>
> >> Could you please help me solve the following matter regarding SELinux?
> >>
> >> For a project I have in my enterprise, I put some files under the 
> >> /srv directory (let's call it "/srv/project" - it includes a lot of 
> >> subdirectories too).
> >>
> >> I did so because I learned from the FHS that this is the correct 
> >> place where I should put the files a server will serve (?)
> >>
> >> I want these files available to some Unix group, read/write in common 
> >> for the users in that group. *They must be accessible through Samba as 
> >> well as through FTP*.
> >>
> >> Now when I do a touch /.autorelabel; reboot, SELinux marks files in 
> >> /srv/project as system_u,object_r,var_t and users get a "permission 
> >> denied" when accessing them (at least via Samba). To solve that, I 
> >> manually changed to system_u,object_r,home_user_t, but this is less 
> >> than optimal.
> >>
> >>
> >> Would you please tell me the following:
> >>
> >> - is /srv/project the correct (canonical) place to keep these common 
> >> read/write work files or should I put them to /var/ftp/pub or other 
> >> place?
> >
> >
> > Yes, it's the right place.
> >
> >> - what is the proper context such files should have ? Of course, I 
> >> don't want this context automatically modified each time I do an 
> >> automatic relabeling...
> >
> >
> > The current policy allows for this if you use the type ftpd_anon_rw_t 
> > for this data. There are then a set of booleans you can use to specify 
> > which daemons can write to this data:
> >
> > allow_ftpd_anon_write
> > allow_httpd_anon_write
> > allow_httpd_sys_script_anon_write
> > allow_rsync_anon_write
> > allow_smbd_anon_write
> >
> > So if you want to be able to write to these files using FTP and Samba, 
> > use:
> >
> > # setsebool -P allow_ftpd_anon_write 1
> > # setsebool -P allow_smbd_anon_write 1
> >
> >> - are specific policy rules/types necessary for the /srv directory 
> >> content ?
> >
> >
> > Yes; /srv is pretty well free-format so there are no predefined rules 
> > for it.
> >
> > Try creating /etc/selinux/targeted/contexts/files/file_contexts.local 
> > with the following entry:
> >
> > /srv/project(/.*)? system_u:object_r:ftpd_anon_rw_t
> >
> >> I think this should be of interest for many people - it's a 
> >> configuration for a standard fileserver...
> >
> >
> > That's what I thought too; until recently this facility wasn't available.
> >
> > Paul.
> >
> You do not need to add the line to file_contexts.local; since this is a 
> customizable type, a relabel should not change the context.

Thanks; I'd never come across a customizable type before.

How would new files created in such an area (e.g. using samba) be
labelled? Would they inherit the type of their parent directory, or
would the local rule be needed to handle that?

Paul.
-- 
Paul Howarth <paul at city-fan.org>
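To make the labelling discussion above concrete, here is an added example (not code from the list or from libselinux) that models how file_contexts entries decide a path's label at relabel time. It assumes the matching rule libselinux applies: each entry's regex is implicitly anchored at both ends, entries are tried from the last one backwards so the last matching entry wins, and file_contexts.local is appended after the policy's own file_contexts, which is why the local /srv/project entry overrides a more general /srv entry. The two-entry file_contexts fragment is constructed for the example; the var_t fallback for /srv and the ftpd_anon_rw_t entry are taken from the thread. This covers relabelling only: the label a newly created file gets is decided by the kernel at creation time (it inherits the parent directory's type unless a type_transition rule says otherwise), not by file_contexts.

```python
"""Model of how SELinux file_contexts entries label paths at relabel time.

Added example for the thread above; not code from the list or libselinux.
Assumes: regexes are anchored at both ends, the last matching entry wins,
and file_contexts.local entries come after the policy's own entries.
"""
import re
from typing import List, Optional, Sequence

# Constructed fragment: a generic policy entry for /srv (the thread reports
# that a relabel gives /srv/project the type var_t) followed by the entry
# Paul suggested for file_contexts.local.
FILE_CONTEXTS = """\
# policy entry (constructed for this example)
/srv(/.*)?               system_u:object_r:var_t
# entry from file_contexts.local, appended after the policy entries
/srv/project(/.*)?       system_u:object_r:ftpd_anon_rw_t
"""

# Booleans listed in the thread, keyed by the daemon each one covers.
ANON_WRITE_BOOLEANS = {
    "ftpd": "allow_ftpd_anon_write",
    "httpd": "allow_httpd_anon_write",
    "httpd_sys_script": "allow_httpd_sys_script_anon_write",
    "rsync": "allow_rsync_anon_write",
    "smbd": "allow_smbd_anon_write",
}

# regex, optional file-type field (-- regular file, -d directory, ...), context
SPEC_LINE = re.compile(r"^(\S+)(?:\s+(-[-bcdlps]))?\s+(\S+)$")


class Spec:
    """One file_contexts entry."""

    def __init__(self, regex: str, ftype: Optional[str], context: str):
        # libselinux anchors every file_contexts regex at both ends.
        self.regex = re.compile("^" + regex + "$")
        self.ftype = ftype[1] if ftype else None  # "-" regular, "d" directory
        self.context = context


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts-style lines, skipping blanks and comments."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_LINE.match(line)
        if m is None:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append(Spec(m.group(1), m.group(2), m.group(3)))
    return specs


def match_context(specs: Sequence[Spec], path: str,
                  is_dir: bool = False) -> Optional[str]:
    """Return the context a relabel would assign to path, or None when no
    entry matches (the object then keeps whatever label it already has)."""
    path = path.rstrip("/") or "/"
    kind = "d" if is_dir else "-"
    # Last matching entry wins, so walk the list backwards.
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != kind:
            continue
        if spec.regex.match(path):
            return None if spec.context == "<<none>>" else spec.context
    return None


def setsebool_commands(daemons: Sequence[str]) -> List[str]:
    """The setsebool -P commands that let the given daemons write to
    ftpd_anon_rw_t data, using the boolean names from the thread."""
    return ["setsebool -P %s 1" % ANON_WRITE_BOOLEANS[d] for d in daemons]


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/srv/project", "/srv/project/sub/report.doc",
              "/srv/projectx", "/etc/passwd"):
        print("%-30s %s" % (p, match_context(specs, p)))
    print("\n".join(setsebool_commands(["ftpd", "smbd"])))
```

The anchoring is the detail worth noticing: `/srv/project(/.*)?` matches /srv/project itself and everything below it, but /srv/projectx falls through to the generic /srv entry and gets var_t, so an unanchored-looking pattern does not leak onto sibling directories.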