[newbie] SELinux and the /srv directory

Daniel J Walsh dwalsh at redhat.com
Wed Aug 17 01:34:24 UTC 2005


Paul Howarth wrote:

>On Tue, 2005-08-16 at 13:35 -0400, Daniel J Walsh wrote:
>
>>Paul Howarth wrote:
>>
>>>Razvan Sandu wrote:
>>>
>>>>Hello,
>>>>
>>>>Could you please help me solve the following matter regarding SELinux?
>>>>
>>>>For a project I have in my enterprise, I put some files under the 
>>>>/srv directory (let's call it "/srv/project" - it includes a lot of 
>>>>subdirectories too).
>>>>
>>>>I did so because I learned from the FHS that this is the correct 
>>>>place where I should put the files a server will serve (?)
>>>>
>>>>I want these files available to some Unix group, read/write in common 
>>>>for the users in that group. *They must be accessible through Samba as 
>>>>well as through FTP*.
>>>>
>>>>Now when I do a touch /.autorelabel; reboot, SELinux marks files in 
>>>>/srv/project as system_u,object_r,var_t and users get a "permission 
>>>>denied" when accessing them (at least via Samba). To solve that, I 
>>>>manually changed to system_u,object_r,home_user_t, but this is less 
>>>>than optimal.
>>>>
>>>>
>>>>Would you please tell me the following:
>>>>
>>>>- is /srv/project the correct (canonical) place to keep these common 
>>>>read/write work files or should I put them to /var/ftp/pub or other 
>>>>place?
>>>>
>>>Yes, it's the right place.
>>>
>>>>- what is the proper context such files should have? Of course, I 
>>>>don't want this context automatically modified each time I do an 
>>>>automatic relabeling...
>>>>
>>>The current policy allows for this if you use the type ftpd_anon_rw_t 
>>>for this data. There are then a set of booleans you can use to specify 
>>>which daemons can write to this data:
>>>
>>>allow_ftpd_anon_write
>>>allow_httpd_anon_write
>>>allow_httpd_sys_script_anon_write
>>>allow_rsync_anon_write
>>>allow_smbd_anon_write
>>>
>>>So if you want to be able to write to these files using FTP and Samba, 
>>>use:
>>>
>>># setsebool -P allow_ftpd_anon_write 1
>>># setsebool -P allow_smbd_anon_write 1
>>>
>>>
>>>>- are specific policy rules/types necessary for the /srv directory 
>>>>content?
>>>>
>>>Yes; /srv is pretty well free-format so there are no predefined rules 
>>>for it.
>>>
>>>Try creating /etc/selinux/targeted/contexts/files/file_contexts.local 
>>>with the following entry:
>>>
>>>/srv/project(/.*)? system_u:object_r:ftpd_anon_rw_t
>>>
>>>
>>>>I think this should be of interest for many people - it's a 
>>>>configuration for a standard fileserver...
>>>>
>>>That's what I thought too; until recently this facility wasn't available.
>>>
>>>Paul.
>>>
>>>
>>You do not need to add the line to file_contexts.local, since this is a 
>>customizable type, a relabel should not change the context.
>>
>
>Thanks; I'd never come across a customizable type before.
>
>How would new files created in such an area (e.g. using samba) be
>labelled? Would they inherit the type of their parent directory, or
>would the local rule be needed to handle that?
>
>Paul.
>
They inherit the directory.

-- 
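The thread turns on three labelling rules: a relabel assigns each path the context of the last file_contexts spec that matches it (which is why an entry appended in file_contexts.local overrides the distribution's `/srv(/.*)?` rule), restorecon leaves files alone whose current type is in customizable_types (Dan's point), and new files inherit their parent directory's label. The following is an added example, not code from the thread or from libselinux: a simplified Python model of those rules run over a constructed file_contexts table. The table contents, the `BASE_CONTEXTS`/`LOCAL_CONTEXTS` split and the one-entry `CUSTOMIZABLE_TYPES` set are all constructed for illustration; on a real system the authoritative answers come from `matchpathcon` and `restorecon -nv`.

```python
import re

# Constructed sample tables in file_contexts syntax. BASE_CONTEXTS stands in
# for the distribution's file_contexts; LOCAL_CONTEXTS is the single
# file_contexts.local entry proposed in the thread.
BASE_CONTEXTS = """
/.*                      system_u:object_r:default_t
/srv(/.*)?               system_u:object_r:var_t
/var/ftp(/.*)?           system_u:object_r:public_content_t
"""

LOCAL_CONTEXTS = """
/srv/project(/.*)?       system_u:object_r:ftpd_anon_rw_t
"""

# Constructed stand-in for contexts/files/customizable_types (assumption: the
# real file on the system is the one that decides which types restorecon skips).
CUSTOMIZABLE_TYPES = {"ftpd_anon_rw_t"}


def parse_file_contexts(*tables):
    """Return (compiled regex, context) pairs in file order, later tables last.

    libselinux anchors every spec at both ends, so '/srv(/.*)?' matches '/srv'
    and everything below it but not '/srvfoo'. A spec may carry an optional
    file-type field (e.g. '-d') between the regex and the context; it is
    ignored here.
    """
    entries = []
    for table in tables:
        for line in table.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            regex, context = fields[0], fields[-1]
            entries.append((re.compile("^(?:" + regex + ")$"), context))
    return entries


def match_context(entries, path):
    """Label a path the way a relabel would: the last matching spec wins,
    which is why a line appended via file_contexts.local overrides the
    broader /srv rule from the base table."""
    result = None
    for rx, ctx in entries:
        if rx.match(path):
            result = ctx
    return result


def relabel(entries, path, current_ctx):
    """Model one restorecon pass over a file that already carries a label.

    A file whose current type is customizable is skipped, so a manually set
    ftpd_anon_rw_t survives even with no matching spec; any other type is
    reset to whatever the table says for the path.
    """
    current_type = current_ctx.split(":")[2]
    if current_type in CUSTOMIZABLE_TYPES:
        return current_ctx
    return match_context(entries, path)


def create_in(parent_ctx):
    """A new file created by samba or ftpd under a directory gets the
    directory's label (no type_transition rule is modelled here)."""
    return parent_ctx


if __name__ == "__main__":
    base = parse_file_contexts(BASE_CONTEXTS)
    full = parse_file_contexts(BASE_CONTEXTS, LOCAL_CONTEXTS)
    path = "/srv/project/docs/report.txt"
    print("base table  :", match_context(base, path))   # var_t, the problem
    print("with local  :", match_context(full, path))   # ftpd_anon_rw_t
    print("relabel keeps customizable type:",
          relabel(base, path, "system_u:object_r:ftpd_anon_rw_t"))
    print("relabel resets home_user_t    :",
          relabel(base, path, "system_u:object_r:home_user_t"))
    print("new file in dir:", create_in(match_context(full, "/srv/project")))
```

The two `relabel` calls show the difference between Razvan's workaround and Dan's answer: a hand-applied `home_user_t` is wiped back to `var_t` by the next autorelabel because it is not customizable, whereas `ftpd_anon_rw_t` survives with or without the local entry.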