[newbie] SELinux and the /srv directory
Daniel J Walsh
dwalsh at redhat.com
Wed Aug 17 01:34:24 UTC 2005
Paul Howarth wrote:
>On Tue, 2005-08-16 at 13:35 -0400, Daniel J Walsh wrote:
>
>
>>Paul Howarth wrote:
>>
>>
>>
>>>Razvan Sandu wrote:
>>>
>>>
>>>
>>>>Hello,
>>>>
>>>>Could you please help me solve the following matter regarding SELinux ?
>>>>
>>>>For a project I have in my enterprise, I put some files under the
>>>>/srv directory (let's call it "/srv/project" - it includes a lot of
>>>>subdirectories too).
>>>>
>>>>I did so because I learned from the FHS that this is the correct
>>>>place where I should put the files a server will serve (?)
>>>>
>>>>I want these files available to some Unix group, read/write in common
>>>>for the users in that group. *They must be accesible through Samba as
>>>>well as through FTP*.
>>>>
>>>>Now when I do a touch /.autorelabel; reboot, SELinux marks files in
>>>>/srv/project as system_u,object_r,var_t and users get a "permission
>>>>denied" when accesing them (at least via Samba). To solve that, I
>>>>manually changed to system_u,object_r,home_user_t, but this is less
>>>>than optimal.
>>>>
>>>>
>>>>Would you please tell me the following:
>>>>
>>>>- is /srv/project the correct (canonical) place to keep these common
>>>>read/write work files or should I put them to /var/ftp/pub or other
>>>>place ?
>>>>
>>>>
>>>Yes, it's the right place.
>>>
>>>
>>>
>>>>- what is the proper context such files should have ? Of course, I
>>>>don't want this context automatically modified each time I do an
>>>>automatic relabeling...
>>>>
>>>>
>>>The current policy allows for this if you use the type ftpd_anon_rw_t
>>>for this data. There are then a set of booleans you can use to specify
>>>which daemons can write to this data:
>>>
>>>allow_ftpd_anon_write
>>>allow_httpd_anon_write
>>>allow_httpd_sys_script_anon_write
>>>allow_rsync_anon_write
>>>allow_smbd_anon_write
>>>
>>>So if you want to be able to write to these files using FTP and Samba,
>>>use:
>>>
>>># setsebool -P allow_ftpd_anon_write 1
>>># setsebool -P allow_smbd_anon_write 1
>>>
>>>
>>>
>>>>- are specific policy rules/types necessary for the /srv directory
>>>>content ?
>>>>
>>>>
>>>Yes; /srv is pretty well free-format so there are no predefined rules
>>>for it.
>>>
>>>Try creating /etc/selinux/targeted/contexts/files/file_contexts.local
>>>with the following entry:
>>>
>>>/srv/project(/.*)? system_u:object_r:ftpd_anon_rw_t
>>>
>>>
>>>
>>>>I think this should be of interest for many people - it's a
>>>>configuration for a standard fileserver...
>>>>
>>>>
>>>That's what I thought too; until recently this facility wasn't available.
>>>
>>>Paul.
>>>
>>>
>>>
>>You do not need to add the line to file_contexts.local, since this is a
>>customizable type, a relabel should not change the context.
>>
>>
>
>Thanks; I'd never come across a customizable type before.
>
>How would new files created in such an area (e.g. using samba) be
>labelled? Would they inherit the type of their parent directory, or
>would the local rule be needed to handle that?
>
>Paul.
>
>
They inherit the directory.
--
More information about the fedora-list
mailing list