Samba file server

Colin Walters walters at redhat.com
Fri Jan 7 20:52:27 UTC 2005


On Fri, 2005-01-07 at 13:29 -0700, Ivan Gyurdiev wrote:

> That sounds like a hack. This isn't a home directory so why
> should I label it as such. It's a bunch of common files.

Well, that's currently the type we use for data that users can modify.
It may be a bit weird given the name, but if from a security perspective
the files elsewhere are equivalent to the user's $HOME, then giving them
the same label makes sense.

> Part of the problem in my mind is that I do not know what
> the SElinux types are, which ones I need to do what I want,
> and how to add new ones to perform this simple task. 

Right; this is something that should definitely be documented somewhere.
Both the purpose of existing types, as well as how to add new ones for
specific purposes.

> Consider traditional UNIX permissions. There's a straightforward
> procedure for doing what I want. I create a group called data.
> I put whoever I want in it (user1, user2, user3, httpd..). Then 
> I chgrp /data with that. Nice and simple. 

Off-topic, but: you really want to use ACLs instead of groups; much
simpler than mucking about with groups.

> I forget what smbd does - I
> think it checks to see if the UNIX user that you're logged in with
> has access to that folder.

It uses setfsuid, IIRC.

> What's the SElinux equivalent? 

You create a new type:

type foodata_t, file_type, sysadmfile;

Then grant permissions from other domains to it:

r_dir_file(user1_t, foodata_t)
create_dir_file(user2_t, foodata_t)
create_dir_file(samba_t, foodata_t)
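The type declaration and the grants above only take effect once the share is actually labelled with the new type, so here is the complete set of pieces as an added example (not from the original post), in the same FC3-era monolithic policy macro style; the file names under the policy source tree, the /data share path and the policy-sources location are assumptions.

```selinux
# --- domains/misc/foodata.te (assumed file name) ---
# A dedicated type for the share, so that access to it is a separate
# policy decision from access to user_home_t.
type foodata_t, file_type, sysadmfile;

# user1 only needs to read; granting create_dir_file here would widen
# the policy beyond what that account does.
r_dir_file(user1_t, foodata_t)
# user2 and the Samba daemon create and modify files in the share.
create_dir_file(user2_t, foodata_t)
create_dir_file(samba_t, foodata_t)
# Nothing else is listed, so httpd_t and every other domain gets no
# access to foodata_t until a rule is added for it.

# --- file_contexts/misc/foodata.fc (assumed file name) ---
# Label the share and everything beneath it as foodata_t. Without this
# entry, files copied into /data keep the label of wherever they came
# from, and the rules above never apply to them.
/data(/.*)?    system_u:object_r:foodata_t

# --- commands (assumes the policy-sources tree is installed at
# /etc/selinux/targeted/src/policy, as on FC3) ---
# cd /etc/selinux/targeted/src/policy && make load
# restorecon -R -v /data
# ls -Z /data     # verify each entry now shows foodata_t
```

After relabelling, any remaining AVC denials in the system log name the exact domain and permission that still need a rule, which is a better guide than widening the grants up front.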
