Samba file server
Colin Walters
walters at redhat.com
Fri Jan 7 20:52:27 UTC 2005
On Fri, 2005-01-07 at 13:29 -0700, Ivan Gyurdiev wrote:
> That sounds like a hack. This isn't a home directory so why
> should I label it as such. It's a bunch of common files.
Well, that's currently the type we use for data that users can modify.
It may be a bit weird given the name, but if from a security perspective
the files elsewhere are equivalent to the user's $HOME, then giving them
the same label makes sense.
> Part of the problem in my mind is that I do not know what
> the SELinux types are, which ones I need to do what I want,
> and how to add new ones to perform this simple task.
Right; this is something that should definitely be documented somewhere.
Both the purpose of existing types, as well as how to add new ones for
specific purposes.
> Consider traditional UNIX permissions. There's a straightforward
> procedure for doing what I want. I create a group called data.
> I put whoever I want in it (user1, user2, user3, httpd..). Then
> I chgrp /data with that. Nice and simple.
Off-topic, but: you really want to use ACLs instead of groups; much
simpler than mucking about with groups.
> I forget what smbd does - I
> think it checks to see if the UNIX user that you're logged in with
> has access to that folder.
It uses setfsuid, IIRC.
> What's the SELinux equivalent?
You create a new type:
    type foodata_t, file_type, sysadmfile;
Then grant permissions from other domains to it:
    r_dir_file(user1_t, foodata_t)
    create_dir_file(user2_t, foodata_t)
    create_dir_file(samba_t, foodata_t)
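
The same approach written as a loadable module for the current reference policy, as an added example that is not part of the original message. It uses reference-policy interfaces rather than the macros shown above; the module name, the choice of smbd_t and httpd_t as the accessing domains, and the read-write versus read-only split are assumptions.

```selinux
# foodata.te: added example, not from the original post.
# Assumes a system with the reference policy development files installed.
policy_module(foodata, 1.0.0)

# New type for the shared tree, declared as a file type so that
# generic file-handling rules (relabeling, admin access) apply to it.
type foodata_t;
files_type(foodata_t)

# Domains defined elsewhere in the loaded policy (assumed names).
gen_require(`
	type smbd_t;
	type httpd_t;
')

# The Samba daemon may create, modify and delete directories and files.
manage_dirs_pattern(smbd_t, foodata_t, foodata_t)
manage_files_pattern(smbd_t, foodata_t, foodata_t)

# The web server may list directories and read files, nothing more.
list_dirs_pattern(httpd_t, foodata_t, foodata_t)
read_files_pattern(httpd_t, foodata_t, foodata_t)

# Build and load the module:
#   make -f /usr/share/selinux/devel/Makefile foodata.pp
#   semodule -i foodata.pp
# Then label the tree so the rules take effect:
#   semanage fcontext -a -t foodata_t "/data(/.*)?"
#   restorecon -R /data
# Ordinary UNIX permissions and ACLs on /data are still checked first;
# these rules only decide what SELinux allows on top of them.
```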