Shared data area

Nicklas Norling exinor at exinor.net
Thu Jul 21 14:09:49 UTC 2005 

Paul Howarth wrote:

>On Wed, 2005-07-20 at 13:34 -0400, Daniel J Walsh wrote:
>  
>
>>Paul Howarth wrote:
>>
>>    
>>
>>>Daniel J Walsh wrote:
>>>
>>>      
>>>
>>>>Paul Howarth wrote:
>>>>
>>>>        
>>>>
>>>>>On Tue, 2005-07-19 at 13:12 +0200, Nicklas Norling wrote:
>>>>> 
>>>>>
>>>>>          
>>>>>
>>>>>>I would encourage a boolean for shared data location. I think 
>>>>>>labeling a folder and it's subcontent with a specific label and 
>>>>>>then have different services be able to use it might be a start. 
>>>>>>That way I could disallow smb the rights but allow ftpd and httpd 
>>>>>>(as an example). I think that would be a great improvment from my 
>>>>>>point of view.
>>>>>>  
>>>>>>            
>>>>>>
>>>>>
>>>>>I think this is a great idea. I have a file server at home where I 
>>>>>stick
>>>>>all the software I've downloaded, some for Linux and some for Windows.
>>>>>The Windows box accesses the area using samba and Linux uses httpd as
>>>>>I've set up a local yum repo for the Linux software. So in Niklas' idea
>>>>>I'd be enabling httpd and smb for this and not ftp.
>>>>>
>>>>>This type might be a good one to use for everything under /srv...
>>>>>
>>>>>Paul.
>>>>> 
>>>>>
>>>>>          
>>>>>
>>>>Ok.  I am allowing ftpd, samba, apache and/or apache scripts, rsync 
>>>>to read ftpd_anon_t.
>>>>
>>>>So if you want files shared by these services, you can change the 
>>>>context to ftpd_anon_t.
>>>>        
>>>>
>>>Would it not be better to create a new type for a shared data area 
>>>(e.g. srv_data_t), with booleans allowing read/write access to this 
>>>data for each daemon, rather than overloading an existing type? After 
>>>all, some process has to set up this data area, and for some people 
>>>that will be done using ftp, some sftp, some rsync, some samba etc...
>>>
>>>      
>>>
>>I could do that, but I was already sharing the type between rsync and 
>>ftp.  Basically I think of this type, as data available on the network 
>>requiring no authorization to read or for ftpd_anon_rw_t, to write.  
>>Creating a bunch of booleans for each daemon that might use the type, 
>>seems like a complexity for limited additional security.  If I have a 
>>server running apache and ftpd, I can't see what the difference if 
>>allowing them to read the data via the ftp protocol, but not via the 
>>http protocol.  But I am willing to be persuaded.
>>    
>>
>
>I'd agree on the read side of the discussion. But if you want to
>maintain this data area using, say, rsync, then you'd need to use
>ftpd_anon_rw_t to enable writing in the first place, and that would then
>open up the area to be written by *all* of the daemons unless there were
>separate write-enable booleans for each daemon. I can certainly see
>benefits in doing that.
>
>Paul.
>  
>
I suppose one could argue that the daemon in question should be set up 
correctly. read-only or read-write as appropriate. Selinux should not do 
the applications job or there would be dual systems to keep in sync when 
policies changes. But I do see your point. I'm afraid I don't know 
enough about selinux to comment further. Just wanteded to play the 
devils advocate for awhile.
/Nicke

More information about the fedora-selinux-list mailing list