[FC5] Samba and SELinux

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 6 18:04:14 UTC 2006

On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
> Ugh...  I am too stupid to figure this out.
> Can someone give me some examples, step-by-step how I can do it?
> Steps perform IN ORDER listed:
> 1) relabel /var/www
>    a) chcon -R -t public_content_t /var/www
>    b) chcon -R -t public_content_rw_t /var/www/html/php  (hypothetical
> PHP area)
> 2) Local policy rules
>    a) ????  I have no clue how to do this step!

If taking option (2), you don't need to relabel /var/www at all - leave
it with the httpd* types.  Instead, you just allow the domain in which
samba runs to access the httpd content types.   Try the following
$ mkdir foo
$ cd foo
$ vi local.te
<insert text below>
policy_module(local, 1.0)

require {
        attribute httpdcontent;
        type smbd_t;

allow smbd_t httpdcontent:dir create_dir_perms;
allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;

$ touch local.if local.fc
$ make -f /usr/share/selinux/devel/Makefile
Compliling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 5) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod

$ su
# semodule -i local.pp

Then re-try accessing the /var/www content from samba, and if it still
doesn't work, check your /var/log/messages files for avc:  denied

Notes to others on cc list:
1) Should this already be supported under a boolean in the base policy?
2) If not (or even if so), do we need more general interfaces from
apache to allow other domains to manage all httpd content types?
3) Did I really need to create empty .if and .fc files, or was there
some way to suppress the need for them when I did the make?
4) Compliling isn't a word ;)

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list