[FC5] Samba and SELinux

Dan Thurman dant at cdkkt.com
Thu Apr 6 20:18:57 UTC 2006 

On Thu, 2006-04-06 at 14:04 -0400, Stephen Smalley wrote:
> On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
> > Ugh...  I am too stupid to figure this out.
> > 
> > Can someone give me some examples, step-by-step how I can do it?
> > 
> > Steps perform IN ORDER listed:
> > 1) relabel /var/www
> >    a) chcon -R -t public_content_t /var/www
> >    b) chcon -R -t public_content_rw_t /var/www/html/php  (hypothetical
> > PHP area)
> > 2) Local policy rules
> >    a) ????  I have no clue how to do this step!
> 
> If taking option (2), you don't need to relabel /var/www at all - leave
> it with the httpd* types.  Instead, you just allow the domain in which
> samba runs to access the httpd content types.   Try the following
> sequence:
> $ mkdir foo
> $ cd foo
> $ vi local.te
> <insert text below>
> policy_module(local, 1.0)
> 
> require {
>         attribute httpdcontent;
>         type smbd_t;
> }
> 
> allow smbd_t httpdcontent:dir create_dir_perms;
> allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
> 
> :wq
> $ touch local.if local.fc
> $ make -f /usr/share/selinux/devel/Makefile
> Compliling targeted local module
> /usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 5) to tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
> 
> $ su
> Password:
> # semodule -i local.pp
> 
> Then re-try accessing the /var/www content from samba, and if it still
> doesn't work, check your /var/log/messages files for avc:  denied
> messages.
> 
> Notes to others on cc list:
> 1) Should this already be supported under a boolean in the base policy?
> 2) If not (or even if so), do we need more general interfaces from
> apache to allow other domains to manage all httpd content types?
> 3) Did I really need to create empty .if and .fc files, or was there
> some way to suppress the need for them when I did the make?
> 4) Compliling isn't a word ;)
> 

Uh oh... tried to follow your 2) example, and here is the results...

[root at copper ~]# mkdir foo
[root at copper ~]# cd foo
[root at copper foo]# ls
[root at copper foo]# vi local.te
[root at copper foo]# touch local.if local.fc
[root at copper foo]# make -f /usr/share/selinux/devel/Makefile
Compliling targeted local module
make: /usr/bin/checkmodule: Command not found
make: *** [tmp/local.mod] Error 127
[root at copper foo]#

Kind regards,
Dan

More information about the fedora-selinux-list mailing list