> If I understand well, I could add a type to another type?!?!?!
No.
The default targeted policy is mostly about Type Enforcement. Quote from
the manual:
"All files and processes are labeled with a type: types define a SELinux
domain for processes and a SELinux type for files. SELinux policy rules
define how types access each other, whether it be a domain accessing a
type, or a domain accessing another domain. Access is only allowed if a
specific SELinux policy rule exists that allows it."
You could have added a new type (e.g. tftpdir_rw_and_samba_share_t) to
label the files in your shared directory and defined necessary rules to
allow access to these files by processes running in certain confined
domains. These new rules would most likely include a subset of rules
already defined in the default policy for samba_share_t and tftpdir_rw_t
types.
I've never added a new type myself and cannot really elaborate any
further on the subject.
An easier approach would be to add missing access rules for an already
existing file type (either samba_share_t or tftpdir_rw_t).
BTW have you really tried to access files labelled with tftpdir_rw_t via
samba or vice versa? There are already a number of rules in the default
policy which allow ftp access to samba shares and smb/nmb access to
files labelled with tftpdir_rw_t. E.g.
# sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
allow ftpd_t samba_share_t : file { ioctl read write create getattr
setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : dir { ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search
rmdir open } ;
allow ftpd_t samba_share_t : lnk_file { ioctl read write create
getattr setattr lock append unlink link rename } ;
allow ftpd_t samba_share_t : sock_file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : fifo_file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
Maybe the needed functionality is already there and all this discussion
is the equivalent of shooting a gun at sparrows.
CentOS mailing list
https://lists.centos.org/mailman/listinfo/centos
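An added example, not part of the post above or of CentOS: a small Python script that parses the `allow` lines `sesearch --allow` prints (joining output that wraps across lines, as in the post), compares them with the accesses a domain needs on a file type, and drafts a module containing only the permissions that are still missing, in the form `checkmodule -M -m` accepts. The `smbd_t tftpdir_rw_t` sample line, the required permissions and the module name are constructed for the demonstration.

```python
"""Compare what `sesearch --allow` already prints for a domain/type pair
against the accesses you need, and draft a module for only the gap."""
import re

# Constructed sample in the format the post shows (output lines wrapped);
# the smbd_t line is invented to demonstrate a partially covered need.
SESEARCH_OUTPUT = """\
allow ftpd_t samba_share_t : file { ioctl read write create getattr
setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : dir { ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search
rmdir open } ;
allow smbd_t tftpdir_rw_t : file { read getattr open } ;
"""

# One rule: allow <source> <target> : <class> { <perms> } ;
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")


def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)}.
    Whitespace is collapsed first so wrapped output lines join back up."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(" ".join(text.split())):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def missing_perms(rules, src, tgt, wanted_by_class):
    """{class: sorted perms} that no parsed allow rule grants; a class
    with no rule at all comes back with every wanted perm missing."""
    return {cls: sorted(set(perms) - rules.get((src, tgt, cls), set()))
            for cls, perms in wanted_by_class.items()}


def draft_te_module(name, src, tgt, missing_by_class):
    """Minimal module source in the form `checkmodule -M -m` accepts
    (module/require/allow), listing only the permissions still missing."""
    gaps = {c: p for c, p in sorted(missing_by_class.items()) if p}
    if not gaps:
        return ""  # nothing to add: the default policy already allows it
    out = [f"module {name} 1.0;", "", "require {",
           f"\ttype {src};", f"\ttype {tgt};"]
    out += [f"\tclass {c} {{ {' '.join(p)} }};" for c, p in gaps.items()]
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{c} {{ {' '.join(p)} }};" for c, p in gaps.items()]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    need = {"file": ["read", "write", "open"], "dir": ["search", "write"]}
    print(draft_te_module("smbd_tftp_local", "smbd_t", "tftpdir_rw_t",
                          missing_perms(rules, "smbd_t", "tftpdir_rw_t", need)))
    # build/load: checkmodule -M -m -o x.mod x.te; semodule_package -o x.pp -m x.mod; semodule -i x.pp
```

On a real host, replace SESEARCH_OUTPUT with the captured output of `sesearch --allow -s <domain> -t <type>` and check the drafted module against the AVC denials before loading it, so you add only what the actual access needs.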