Re: How to have more than on SELinux context on a directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

If I understand well, I could add a type to another type?!?!?!


No.
The default targeted policy is mostly about Type Enforcement. Quote from the manual:
"All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it."
You could have added a new type (eg tftpdir_rw_and_samba_share_t) to label the files in your shared directory and defined necessary rules to allow access to these files by processes running in certain confined domains. These new rules would most likely include a subset of rules already defined in the default policy for samba_share_t and tftpdir_rw_t types.
I've never added a new type myself and cannot really elaborate any further on the subject.
An easier approach would be to add missing access rules for already existing file type (either samba_share_t or tftpdir_rw_t).
BTW have you really tried to access files labelled with tftpdir_rw_t via samba or vise versa? There's already a number of rules in the default policy which allow ftp access to samba shares and smb/nmb access to files labelled with tftpdir_rw_t. Eg 

# sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
May be the needed functionality is already there and all this discussion is the equivalent of shooting a gun on sparrows. 

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux