On Fri, 2005-01-07 at 13:29 -0700, Ivan Gyurdiev wrote:
> That sounds like a hack. This isn't a home directory so why
> should I label it as such. It's a bunch of common files.

Well, that's currently the type we use for data that users can modify.
It may be a bit weird given the name, but if from a security perspective
the files elsewhere are equivalent to the user's $HOME, then giving them
the same label makes sense.

> Part of the problem in my mind is that I do not know what
> the SElinux types are, which ones I need to do what I want,
> and how to add new ones to perform this simple task.

Right; this is something that should definitely be documented somewhere.
Both the purpose of existing types, as well as how to add new ones for
specific purposes.

> Consider traditional UNIX permissions. There's a straightforward
> procedure for doing what I want. I create a group called data.
> I put whoever I want in it (user1, user2, user3, httpd..). Then
> I chgrp /data with that. Nice and simple.

Offtopic, but: you really want to use ACLs instead of groups; much
simpler than mucking about with groups.

> I forget what smbd does - I
> think it checks to see if the UNIX user that you're logged in with
> has access to that folder.

It uses setfsuid, IIRC.

> What's the SElinux equivalent?

You create a new type:

	type foodata_t, file_type, sysadmfile;

Then grant permissions from other domains to it:

	r_dir_file(user1_t, foodata_t)
	create_dir_file(user2_t, foodata_t)
	create_dir_file(samba_t, foodata_t)
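As an added example (not part of the thread), a small POSIX shell helper that generates the type declaration and macro grants shown above for any list of domains, plus the file_contexts entry that is needed before /data actually carries the new label. It assumes the 2005-era example-policy macros named in the reply (r_dir_file for read-only, create_dir_file for write access); the policy-tree paths and `make load` target in the usage comments are assumptions about that layout.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the two pieces needed to put a
# shared directory under its own SELinux type with the old example-policy
# macros: the TE fragment (type declaration plus per-domain grants) and the
# file_contexts entry that makes the label stick on disk.
# Assumption: r_dir_file grants read-only access and create_dir_file grants
# create/write access, as in the thread; policy-tree paths in the usage
# comments are assumptions about the 2005 example-policy layout.

# gen_te TYPE DOMAIN:ACCESS ...
# ACCESS is "r" (read-only via r_dir_file) or "rw" (write via create_dir_file).
# Anything else is rejected so a typo cannot silently become a grant.
gen_te() {
    newtype="$1"; shift
    printf 'type %s, file_type, sysadmfile;\n' "$newtype"
    for spec in "$@"; do
        domain="${spec%%:*}"
        access="${spec#*:}"
        case "$access" in
            r)  printf 'r_dir_file(%s, %s)\n' "$domain" "$newtype" ;;
            rw) printf 'create_dir_file(%s, %s)\n' "$domain" "$newtype" ;;
            *)  printf 'gen_te: unknown access "%s" for %s\n' "$access" "$domain" >&2
                return 1 ;;
        esac
    done
}

# gen_fc TYPE PATH
# Emits a file_contexts line covering PATH and everything beneath it.
gen_fc() {
    printf '%s(/.*)?\tsystem_u:object_r:%s\n' "$2" "$1"
}

# Stand-alone run: print what would be appended to the policy for /data,
# readable by user1_t, writable by user2_t and samba_t.
gen_te foodata_t user1_t:r user2_t:rw samba_t:rw
gen_fc foodata_t /data

# To apply (as root, inside an example-policy source tree; paths assumed):
#   gen_te foodata_t user1_t:r user2_t:rw samba_t:rw >> domains/misc/foodata.te
#   gen_fc foodata_t /data >> file_contexts/misc/foodata.fc
#   make load && restorecon -R /data
# Without the .fc line and the relabel, the new type exists in policy but
# nothing on disk carries it, so the grants never take effect.
```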