Daniel J Walsh wrote:
> Paul Howarth wrote:
>> On Tue, 2005-07-19 at 13:12 +0200, Nicklas Norling wrote:
>>> I would encourage a boolean for shared data location. I think
>>> labeling a folder and its subcontent with a specific label and then
>>> have different services be able to use it might be a start. That way
>>> I could disallow smb the rights but allow ftpd and httpd (as an
>>> example). I think that would be a great improvement from my point of
>>> view.
>> I think this is a great idea. I have a file server at home where I stick
>> all the software I've downloaded, some for Linux and some for Windows.
>> The Windows box accesses the area using samba and Linux uses httpd as
>> I've set up a local yum repo for the Linux software. So in Nicklas' idea
>> I'd be enabling httpd and smb for this and not ftp.
>> This type might be a good one to use for everything under /srv...
>> Paul.
> Ok. I am allowing ftpd, samba, apache and/or apache scripts, rsync to
> read ftpd_anon_t.
> So if you want files shared by these services, you can change the
> context to ftpd_anon_t.
Would it not be better to create a new type for a shared data area (e.g.
srv_data_t), with booleans allowing read/write access to this data for
each daemon, rather than overloading an existing type? After all, some
process has to set up this data area, and for some people that will be
done using ftp, some sftp, some rsync, some samba etc...
Obviously this is much harder to do but I thought I'd ask anyway :-)
Paul.
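
The proposal above (a dedicated shared-data type with one boolean per daemon), sketched as a policy module in reference-policy macro style. This is an added example, not policy from this thread or from Fedora: srv_data_t is the name suggested above, every boolean name is hypothetical, and the daemon types httpd_t, smbd_t, ftpd_t and rsync_t are assumed to be defined by the base policy.

```selinux
policy_module(srv_data, 1.0.0)

# Daemon domains assumed to exist in the base policy.
gen_require(`
	type httpd_t, smbd_t, ftpd_t, rsync_t;
')

# Shared data type from the proposal, not an existing type.
type srv_data_t;
files_type(srv_data_t)

# Hypothetical booleans, all off by default, so labeling a tree
# srv_data_t grants nothing until an admin opts a daemon in.
gen_tunable(httpd_read_srv_data, false)
gen_tunable(samba_read_srv_data, false)
gen_tunable(ftpd_read_srv_data, false)
gen_tunable(ftpd_write_srv_data, false)
gen_tunable(rsync_read_srv_data, false)

# Read-only access, one conditional block per daemon.
tunable_policy(`httpd_read_srv_data',`
	list_dirs_pattern(httpd_t, srv_data_t, srv_data_t)
	read_files_pattern(httpd_t, srv_data_t, srv_data_t)
')

tunable_policy(`samba_read_srv_data',`
	list_dirs_pattern(smbd_t, srv_data_t, srv_data_t)
	read_files_pattern(smbd_t, srv_data_t, srv_data_t)
')

tunable_policy(`ftpd_read_srv_data',`
	list_dirs_pattern(ftpd_t, srv_data_t, srv_data_t)
	read_files_pattern(ftpd_t, srv_data_t, srv_data_t)
')

tunable_policy(`rsync_read_srv_data',`
	list_dirs_pattern(rsync_t, srv_data_t, srv_data_t)
	read_files_pattern(rsync_t, srv_data_t, srv_data_t)
')

# Write access is a separate opt-in, shown here for the daemon
# chosen to populate the area (ftpd in this sketch).
tunable_policy(`ftpd_write_srv_data',`
	manage_dirs_pattern(ftpd_t, srv_data_t, srv_data_t)
	manage_files_pattern(ftpd_t, srv_data_t, srv_data_t)
')
```

With such a module loaded, the home file server setup described earlier in the thread would label the tree with `chcon -R -t srv_data_t` and turn on only the httpd and samba read booleans with `setsebool -P`, leaving the ftpd ones off.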