On Thu, 2006-04-06 at 14:04 -0400, Stephen Smalley wrote:
> On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
> > Ugh... I am too stupid to figure this out.
> >
> > Can someone give me some examples, step-by-step how I can do it?
> >
> > Steps perform IN ORDER listed:
> > 1) relabel /var/www
> >    a) chcon -R -t public_content_t /var/www
> >    b) chcon -R -t public_content_rw_t /var/www/html/php (hypothetical PHP area)
> > 2) Local policy rules
> >    a) ???? I have no clue how to do this step!
>
> If taking option (2), you don't need to relabel /var/www at all - leave
> it with the httpd* types. Instead, you just allow the domain in which
> samba runs to access the httpd content types. Try the following
> sequence:
> $ mkdir foo
> $ cd foo
> $ vi local.te
> <insert text below>
> policy_module(local, 1.0)
>
> require {
>         attribute httpdcontent;
>         type smbd_t;
> }
>
> allow smbd_t httpdcontent:dir create_dir_perms;
> allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
>
> :wq
> $ touch local.if local.fc
> $ make -f /usr/share/selinux/devel/Makefile
> Compliling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 5) to tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
>
> $ su
> Password:
> # semodule -i local.pp
>
> Then re-try accessing the /var/www content from samba, and if it still
> doesn't work, check your /var/log/messages files for avc: denied
> messages.
>
> Notes to others on cc list:
> 1) Should this already be supported under a boolean in the base policy?
> 2) If not (or even if so), do we need more general interfaces from
> apache to allow other domains to manage all httpd content types?
> 3) Did I really need to create empty .if and .fc files, or was there
> some way to suppress the need for them when I did the make?
> 4) Compliling isn't a word ;)
>

Uh oh... tried to follow your 2) example, and here are the results...

[root@copper ~]# mkdir foo
[root@copper ~]# cd foo
[root@copper foo]# ls
[root@copper foo]# vi local.te
[root@copper foo]# touch local.if local.fc
[root@copper foo]# make -f /usr/share/selinux/devel/Makefile
Compliling targeted local module
make: /usr/bin/checkmodule: Command not found
make: *** [tmp/local.mod] Error 127
[root@copper foo]#

Kind regards,
Dan
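
Added example, not part of the original thread: a shell function for the "check /var/log/messages for avc: denied messages" step, which filters denials for one source domain and merges the denied permissions per target type and class. The log lines in sample_log are constructed, and the names summarize_avc and sample_log are this example's own.

```sh
#!/bin/sh
# Summarise "avc: denied" records for one source domain (e.g. smbd_t).
# Reads log lines on stdin; prints one allow-style line per (target type, class).
summarize_avc() {
    domain="$1"
    awk -v dom="$domain" '
    # Value of the key=value token named "key" in the current record, or "".
    function field(key,    i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    # A context is user:role:type[:level]; the type is the third part.
    function type_of(ctx,    parts) {
        if (split(ctx, parts, ":") < 3) return ""
        return parts[3]
    }
    /avc:[ ]+denied/ {
        s = index($0, "{"); e = index($0, "}")   # permissions sit inside { }
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        src = type_of(field("scontext")); tgt = type_of(field("tcontext"))
        cls = field("tclass")
        if (src != dom || tgt == "" || cls == "") next
        key = tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {        # merge, dropping repeats
                seen[key, p[j]] = 1
                merged[key] = merged[key] " " p[j]
            }
    }
    END {
        for (key in merged) printf "allow %s %s {%s };\n", dom, key, merged[key]
    }' | sort
}

# Constructed sample input (not taken from the thread).
sample_log() {
cat <<'EOF'
Apr  6 15:02:11 host1 kernel: audit(1144360931.412:101): avc:  denied  { read } for  pid=2301 comm="smbd" name="index.html" dev=hda2 ino=48213 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Apr  6 15:02:12 host1 kernel: audit(1144360932.007:102): avc:  denied  { write } for  pid=2301 comm="smbd" name="index.html" dev=hda2 ino=48213 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Apr  6 15:02:12 host1 kernel: audit(1144360932.101:103): avc:  denied  { read } for  pid=2301 comm="smbd" name="about.html" dev=hda2 ino=48220 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Apr  6 15:02:13 host1 kernel: audit(1144360933.300:104): avc:  denied  { search } for  pid=2301 comm="smbd" name="html" dev=hda2 ino=48001 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
Apr  6 15:02:14 host1 kernel: audit(1144360934.050:105): avc:  denied  { getattr } for  pid=1999 comm="httpd" name="notes" dev=hda2 ino=51000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Apr  6 15:02:15 host1 smbd[2301]: connect to service www
EOF
}

sample_log | summarize_avc smbd_t
```

If lines for smbd_t against httpd content types still appear after `semodule -i local.pp`, the module did not cover that access.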