On Mon, 2006-04-24 at 09:16 +1000, Robert Foster wrote:
> Hi,
> I have a directory structure that contains multiple web sites that I
> also want shared out using samba to restricted users. I've just
> upgraded to FC5 and worked most of the kinks out (including trying to
> get Samba's net getlocalsid to talk to ldap properly, but that's
> another story).
>
> Current configuration:
>
> # ls -alZ /MV
> gives:
> drwsrws--- apache apache system_u:object_r:httpd_sys_content_t webs
>
> However, the samba shared directory is read-only for users browsing.
> If I set the type to samba_share_t, apache can no longer read the
> directory.
>
> This also has other implications. I have a directory in another share
> (Archives/Repository) that is soft-linked to a directory under a web
> site so that users can copy files into it from a windows client and
> have them available for download.
>
> I found a post by Stephen Smalley back in June last year that talks a
> little about this issue:
> http://www.redhat.com/archives/fedora-selinux-list/2005-June/msg00264.html
> that suggested a possible fix by defining a new type allowing both
> httpd and samba to access the files - with samba having permission to
> write.
>
> Any ideas on whether this is likely to be added to a policy for FC5 in
> the near future, and how can I fix this in the interim? I'd rather
> not disable selinux if I can avoid it :)

This was implemented quite a long time ago. Change the context type of the
data to public_content_t (for read-only data) or public_content_rw_t for
data that one of the daemons needs to be able to write. Then allow
whichever daemons need write access to this data by setting the
appropriate booleans:

allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon_write
allow_rsync_anon_write
allow_smbd_anon_write

So in your case you'd want:

# setsebool -P allow_smbd_anon_write 1

Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
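The procedure Paul describes (relabel the shared tree as public_content_rw_t, then switch on the anon-write boolean for the daemon that must write) as a worked shell script. This is an added example and not code from the thread or from the Fedora policy; it assumes semanage (policycoreutils) and restorecon are installed, and it uses semanage fcontext plus restorecon instead of a bare chcon so that the label survives a later relabel. The directory /MV and the ls -Z line are the ones from the post; the helper names are made up here. Set DRY_RUN=1 to print the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example: share a web tree between httpd (read) and smbd (write)
# under SELinux by relabelling it and enabling the smbd anon-write boolean.

# Map a daemon name to its anon-write boolean (the list from the reply).
anon_write_boolean() {
    case "$1" in
        ftpd)         echo allow_ftpd_anon_write ;;
        httpd)        echo allow_httpd_anon_write ;;
        httpd_script) echo allow_httpd_sys_script_anon_write ;;
        rsync)        echo allow_rsync_anon_write ;;
        smbd)         echo allow_smbd_anon_write ;;
        *)            return 1 ;;
    esac
}

# Pick the shared type: public_content_t is read-only for all of the listed
# daemons; public_content_rw_t is writable by a daemon once its boolean is on.
shared_type_for() {   # $1 = "ro" or "rw"
    case "$1" in
        ro) echo public_content_t ;;
        rw) echo public_content_rw_t ;;
        *)  return 1 ;;
    esac
}

# Extract the SELinux type from one line of 'ls -Z' output, e.g.
#   drwsrws--- apache apache system_u:object_r:httpd_sys_content_t webs
# The context is the field with at least two ':'; its third component is the type.
context_type() {
    echo "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Run a privileged command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Relabel a directory tree persistently and turn on the daemon's write boolean.
share_rw() {   # $1 = directory, $2 = daemon name (smbd, httpd, ...)
    dir=$1; daemon=$2
    bool=$(anon_write_boolean "$daemon") || { echo "unknown daemon: $daemon" >&2; return 1; }
    ctx_type=$(shared_type_for rw)
    run semanage fcontext -a -t "$ctx_type" "$dir(/.*)?"   # persistent rule
    run restorecon -Rv "$dir"                               # apply it now
    run setsebool -P "$bool" 1                              # persistent boolean
}

# Verify afterwards: the type should now be public_content_rw_t.
is_shared_rw() {   # $1 = one 'ls -Z' line
    [ "$(context_type "$1")" = "$(shared_type_for rw)" ]
}

# Usage (constructed; the path is the one from the post):
# DRY_RUN=1 share_rw /MV smbd
# is_shared_rw "$(ls -dZ /MV)" && echo "labelled for shared write"
```

Only the smbd boolean is switched on, matching the reply: httpd keeps read access to public_content_rw_t without allow_httpd_anon_write, so the web server still cannot write into the tree that Windows users fill via Samba.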