On 07/08/09 11:24, Trevor Hemsley wrote:
I have a machine where I am trying to turn on selinux in enforcing mode - currently running in permissive mode while I sort out what's likely to stop working. On this machine I have both Samba and Apache. The Samba server has shares on a disk partition that's mounted on /share and I was getting AVCs for this so I used semanage and restorecon to mark all directories on there as context samba_share_t. Works great except that one directory on that share is also used by Apache and then I started getting AVCs for that dir whenever someone tried to access its content over http. Having done some reading I then tried to mark that directory as context public_content_t and that gets rid of the AVCs for http but I get them back for the Samba server instead :(

The directory in question that resides on the /share partition is used by the Sophos Anti-Virus Enterprise Console to keep copies of all its install materials and locally cached copies of all the AV definition files. We have a Windows XP machine that runs the Enterprise Console and this updates the AV definitions on the Samba share about every 5 minutes - so Samba needs to have update access to the directory in question. For users outside the main office we also make the Sophos AV definitions available over https so Apache needs to be able to read the same directory that Samba can write to.

Both Samba and Apache processes are running on the same machine and are accessing /share as a local file system. I can see booleans that let Apache access Samba shares as network drives but not as local file systems. These are the sort of AVCs I am currently getting and I'm now out of ideas about how to solve this. Does anyone have any suggestions please?
Label your directory (assuming it's called /share/sophos here) public_content_rw_t:
# semanage fcontext -a -t public_content_rw_t '/share/sophos(/.*)?'
# restorecon -rF /share/sophos

Give Samba write access to public_content_rw_t:

# setsebool -P allow_smbd_anon_write=1

Cheers, Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
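A small verification script for the state Paul's reply leaves the share in, as an added example that is not part of the thread. After running the semanage/restorecon/setsebool commands as root, the two things worth confirming are that the directory really carries the public_content_rw_t type (restorecon silently does nothing if the fcontext rule did not match the path) and that the allow_smbd_anon_write boolean is on. The directory path /share/sophos is the one assumed in the reply; the "ls -dZ" and "getsebool" lines inside the script are constructed sample output so it runs offline, and the parsing accepts both the older "perms owner group context path" layout of ls -Z and the newer "context path" one.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the two conditions from Paul's
# reply: the share directory is typed public_content_rw_t and the boolean
# allow_smbd_anon_write is on. On a real host the inputs come from:
#   ls -dZ /share/sophos
#   getsebool allow_smbd_anon_write
# The sample lines at the bottom are constructed, not captured from a machine.

EXPECTED_TYPE=public_content_rw_t
EXPECTED_BOOL=allow_smbd_anon_write

# Print the SELinux type (third colon-separated field) from an "ls -dZ" line.
# The context is the field shaped like user:role:type[:level]; scanning for
# it instead of a fixed column makes this work on old and new ls layouts.
type_from_ls() {
    ctx=""
    for field in $1; do
        case "$field" in
            *:*:*) ctx=$field ;;
        esac
    done
    [ -n "$ctx" ] || return 1
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Print "on" or "off" from a getsebool line such as
# "allow_smbd_anon_write --> on"; fail if it describes some other boolean.
bool_state_from_getsebool() {
    set -- $1
    [ "$1" = "$EXPECTED_BOOL" ] || return 1
    printf '%s\n' "$3"
}

# Return 0 only when the label lets Apache read and the boolean lets smbd
# write. samba_share_t (Trevor's first attempt) fails on the label, and
# public_content_t with the boolean off reproduces his second set of AVCs.
share_is_ready() {
    t=$(type_from_ls "$1") || return 1
    s=$(bool_state_from_getsebool "$2") || return 1
    [ "$t" = "$EXPECTED_TYPE" ] && [ "$s" = "on" ]
}

# Constructed sample output standing in for the real commands above.
GOOD_LS='drwxrwxr-x root root system_u:object_r:public_content_rw_t /share/sophos'
SAMBA_ONLY_LS='drwxrwxr-x root root system_u:object_r:samba_share_t /share/sophos'
BOOL_ON='allow_smbd_anon_write --> on'
BOOL_OFF='allow_smbd_anon_write --> off'

if share_is_ready "$GOOD_LS" "$BOOL_ON"; then
    echo "/share/sophos: Samba may write, Apache may read"
fi
if ! share_is_ready "$SAMBA_ONLY_LS" "$BOOL_ON"; then
    echo "/share/sophos: still samba_share_t, expect httpd AVCs"
fi
if ! share_is_ready "$GOOD_LS" "$BOOL_OFF"; then
    echo "/share/sophos: label correct but allow_smbd_anon_write is off"
fi
```

On the real machine, replace the constructed strings with command substitutions of the two commands named in the header comment; the policy booleans and type names are those used in the reply, and the checks are read-only.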