Александр Кириллов
2016-Jul-05 17:24 UTC
[CentOS] How to have more than one SELinux context on a directory
Александр Кириллов wrote 2016-07-05 19:58:
>> I need to have the tftpdir_rw_t and samba_share_t SELinux context on
>> the same directory.
>>
>> How can we do this? Is it feasible to have more than one SELinux
>> context?
>
> I don't think it's possible/feasible.
> You'd probably need to add a new type and necessary rules to your local
> policy.
> Or add missing allow rules to an existing type (tftpdir_rw_t or
> samba_share_t).
> Or use audit2allow to add necessary allow rules to an existing type.
> Any of the above could be a major PITA.

Some links and commands which might be useful if you really need this done:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types

# sesearch --help
# sesearch --allow -t samba_share_t
# sesearch --allow -t tftpdir_rw_t
Bernard Fay
2016-Jul-06 11:30 UTC
[CentOS] How to have more than one SELinux context on a directory
If I understand well, I could add a type to another type?!?!?! If that is the case, I did not know about it.... like many things in the SELinux world. It is so complex and so badly documented. :-(

On Tue, Jul 5, 2016 at 1:24 PM, Александр Кириллов <nevis2us at infoline.su> wrote:
> Александр Кириллов wrote 2016-07-05 19:58:
>>> I need to have the tftpdir_rw_t and samba_share_t SELinux context on
>>> the same directory.
>>>
>>> How can we do this? Is it feasible to have more than one SELinux context?
>>
>> I don't think it's possible/feasible.
>> You'd probably need to add a new type and necessary rules to your local
>> policy.
>> Or add missing allow rules to an existing type (tftpdir_rw_t or
>> samba_share_t).
>> Or use audit2allow to add necessary allow rules to an existing type.
>> Any of the above could be a major PITA.
>
> Some links and commands which might be useful if you really need this done:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types
>
> # sesearch --help
> # sesearch --allow -t samba_share_t
> # sesearch --allow -t tftpdir_rw_t
Eero Volotinen
2016-Jul-06 12:04 UTC
[CentOS] How to have more than one SELinux context on a directory
2016-07-06 14:30 GMT+03:00 Bernard Fay <bernard.fay at gmail.com>:
> If I understand well, I could add a type to another type?!?!?! If that is
> the case, I did not know about it.... like many things in the SELinux
> world. It is so complex and so badly documented. :-(

Poorly? Just read the documents:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/
and google "selinux rhel" ..

--
Eero
Gordon Messmer
2016-Jul-06 13:58 UTC
[CentOS] How to have more than one SELinux context on a directory
On 07/06/2016 04:30 AM, Bernard Fay wrote:
> It is so complex and so badly documented.

It is fairly complex, but I don't think it's badly documented.

http://selinuxproject.org/page/Main_Page
Александр Кириллов
2016-Jul-06 15:07 UTC
[CentOS] How to have more than one SELinux context on a directory
> If I understand well, I could add a type to another type?!?!?!

No. The default targeted policy is mostly about Type Enforcement. Quote from the manual:

"All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it."

You could have added a new type (eg tftpdir_rw_and_samba_share_t) to label the files in your shared directory and defined necessary rules to allow access to these files by processes running in certain confined domains. These new rules would most likely include a subset of rules already defined in the default policy for samba_share_t and tftpdir_rw_t types. I've never added a new type myself and cannot really elaborate any further on the subject.

An easier approach would be to add missing access rules for an already existing file type (either samba_share_t or tftpdir_rw_t).

BTW have you really tried to access files labelled with tftpdir_rw_t via samba or vice versa? There's already a number of rules in the default policy which allow ftp access to samba shares and smb/nmb access to files labelled with tftpdir_rw_t.

Eg

# sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Maybe the needed functionality is already there and all this discussion is the equivalent of shooting a gun at sparrows.
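One way to carry out the "new type" approach described in this last reply, as an added example that is not from the thread or any of its participants: a local policy module declaring one file type that both daemons may manage, then applied to the shared directory. The module name tftp_samba_share, the type name tftp_samba_share_t, and the assumption that the tftp and samba daemons run in the tftpd_t and smbd_t domains are mine; the permission sets are taken from the sesearch output quoted above.

```shell
# Added example, not code from the thread: the "new type" approach described
# above. A hypothetical file type tftp_samba_share_t (name assumed) that both
# confined daemon domains tftpd_t and smbd_t may manage, loaded as a local
# module and applied to the shared directory. Assumes CentOS 7 targeted
# policy with checkmodule, semodule_package, semodule, semanage, restorecon.
# Permission sets copied from the sesearch output quoted in the thread.
DIR_PERMS='ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open'
FILE_PERMS='ioctl read write create getattr setattr lock append unlink link rename open'
# Print the type-enforcement (.te) source of the module on stdout.
build_te() {
    cat <<EOF
module tftp_samba_share 1.0;
require {
    type tftpd_t;
    type smbd_t;
    attribute file_type;
    class dir { $DIR_PERMS };
    class file { $FILE_PERMS };
}
# New label; file_type marks it as a file label so restorecon accepts it.
type tftp_samba_share_t;
typeattribute tftp_samba_share_t file_type;

# Both daemons get identical access to dirs and files with the new type.
allow tftpd_t tftp_samba_share_t:dir { $DIR_PERMS };
allow tftpd_t tftp_samba_share_t:file { $FILE_PERMS };
allow smbd_t tftp_samba_share_t:dir { $DIR_PERMS };
allow smbd_t tftp_samba_share_t:file { $FILE_PERMS };
EOF
}
# Sanity check: number of allow rules in the generated source that grant
# the domain given as $1 access to the new type.
count_allow_rules() {
    build_te | grep -c "^allow $1 tftp_samba_share_t:"
}
# Compile, load and apply the module to the directory given as argument
# (must run as root on the target host).
install_module() {
    build_te > tftp_samba_share.te
    checkmodule -M -m -o tftp_samba_share.mod tftp_samba_share.te
    semodule_package -o tftp_samba_share.pp -m tftp_samba_share.mod
    semodule -i tftp_samba_share.pp
    semanage fcontext -a -t tftp_samba_share_t "$1(/.*)?"
    restorecon -Rv "$1"
}
# Only apply when a directory is given and the SELinux tools are present.
if [ -n "${1:-}" ] && command -v checkmodule >/dev/null 2>&1; then
    install_module "$1"
fi
```

After loading, `sesearch --allow -t tftp_samba_share_t` lists the rules the module added, the same check the thread runs against samba_share_t; any access the daemons still lack shows up as AVC denials in the audit log and can be added to this module rather than to the stock types.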