CentOS - Jul 2016 - How to have more than on SELinux context on a directory

Hello,

I need to have the  tftpdir_rw_t  and  samba_share_t  SELinux context on
the same directory.

How can we do this? Is it feasible to have more than one SELinux context?

Thanks,
Bernard

On 07/05/2016 08:28 AM, Bernard Fay wrote:
> How can we do this? Is it feasible to have more than one SELinux context?

Not as far as I know.  You probably want to generate a local policy, 
using "audit2allow," to allow whatever workflow you're
implementing.

> I need to have the  tftpdir_rw_t  and  samba_share_t  SELinux context 
> on
> the same directory.
> 
> How can we do this? Is it feasible to have more than one SELinux 
> context?
I don't think it's possible/feasible.
You'd probably need to add a new type and necessary rules to your local 
policy.
Or add missing allow rules to an existing type (tftpdir_rw_t or 
samba_share_t).
Or use audit2allow to add necessary allow rules to an existing type.
Any of the above could be a major PITA.

????????? ???????? ????? 2016-07-05 19:58:
>> I need to have the  tftpdir_rw_t  and  samba_share_t  SELinux context 
>> on
>> the same directory.
>> 
>> How can we do this? Is it feasible to have more than one SELinux 
>> context?
> 
> I don't think it's possible/feasible.
> You'd probably need to add a new type and necessary rules to your local
> policy.
> Or add missing allow rules to an existing type (tftpdir_rw_t or 
> samba_share_t).
> Or use audit2allow to add necessary allow rules to an existing type.
> Any of the above could be a major PITA.
Some links and commands which might be useful if you really need this 
done:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types

# sesearch --help
# sesearch --allow -t samba_share_t
# sesearch --allow -t tftpdir_rw_t