Александр Кириллов
2016-Jul-06 15:07 UTC
[CentOS] How to have more than on SELinux context on a directory
> If I understand well, I could add a type to another type?!?!?!No. The default targeted policy is mostly about Type Enforcement. Quote from the manual: "All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it." You could have added a new type (eg tftpdir_rw_and_samba_share_t) to label the files in your shared directory and defined necessary rules to allow access to these files by processes running in certain confined domains. These new rules would most likely include a subset of rules already defined in the default policy for samba_share_t and tftpdir_rw_t types. I've never added a new type myself and cannot really elaborate any further on the subject. An easier approach would be to add missing access rules for already existing file type (either samba_share_t or tftpdir_rw_t). BTW have you really tried to access files labelled with tftpdir_rw_t via samba or vise versa? There's already a number of rules in the default policy which allow ftp access to samba shares and smb/nmb access to files labelled with tftpdir_rw_t. Eg # sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; May be the needed functionality is already there and all this discussion is the equivalent of shooting a gun on sparrows.
Bernard Fay
2016-Jul-06 19:17 UTC
[CentOS] How to have more than on SELinux context on a directory
I can access /depot/tftp from a tftp client but unable to do it from a Windows client as long as SELinux is enforced. If SELinux is permissive I can access it then I know Samba is properly configured. # getenforce Enforcing # ls -dZ /depot/tftp/ drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/ And if I do it the other way around, give the directory a type samba_share_t then the tftp clients are unable to push files. # getenforce Enforcing [root at CTSFILESRV01 depot]# ls -ldZ tftp/ drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/ I would then to either create my own type or missing access rules as you suggest. Unfortunately, this will be when I will have time which I don't have at the moment. Thanks for you help On Wed, Jul 6, 2016 at 11:07 AM, ????????? ???????? <nevis2us at infoline.su> wrote:> If I understand well, I could add a type to another type?!?!?! >> > > No. > > The default targeted policy is mostly about Type Enforcement. Quote from > the manual: > > "All files and processes are labeled with a type: types define a SELinux > domain for processes and a SELinux type for files. SELinux policy rules > define how types access each other, whether it be a domain accessing a > type, or a domain accessing another domain. Access is only allowed if a > specific SELinux policy rule exists that allows it." > > You could have added a new type (eg tftpdir_rw_and_samba_share_t) to label > the files in your shared directory and defined necessary rules to allow > access to these files by processes running in certain confined domains. > These new rules would most likely include a subset of rules already defined > in the default policy for samba_share_t and tftpdir_rw_t types. > > I've never added a new type myself and cannot really elaborate any further > on the subject. > > An easier approach would be to add missing access rules for already > existing file type (either samba_share_t or tftpdir_rw_t). > > BTW have you really tried to access files labelled with tftpdir_rw_t via > samba or vise versa? There's already a number of rules in the default > policy which allow ftp access to samba shares and smb/nmb access to files > labelled with tftpdir_rw_t. Eg > > # sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp > allow ftpd_t samba_share_t : file { ioctl read write create getattr > setattr lock append unlink link rename open } ; > allow ftpd_t samba_share_t : dir { ioctl read write create getattr > setattr lock unlink link rename add_name remove_name reparent search rmdir > open } ; > allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr > setattr lock append unlink link rename } ; > allow ftpd_t samba_share_t : sock_file { ioctl read write create > getattr setattr lock append unlink link rename open } ; > allow ftpd_t samba_share_t : fifo_file { ioctl read write create > getattr setattr lock append unlink link rename open } ; > > May be the needed functionality is already there and all this discussion > is the equivalent of shooting a gun on sparrows. > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >
Fabian Arrotin
2016-Jul-07 09:58 UTC
[CentOS] How to have more than on SELinux context on a directory
On 06/07/16 21:17, Bernard Fay wrote:> I can access /depot/tftp from a tftp client but unable to do it from a > Windows client as long as SELinux is enforced. If SELinux is permissive I > can access it then I know Samba is properly configured. > > # getenforce > Enforcing > # ls -dZ /depot/tftp/ > drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/ > > > And if I do it the other way around, give the directory a type > samba_share_t then the tftp clients are unable to push files. > > # getenforce > Enforcing > [root at CTSFILESRV01 depot]# ls -ldZ tftp/ > drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/ > > > I would then to either create my own type or missing access rules as you > suggest. Unfortunately, this will be when I will have time which I don't > have at the moment. > > Thanks for you help >Don't forget that it's about process type and context. If you need multiple processes/domain types accessing the same context files, you'd probably just need a common context/label. <tip> man -k _selinux => will show you man pages for everything regarding selinux and domain/process/context </tip> => man tftpd_selinux => search for samba and : <quote> If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. </quote> But read the whole tftpd_selinux and samba_selinux man pages (and they share almost the same content for "Sharing files" stanzas :-) -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160707/00027b1a/attachment-0001.sig>
Apparently Analagous Threads
- How to have more than on SELinux context on a directory
- How to have more than on SELinux context on a directory
- How to have more than on SELinux context on a directory
- How to have more than on SELinux context on a directory
- SELinux and "i_stream_read() failed: Permission denied"