On Fri, 2005-01-07 at 08:09 -0700, Ivan Gyurdiev wrote:
> Hi,
> I have a fairly trivial setup (I think) that I'd like to get working
> under SELinux.
> I have a bunch of data on /data, which is its own LVM logical volume.
> I have symlinks to the parts of the data in /data/smb that I'd like to
> export via smb.
> My server also exports user home directories and all printers.
> The problem is:
> Stuff on /data is labeled: system_u:object_r:default_t
> Stuff on /home is labeled: system_u:object_r:user_home_dir_t
> under system_u:object_r:home_root_t
> I get:
> audit(1105106751.784:0): avc: denied { search } for pid=32352
> exe=/usr/sbin/smbd name=/ dev=dm-1 ino=2 scontext=user_u:system_r:smbd_t
> tcontext=system_u:object_r:default_t tclass=dir
> audit(1105107520.694:0): avc: denied { search } for pid=32629
> exe=/usr/sbin/smbd name=/ dev=dm-2 ino=2 scontext=user_u:system_r:smbd_t
> tcontext=system_u:object_r:home_root_t tclass=dir
You have /root on this share? Interesting. I'm not sure you can do
what I describe below in /root.
> - How can I address this situation?
Try relabeling the portions of /data that you want to have
user_home_dir_t and user_home_t:
chcon -t user_home_dir_t /data/smb
cd /data/smb
chcon -R -t user_home_t ./*
> - What if I wanted to share /data over httpd as well?
Off the top of my head, I don't think you can both share /data over
httpd and have it be normal user home directory data. The types are
distinctly separate. The normal procedure is to have an e.g.
public_html/ folder, which would have a different type.
There is a Boolean value for httpd that will allow httpd to access user
directories, for the purpose of serving content that is labeled
appropriately. You can set this using system-config-securitylevel,
SELinux tab > Modify SELinux Policy > Allow HTTPD to read home
directories. You then need to relabel the content you want served:
chcon -t httpd_sys_content_t /path/to/public_html/
The folder gains the new type, and all children created inside of that
gain the type.
This guide has more information on customizing Apache and SELinux:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-user-homedir.html
--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
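An added example, not code from either poster: a small POSIX shell/awk script that parses AVC "denied" records like the two quoted at the top of the thread and reports, per record, the denied permission, the source and target types, the object class and the device. That makes it straightforward to see which directory types smbd could not reach (here default_t and home_root_t) before deciding what to relabel. It assumes each record is on a single line, as it is in /var/log/messages or audit.log (the mail client wrapped the quoted ones); the sample input is a constructed copy of the message's two denials.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Parses AVC "denied" records and prints one summary line per denial so the
# denial can be matched to the directory that needs relabeling.
# Assumption: one record per line, as written by the kernel to the log.

# Constructed sample input: the two denials from the message, one per line.
AVC_SAMPLE='audit(1105106751.784:0): avc: denied { search } for pid=32352 exe=/usr/sbin/smbd name=/ dev=dm-1 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1105107520.694:0): avc: denied { search } for pid=32629 exe=/usr/sbin/smbd name=/ dev=dm-2 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:home_root_t tclass=dir'

# Read records on stdin; print "perm source_type target_type tclass dev"
# for every denial, keeping only the type field of each security context.
summarize_avc() {
    awk '
    /avc: *denied/ {
        perm = ""
        if (match($0, /[{] *[a-z_ ]+ *[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        s = ""; t = ""; c = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { s = substr($i, 10) }
            else if ($i ~ /^tcontext=/) { t = substr($i, 10) }
            else if ($i ~ /^tclass=/) { c = substr($i, 8) }
            else if ($i ~ /^dev=/) { d = substr($i, 5) }
        }
        n = split(s, sp, ":"); st = sp[n]
        n = split(t, tp, ":"); tt = tp[n]
        print perm, st, tt, c, d
    }'
}

# List the distinct target types a given source type was denied access to.
# For the sample, "denied_target_types smbd_t" yields default_t and home_root_t.
denied_target_types() {
    summarize_avc | awk -v src="$1" '$2 == src { print $3 }' | sort -u
}

# Stand-alone usage: summarize the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

Feed it the real log instead of the sample (for example `grep 'avc: *denied' /var/log/messages | summarize_avc`) and the target-type column tells you which labels the relabel step in the reply has to produce; a denial whose target type is already user_home_dir_t or user_home_t after relabeling points at a different problem than the one discussed here.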