On Fri, 2005-01-07 at 13:29 -0700, Ivan Gyurdiev wrote:
> That sounds like a hack. This isn't a home directory so why
> should I label it as such. It's a bunch of common files.
Well, that's currently the type we use for data that users can modify.
It may be a bit weird given the name, but if from a security perspective
the files elsewhere are equivalent to the user's $HOME, then giving them
the same label makes sense.
> Part of the problem in my mind is that I do not know what
> the SELinux types are, which ones I need to do what I want,
> and how to add new ones to perform this simple task.
Right; this is something that should definitely be documented somewhere.
Both the purpose of existing types, as well as how to add new ones for
> Consider traditional UNIX permissions. There's a straightforward
> procedure for doing what I want. I create a group called data.
> I put whoever I want in it (user1, user2, user3, httpd..). Then
> I chgrp /data with that. Nice and simple.
Off-topic, but: you really want to use ACLs instead of groups; much
simpler than mucking about with groups.
> I forget what smbd does - I
> think it checks to see if the UNIX user that you're logged in with
> has access to that folder.
It uses setfsuid, IIRC.
> What's the SELinux equivalent?
You create a new type:
type foodata_t, file_type, sysadmfile;
Then grant permissions from other domains to it:
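Worked example, added here by the editor and not part of the original thread: the one-line declaration above is in the 2005 example-policy syntax, where the attributes follow the type name. The block below recasts the same idea as a loadable policy module in the checkmodule/semodule syntax used with the reference policy, for the /data scenario from the quoted mail (users read/write, smbd serves the share, httpd only reads). The domain names user_t, httpd_t and smbd_t, the /data path and the MCS ":s0" suffix are assumptions about the target system; the sysadmfile attribute from the original line has no counterpart in the reference policy and is left out.

```selinux
# foodata.te -- added example, not from the original thread.
# Assumes a reference-policy based system where user_t, httpd_t and
# smbd_t exist (on a "targeted" policy ordinary users run as unconfined_t).
module foodata 1.0;

require {
    attribute file_type;
    type user_t;
    type httpd_t;
    type smbd_t;
    class dir  { getattr setattr search open read write lock ioctl
                 add_name remove_name create rmdir rename };
    class file { getattr setattr open read write append lock ioctl
                 create unlink link rename };
}

# The new type for the shared tree. Marking it file_type is what the
# "type foodata_t, file_type, ..." line does in the old syntax: generic
# rules written against the file_type attribute (backup, relabelling by
# administrators) then cover these files as well.
type foodata_t;
typeattribute foodata_t file_type;

# Read/write access for ordinary users: the counterpart of putting
# user1, user2, user3 into the "data" group. Files created inside a
# foodata_t directory inherit foodata_t, so no type_transition is needed.
allow user_t foodata_t:dir  { getattr setattr search open read write lock ioctl
                              add_name remove_name create rmdir rename };
allow user_t foodata_t:file { getattr setattr open read write append lock ioctl
                              create unlink link rename };

# smbd serves the share read/write on behalf of the same users.
allow smbd_t foodata_t:dir  { getattr setattr search open read write lock ioctl
                              add_name remove_name create rmdir rename };
allow smbd_t foodata_t:file { getattr setattr open read write append lock ioctl
                              create unlink link rename };

# httpd only publishes the content, so it gets read-only access: a
# narrower grant than a single group membership could express.
allow httpd_t foodata_t:dir  { getattr search open read lock ioctl };
allow httpd_t foodata_t:file { getattr open read lock ioctl };

# foodata.fc -- file-context entry; goes in a separate file when building.
# The ":s0" suffix assumes an MCS/MLS-enabled policy (assumption).
# /data(/.*)?    system_u:object_r:foodata_t:s0

# Build, install and relabel (policycoreutils):
#   checkmodule -M -m -o foodata.mod foodata.te
#   semodule_package -o foodata.pp -m foodata.mod -f foodata.fc
#   semodule -i foodata.pp
#   restorecon -R /data
```

After `restorecon`, `ls -Z /data` should show the foodata_t label on the tree; any domain not named in an allow rule is denied by default, which is the point where this differs from the group approach: adding httpd to a group gives it the same rights as the users, whereas here its access is limited to the permissions actually listed.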