On Fri, 2005-01-07 at 13:29 -0700, Ivan Gyurdiev wrote:
> That sounds like a hack. This isn't a home directory so why
> should I label it as such. It's a bunch of common files.
Well, that's currently the type we use for data that users can modify.
It may be a bit weird given the name, but if from a security perspective
the files elsewhere are equivalent to the user's $HOME, then giving them
the same label makes sense.
> Part of the problem in my mind is that I do not know what
> the SELinux types are, which ones I need to do what I want,
> and how to add new ones to perform this simple task.
Right; this is something that should definitely be documented somewhere.
Both the purpose of existing types, as well as how to add new ones for
specific purposes.
> Consider traditional UNIX permissions. There's a straightforward
> procedure for doing what I want. I create a group called data.
> I put whoever I want in it (user1, user2, user3, httpd..). Then
> I chgrp /data with that. Nice and simple.
Off-topic, but: you really want to use ACLs instead of groups; much
simpler than mucking about with groups.
> I forget what smbd does - I
> think it checks to see if the UNIX user that you're logged in with
> has access to that folder.
It uses setfsuid, IIRC.
> What's the SELinux equivalent?
You create a new type:
type foodata_t, file_type, sysadmfile;
Then grant permissions from other domains to it:
r_dir_file(user1_t, foodata_t)
create_dir_file(user2_t, foodata_t)
create_dir_file(samba_t, foodata_t)
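An added example (not from the thread) that writes out the type and grants sketched above as a complete old example-policy fragment, plus the file_contexts entry that keeps the label across a relabel. The /data path is an assumption; the domain names user1_t, user2_t and samba_t are the ones used in this thread.

```selinux
# Added example, not from the original reply.
# Assumed: the shared tree lives under /data.

# --- types/file.te (or a new file under domains/misc/) ---
# Declare the type once. file_type makes the generic file rules apply to it;
# sysadmfile lets the sysadm_t role manage it like any other ordinary file.
type foodata_t, file_type, sysadmfile;

# Read-only access for user1_t: search and list the directories, read the files.
r_dir_file(user1_t, foodata_t)

# Create, modify and delete for user2_t and for the Samba daemon domain.
# Anything not granted here (e.g. user1_t writing) is denied and logged as an AVC.
create_dir_file(user2_t, foodata_t)
create_dir_file(samba_t, foodata_t)

# --- file_contexts entry ---
# Make the label persistent so setfiles / restorecon put /data back to foodata_t
# instead of reverting it to whatever the parent directory's type is.
/data(/.*)?    system_u:object_r:foodata_t
```

After loading the rebuilt policy, apply the label with `restorecon -R /data` (or `chcon -R -t foodata_t /data`) and confirm with `ls -Z /data`; a user1_t write attempt should then appear as an AVC denial in the audit log rather than succeed.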