On Sun, Mar 21, 2010 at 08:21:02AM -0800, Toby Ovod-Everett wrote:
Here are some things to take into consideration:
1. From the perspective of SELinux we do not have to do anything to give users access, since
in a vanilla Fedora 12
configuration users are unconfined (exempted from SELinux).
2. We can give Samba access to read and write any content by setting boolean
This means that we only have to take care of http.
Using the samba_export_all_rw boolean is essential I believe to meet your exotic
There are three major directory trees that impact the photo system:
/data/photos - contains the actual digital images in /data/photos/images and
the information about them in /data/photos/info. Context from / is:
dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
/data/photos needs to be r/w for my user account (which is a member of photos)
As said above, by default users are unconfined wrt SELinux in a stock Fedora 12 config, thus
no need to do anything here.
and readable for apache. I generally access /data/photos through
my user machine which runs (gasp) Windows 7.
You should probably label data and everything below data with type httpd_sys_content_t. httpd
is allowed to read that type.
/var/www/cgi-bin/photos - contains the Perl scripts that implement the web
frontend for viewing the photos (loading photos is all done from the Command
Line). I have httpd_enable_cgi=>on in order to support this. Context is
unchanged from default configs. Desire r/w access through Samba from my user
machine for editing the scripts using Notepad++.
Leave this as is. Apache can run scripts labeled httpd_sys_script_exec_t in the
httpd_sys_script_t domain. Samba can read and write any content if samba_export_all_rw is
The use of the samba_export_all_rw boolean is discouraged since obviously samba will be
able to write almost any file.
However you do not have much choice unless you modify policy in a major way.
I would probably use openssh to edit these scripts.
/var/www/html/thumbnails - contains directories of thumbnails for the photos.
These are persistently cached in this tree and automatically generated or
updated as required by the Perl scripts above when required. This data
doesn't have to persist across rebuilds. There are different subdirectories
for the different supported thumbnail sizes and each subdir needs to be
r/w for apache. Context from / is:
dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
If your perl webscript needs to create files in existing sub directories in thumbnails/
then I would label these sub directories type httpd_sys_content_rw_t and set
httpd_anon_write to true.
Samba will be able to read and write to these files and types since the
samba_export_all_rw allows samba to read and write almost any type.
One of the main issues is that I need Samba to have r/w to a bunch of the
trees that apache needs access to. Current Samba SELinux config is
samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
but then I need to be able to figure out how to give Samba r/w access to the
If you set samba_export_all_rw to true then you do not need the public_content_(rw)_t types,
since samba will be able to read and write almost any file and type. In that case I
believe you can set allow_samba_anon_write to false.
Now on to the "what broke" question. Somewhere in the last two months
been a while since I've added photos), I lost the ability to use Samba to
access /data/photos. Generally I access it through a symlink in my homedir:
lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
This has stopped working. Things I tried:
* Verifying symlinks. I have Mail -> mail in my homedir and that still works.
* Verifying SELinux settings conform to above model.
* Creating a separate share for /data/photos. This worked.
If this is at all SELinux related (see if it works in permissive mode to rule in or rule
out SELinux) then it would
help if you enclose an AVC denial. Some denials are hidden; use semodule -DB to expose
hidden denials and semodule -B to go back to the original state.
I obviously have a workaround now, but as a solution it's annoying, because it
requires me to create separate shares for all of the things I want to access
from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
/var/www/html/public_html/toby) and then map to them all separately on my
Windows machine on separate drive letters, instead of having a single share
that accesses everything.
I'm beginning to suspect the problem is Samba, not SELinux, because my
attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
up any events that correlate with attempts to access those directories through
the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
announced in early February, but I'm hitting my patience limit (my 3 year old
is ready for breakfast), so I'm going to stop writing and go with my
workaround for now. But if anyone has advice, please offer!
I would probably attempt to implement a solution that does not require samba_export_all_rw
to be set true, since that is very coarse.
However with your requirements this is the only simple way.
I would probably use openssh wherever possible. That may be just enough to be able to
set samba_export_all_rw to false.
Another solution would be to perform serious surgery to fedora policy. You would create
special types and a special web app domain and give both apache and samba the permissions
selinux mailing list
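The reply above asks for an AVC denial to be enclosed, and the original post mentions searching with ausearch for both avc and user_avc records. The following is an added example, written for this thread and not code from either poster: it pulls the fields that matter (source domain, target type, object class, permissions, process and path) out of raw audit lines and groups them, which is the view you need before deciding whether a label or a boolean is the problem. The audit lines embedded below are constructed to illustrate the format; they are not from Toby's system, and the domains, types, paths and process names in them are assumptions chosen to match the trees discussed in the thread.

```python
import re
from collections import defaultdict

# Matches the core of an SELinux AVC record. The same text appears both in
# type=AVC lines (kernel object manager) and inside the msg='avc: ...' payload
# of type=USER_AVC lines (userspace object managers such as dbus).
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be double-quoted (comm="smbd", path="/data/photos").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit lines (not from a real host): what denials would look
# like if samba_export_all_rw were off, if a thumbnail directory were still labelled
# httpd_sys_content_t, plus one USER_AVC and one unrelated SYSCALL record.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1269186000.101:201): avc:  denied  { read } for  pid=2345 comm="smbd" '
    'name="photos" dev=sda3 ino=131075 scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1269186000.101:201): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1269186050.337:214): avc:  denied  { write } for  pid=2410 comm="photos.pl" '
    'name="180x180" dev=sda3 ino=262150 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1269186050.338:215): avc:  denied  { add_name } for  pid=2410 comm="photos.pl" '
    'name="0001.jpg" scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    "type=USER_AVC msg=audit(1269186100.456:220): user pid=1234 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  "
    "{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello "
    "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "tclass=dbus exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
]


def context_type(ctx):
    """Return the type field of a context such as system_u:system_r:smbd_t:s0.

    Works for MCS contexts too (s0-s0:c0.c1023), since the type is always index 2.
    """
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for AVC/USER_AVC denials, else None."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    # Strip the quotes around quoted values and the closing ' of a USER_AVC msg.
    fields = {k: v.strip('"').rstrip("'") for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "record": "USER_AVC" if "type=USER_AVC" in line else "AVC",
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "sdomain": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        # Kernel AVCs carry either a full path= or only the last name= component.
        "path": fields.get("path") or fields.get("name"),
    }


def summarize(lines):
    """Group denials by (source domain, target type, object class), merging permissions.

    This triple is what decides the fix: a wrong target type means relabelling,
    a correct type with a denied permission usually means a boolean or policy change.
    """
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            groups[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return {k: sorted(v) for k, v in groups.items()}


def denials_for(lines, comm):
    """Denials raised by one process name, e.g. "smbd" or "httpd"."""
    return [d for d in (parse_avc(l) for l in lines) if d and d["comm"] == comm]


if __name__ == "__main__":
    for (sdom, ttype, tclass), perms in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{sdom:>22} -> {ttype:<24} {tclass:<5} {{ {' '.join(perms)} }}")
    for d in denials_for(SAMPLE_AUDIT, "smbd"):
        print("smbd denial:", sorted(d["perms"]), d["tclass"], d["path"])
```

To use it on a live box, feed it the output of `ausearch -m avc,user_avc -ts recent` (after `semodule -DB` if you suspect dontaudit rules are hiding the record) instead of the constructed list. An empty summary for comm="smbd" while the access still fails is exactly the situation described in the thread, and points away from SELinux and towards Samba itself.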