Are there any plans for generic contexts?

Paul Howarth paul at city-fan.org
Sun Dec 28 13:20:14 UTC 2008


On Sat, 27 Dec 2008 22:35:33 -0600
"Arthur Pemberton" <pemboa at gmail.com> wrote:

> Are there any plans for generic contexts? If not consider this a
> suggestion.
> 
> It would be useful if there were more generic contexts, for example
> 'shared_content_t'. Which all targeted daemons that share files (such
> as httpd, smbd, vsftpd) would all have access to these files. I am
> aware that I can probably write my own policy to allow this, but it
> seems like a fairly common use case.
> 
> Just tonight I wanted to make some web code I was working on available
> via a samba share so I could work a bit more fluidly form my laptop.
> But the files are already labeled for sharing under httpd.
> 
> On another machine, I give access to samba to one dir, and would also
> like to have access form httpd. For certain situations, even vsftpd.

public_content_t and public_content_rw_t have been available for a long
time to support this between ftp, http, samba, nfs, tftp, and rsync
daemons.

public_content_t is read-only to all daemons.

public_content_rw_t is read-only to all daemons but writable by any
daemon that has the appropriate boolean set:

allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon
allow_nfsd_anon_write
allow_rsync_anon_write
allow_smbd_anon_write
tftp_anon_write

Setting these booleans allows the associated daemon to write to
public_content_rw_t.

Paul.




More information about the selinux mailing list