[newbie] SELinux and the /srv directory

Paul Howarth paul at city-fan.org
Wed Aug 17 07:09:48 UTC 2005


On Tue, 2005-08-16 at 21:36 -0400, Daniel J Walsh wrote:
> Razvan Sandu wrote:
> 
> > Hello,
> >
> >
> > Thanks to all of you for your responses about /srv !
> >
> > Just one more detail, to be precise:
> > I don't want those files to be read/written by *anyone* (i.e. 
> > anonymously), but just one predefined
> > group of users (/srv/project has sgid to that group, etc.).
> >
> > Should I still use the booleans you've mentioned ?
> >
> > Is there a piece of doc that contains a complete list of those SELinux 
> > booleans, with detailed explanations about each one, in order to do 
> > various such customizations ?
> >
> No, not yet.  They are somewhat explained in ftpd_selinux.8.  Having 
> only one group access them is a DAC requirement.  MAC will protect the 
> files from other processes.

In other words, use standard Unix/Linux group permissions to handle that
requirement :-) SELinux will restrict which processes can write to this
data, regular permissions will restrict which users can do so.

Paul.
-- 
Paul Howarth <paul at city-fan.org>
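
The DAC half of the advice above, as an added example that is not part of the original message: a POSIX shell helper that creates a setgid, group-only directory and audits a tree for entries that break the rule. The function names, the 2770 mode and the finding labels are assumptions made for illustration; SELinux labelling is a separate step and is not touched here.

```shell
#!/bin/sh
# Added example (hypothetical helper names): DAC setup and audit for a
# group-shared tree such as /srv/project. SELinux labels are not touched.

# Create DIR, hand it to GROUP, and set mode 2770:
#   2 = setgid, so new entries inherit GROUP; 770 = owner+group only.
setup_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Print every entry under DIR that breaks the "one group only" rule.
# Returns 0 when the tree is clean, 1 when anything was reported.
audit_shared_dir() {
    asd_dir=$1
    asd_group=$2
    asd_findings=$(
        # Entries owned by some other group.
        find "$asd_dir" ! -group "$asd_group" \
            -exec printf 'WRONG-GROUP  %s\n' {} +
        # Any read/write/execute bit granted to "other" (symlinks skipped,
        # their own mode is not used for access checks).
        find "$asd_dir" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'WORLD-ACCESS %s\n' {} +
        # Directories without setgid: files created there would get the
        # creator's primary group instead of the project group.
        find "$asd_dir" -type d ! -perm -2000 \
            -exec printf 'NO-SETGID    %s\n' {} +
    )
    if [ -z "$asd_findings" ]; then
        return 0
    fi
    printf '%s\n' "$asd_findings"
    return 1
}
```

Files created under a umask such as 022 are reported as WORLD-ACCESS and are not group-writable, so members working in the tree typically use umask 007.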
