Re: [FC5] Samba and SELinux
- From: Stephen Smalley <sds tycho nsa gov>
- To: Paul Howarth <paul city-fan org>
- Cc: fedora-selinux-list redhat com
- Subject: Re: [FC5] Samba and SELinux
- Date: Thu, 06 Apr 2006 08:06:15 -0400
On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
> You can't have multiple contexts for a file, so it's not possible AFAIK
> to have both the original context *and* public_content_rw_t.

Correct. See the "Multiple contexts" thread on the selinux list from
Jan 10 2005 for a discussion of why multiple contexts per file is a bad
idea. In short, it makes information flow analysis impossible without
considering the entire filesystem state.

> If your web server is only serving static data (nothing that requires
> write access to /var/www for the web server itself), you could
> relabel /var/www/* as public_content_t. If you have internal scripting
> like PHP that needs write access, you could use public_content_rw_t.
>
> However, if you're using cgi scripts that currently need
> httpd_script_exec_t, you'd need to generate a local policy module that
> allowed samba to read/write the httpd_* types.

Yes, local policy module seems like the sanest choice. If this is a
common situation, I suppose it could be incorporated into the upstream
policy under a boolean.

--
Stephen Smalley
National Security Agency
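
Added example, not part of the original message or of any upstream policy: a sketch of the kind of local policy module discussed above, letting Samba read and write web content while keeping CGI scripts read-only. The module name `local_samba_httpd` and the choice of the types `httpd_sys_content_t` and `httpd_sys_script_exec_t` are assumptions, as is a current targeted policy (the permission sets include `open`); adjust the types to whatever `ls -Z` shows under /var/www.

```te
# local_samba_httpd.te  (hypothetical module name)
#
# Build and load:
#   checkmodule -M -m -o local_samba_httpd.mod local_samba_httpd.te
#   semodule_package -o local_samba_httpd.pp -m local_samba_httpd.mod
#   semodule -i local_samba_httpd.pp

module local_samba_httpd 1.0;

require {
    type smbd_t;
    type httpd_sys_content_t;
    type httpd_sys_script_exec_t;
    class dir { getattr search open read write add_name remove_name
                create rmdir setattr rename reparent };
    class file { getattr open read write append create unlink rename
                 setattr lock ioctl };
}

# Static web content: Samba may list, read, create, modify and delete.
allow smbd_t httpd_sys_content_t:dir { getattr search open read write
    add_name remove_name create rmdir setattr rename reparent };
allow smbd_t httpd_sys_content_t:file { getattr open read write append
    create unlink rename setattr lock ioctl };

# CGI scripts: read-only here. Granting write on this type means anyone
# with write access to the share can change code that httpd executes,
# so add write permissions only if the share's users are trusted to
# deploy scripts.
allow smbd_t httpd_sys_script_exec_t:dir { getattr search open read };
allow smbd_t httpd_sys_script_exec_t:file { getattr open read ioctl lock };
```

Files keep their httpd_* labels, so the web server's existing access is unchanged; only smbd_t gains the listed permissions.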