Shared data area

Daniel J Walsh dwalsh at redhat.com
Wed Jul 20 17:34:43 UTC 2005


Paul Howarth wrote:

> Daniel J Walsh wrote:
>
>> Paul Howarth wrote:
>>
>>> On Tue, 2005-07-19 at 13:12 +0200, Nicklas Norling wrote:
>>>
>>>> I would encourage a boolean for shared data location. I think 
>>>> labeling a folder and its subcontent with a specific label and 
>>>> then having different services be able to use it might be a start. 
>>>> That way I could disallow smb the rights but allow ftpd and httpd 
>>>> (as an example). I think that would be a great improvement from my 
>>>> point of view.
>>>
>>> I think this is a great idea. I have a file server at home where I 
>>> stick all the software I've downloaded, some for Linux and some for 
>>> Windows. The Windows box accesses the area using samba and Linux uses 
>>> httpd as I've set up a local yum repo for the Linux software. So in 
>>> Nicklas' idea I'd be enabling httpd and smb for this and not ftp.
>>>
>>> This type might be a good one to use for everything under /srv...
>>>
>>> Paul.
>>>
>> Ok.  I am allowing ftpd, samba, apache and/or apache scripts, rsync 
>> to read ftpd_anon_t.
>>
>> So if you want files shared by these services, you can change the 
>> context to ftpd_anon_t.
>
> Would it not be better to create a new type for a shared data area 
> (e.g. srv_data_t), with booleans allowing read/write access to this 
> data for each daemon, rather than overloading an existing type? After 
> all, some process has to set up this data area, and for some people 
> that will be done using ftp, some sftp, some rsync, some samba etc...
>
I could do that, but I was already sharing the type between rsync and 
ftp.  Basically I think of this type as data available on the network 
requiring no authorization to read, or for ftpd_anon_rw_t, to write.  
Creating a bunch of booleans for each daemon that might use the type 
seems like a lot of complexity for limited additional security.  If I have a 
server running apache and ftpd, I can't see what the difference is in 
allowing them to read the data via the ftp protocol, but not via the 
http protocol.  But I am willing to be persuaded.

> Obviously this is much harder to do but I thought I'd ask anyway :-)
>
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
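Paul's proposal above (a dedicated shared-data type with one boolean per daemon, all off by default), sketched as a refpolicy-style loadable module; this is an added example, not policy shipped by Fedora or written by either poster, and the module, type, boolean and path names are assumptions:

```selinux
# srv_data.te -- hypothetical module; srv_data_t and the boolean names are assumptions
policy_module(srv_data, 1.0)

# One type for the shared area. files_type() marks it as an ordinary file type so
# relabeling, backup and admin domains keep their generic access.
type srv_data_t;
files_type(srv_data_t)

# One tunable per daemon and access level, default off: each service has to be
# switched on explicitly (setsebool -P <name> on), which is the least-privilege
# default the thread asks for.
gen_tunable(httpd_read_srv_data, false)
gen_tunable(ftpd_read_srv_data, false)
gen_tunable(samba_read_srv_data, false)
gen_tunable(samba_write_srv_data, false)

# Daemon domains are declared by the base policy; this module only refers to them.
gen_require(`
	type httpd_t;
	type ftpd_t;
	type smbd_t;
')

# Read-only access for the web server (the yum repo case from the thread).
tunable_policy(`httpd_read_srv_data', `
	allow httpd_t srv_data_t:dir list_dir_perms;
	allow httpd_t srv_data_t:file read_file_perms;
')

# Read-only access for anonymous ftp; left off on Paul's server.
tunable_policy(`ftpd_read_srv_data', `
	allow ftpd_t srv_data_t:dir list_dir_perms;
	allow ftpd_t srv_data_t:file read_file_perms;
')

# Samba: read is separate from write, so the daemon that populates the
# area can be the only one allowed to modify it.
tunable_policy(`samba_read_srv_data', `
	allow smbd_t srv_data_t:dir list_dir_perms;
	allow smbd_t srv_data_t:file read_file_perms;
')
tunable_policy(`samba_write_srv_data', `
	allow smbd_t srv_data_t:dir manage_dir_perms;
	allow smbd_t srv_data_t:file manage_file_perms;
')

# srv_data.fc -- file context so restorecon labels the area (path is an assumption)
# /srv/share(/.*)?	gen_context(system_u:object_r:srv_data_t,s0)
```

The module is built with the usual refpolicy module toolchain and loaded with semodule; after that, `restorecon -R /srv/share` applies the label and each daemon gets access only when its boolean is set.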


