Hello,
I need to have the tftpdir_rw_t and samba_share_t SELinux context on the same directory.
How can we do this? Is it feasible to have more than one SELinux context?
Thanks, Bernard
I don't think it's possible/feasible. You'd probably need to add a new type and necessary rules to your local policy. Or add missing allow rules to an existing type (tftpdir_rw_t or samba_share_t). Or use audit2allow to add necessary allow rules to an existing type. Any of the above could be a major PITA.
Александр Кириллов wrote on 2016-07-05 19:58:
Some links and commands which might be useful if you really need this done:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types
# sesearch --help
# sesearch --allow -t samba_share_t
# sesearch --allow -t tftpdir_rw_t
If I understand well, I could add a type to another type?!?!?! If that is the case, I did not know about it.... like many things in the SELinux world. It is so complex and so badly documented. :-(
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
2016-07-06 14:30 GMT+03:00 Bernard Fay bernard.fay@gmail.com:
Poorly? Just read the documents: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
and google "selinux rhel" ..
-- Eero
On 07/06/2016 04:30 AM, Bernard Fay wrote:
It is so complex and so badly documented.
It is fairly complex, but I don't think it's badly documented.
If I understand well, I could add a type to another type?!?!?!
No.
The default targeted policy is mostly about Type Enforcement. Quote from the manual:
"All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it."
You could have added a new type (e.g. tftpdir_rw_and_samba_share_t) to label the files in your shared directory and defined the necessary rules to allow access to these files by processes running in certain confined domains. These new rules would most likely include a subset of the rules already defined in the default policy for the samba_share_t and tftpdir_rw_t types.
I've never added a new type myself and cannot really elaborate any further on the subject.
An easier approach would be to add missing access rules for already existing file type (either samba_share_t or tftpdir_rw_t).
BTW have you really tried to access files labelled with tftpdir_rw_t via samba or vice versa? There's already a number of rules in the default policy which allow ftp access to samba shares and smb/nmb access to files labelled with tftpdir_rw_t. E.g.
# sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
Maybe the needed functionality is already there and all this discussion is the equivalent of shooting a gun at sparrows.
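The sesearch check suggested in the message above can be turned into a small script. What follows is an added example, not code from the thread: it reads `sesearch --allow` output and answers "which confined domains may perform PERM on CLASS objects labelled TYPE?", so you only write local policy for rules that are really missing. It assumes the setools 3.x output format shown in this thread (CentOS 7, package setools-console): `allow SRC TGT : CLASS { perm ... } ;`. The rules in `sample_rules` are constructed for the demo (only the first line is the real rule quoted above); generate real input with `sesearch --allow -t tftpdir_rw_t`.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise who may read/write a
# file type from `sesearch --allow` output before touching local policy.
# Assumes setools 3.x line format (CentOS 7):
#   allow SRC TGT : CLASS { perm perm ... } ;
#   allow SRC TGT : CLASS perm ;            (single permission, no braces)
# setools 4 (RHEL 8+) prints "SRC TGT:CLASS" without spaces; adjust $3/$5 there.

# domains_with_perm TYPE CLASS PERM: reads sesearch output on stdin and prints
# each source domain (once) whose rule grants PERM on CLASS objects of TYPE.
domains_with_perm() {
  awk -v tgt="$1" -v cls="$2" -v perm="$3" '
    $1 == "allow" && $3 == tgt && $5 == cls {
      if ($6 != "{") {                        # single permission, no braces
        if ($6 == perm && !seen[$2]++) print $2
        next
      }
      for (i = 7; i <= NF && $i != "}"; i++)  # permissions listed inside { }
        if ($i == perm && !seen[$2]++) { print $2; break }
    }'
}

# report TYPE RULES_FILE: one line showing who may read and who may write files of TYPE.
report() {
  printf 'type %s: file read by [%s], file write by [%s]\n' "$1" \
    "$(domains_with_perm "$1" file read  < "$2" | sort | xargs)" \
    "$(domains_with_perm "$1" file write < "$2" | sort | xargs)"
}

# CONSTRUCTED sample input for the demo. Only the first line is the real rule
# quoted in the thread; the others are made up to show a read-but-not-write
# case. Do not read them as the policy on your own system.
sample_rules() {
  cat <<'EOF'
allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow tftpd_t tftpdir_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t tftpdir_rw_t : file { ioctl read getattr lock open } ;
allow smbd_t tftpdir_rw_t : dir search ;
EOF
}

# Demo run over the constructed rules.
tmp=$(mktemp)
sample_rules > "$tmp"
report samba_share_t "$tmp"
report tftpdir_rw_t "$tmp"
rm -f "$tmp"
```

On a real box: `sesearch --allow -t tftpdir_rw_t > rules.txt; report tftpdir_rw_t rules.txt`. If smbd_t is missing from the write list, the audit2allow route is `ausearch -m AVC -ts recent | audit2allow -M local_tftp_smb`, but read the generated .te before `semodule -i local_tftp_smb.pp`: audit2allow proposes a rule for every denial it sees, including ones you do not want to grant.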
I can access /depot/tftp from a tftp client but am unable to do it from a Windows client as long as SELinux is enforcing. If SELinux is permissive I can access it, so I know Samba is properly configured.
# getenforce
Enforcing
# ls -dZ /depot/tftp/
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/
And if I do it the other way around, give the directory a type samba_share_t then the tftp clients are unable to push files.
# getenforce
Enforcing
[root@CTSFILESRV01 depot]# ls -ldZ tftp/
drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/
I would then need to either create my own type or add the missing access rules as you suggest. Unfortunately, this will have to wait until I have time, which I don't have at the moment.
Thanks for your help
On 06/07/16 21:17, Bernard Fay wrote:
Don't forget that it's about process type and context. If you need multiple processes/domain types accessing the same context files, you'd probably just need a common context/label.
<tip> man -k _selinux => will show you man pages for everything regarding selinux and domain/process/context </tip>
=> man tftpd_selinux => search for samba and:
<quote> If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. </quote>
But read the whole tftpd_selinux and samba_selinux man pages (and they share almost the same content for "Sharing files" stanzas :-)
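The procedure from the man-page quote above, written out as an added example (not code from the thread or from the man pages) for the /depot/tftp directory discussed here: a persistent file-context rule, a relabel, the per-domain write booleans, and a verification step. Assumptions to check on your own host: CentOS/RHEL 7 targeted policy, `semanage` from policycoreutils-python, and that the write booleans are named tftp_anon_write and smbd_anon_write (list them with `getsebool -a | grep anon_write`).

```shell
#!/bin/sh
# Added example, not code from the thread: label a directory public_content_rw_t
# so both tftpd_t and smbd_t may write to it, then verify.
# Assumptions: CentOS/RHEL 7 targeted policy; booleans tftp_anon_write and
# smbd_anon_write (check `getsebool -a | grep anon_write`); semanage from
# policycoreutils-python; /depot/tftp is the directory from the thread.

# type_of_context CONTEXT: print the type field of an SELinux context string,
# e.g. system_u:object_r:tftpdir_rw_t:s0 -> tftpdir_rw_t. Pure string handling,
# so it works on a non-SELinux host and on contexts carrying an MLS range.
type_of_context() {
  rest=${1#*:}                  # strip user:  object_r:tftpdir_rw_t:s0
  rest=${rest#*:}               # strip role:  tftpdir_rw_t:s0
  printf '%s\n' "${rest%%:*}"   # keep type:   tftpdir_rw_t
}

# share_for_tftp_and_samba DIR: make DIR writable by tftpd_t and smbd_t.
share_for_tftp_and_samba() {
  dir=$1
  spec="${dir}(/.*)?"           # regex covering the directory and everything under it
  # Persistent file-context rule so restorecon / a relabel keeps the type.
  # -a fails if a rule for this path already exists, so fall back to -m (modify).
  semanage fcontext -a -t public_content_rw_t "$spec" 2>/dev/null \
    || semanage fcontext -m -t public_content_rw_t "$spec"
  restorecon -Rv "$dir"
  # public_content_rw_t is readable by all the file-sharing domains; write
  # access is gated per domain by a boolean. -P persists across reboots.
  setsebool -P tftp_anon_write on
  setsebool -P smbd_anon_write on
}

# verify_shared DIR: non-zero exit if the on-disk type or the booleans are wrong.
verify_shared() {
  ctx=$(stat -c %C "$1")        # GNU stat: %C prints the SELinux context
  if [ "$(type_of_context "$ctx")" != public_content_rw_t ]; then
    echo "unexpected type on $1: $ctx" >&2
    return 1
  fi
  for b in tftp_anon_write smbd_anon_write; do
    getsebool "$b" | grep -q -- '--> on$' || { echo "boolean $b is off" >&2; return 1; }
  done
}

# Only act when explicitly asked: needs root on an SELinux-enabled host.
if [ "${1:-}" = "--apply" ]; then
  share_for_tftp_and_samba /depot/tftp && verify_shared /depot/tftp
fi
```

Run as `sh share.sh --apply`. Note the trade-off the man page states: every domain listed there (Apache, FTP, rsync, Samba) can now read the directory, and the booleans only gate writes. The narrower alternative of keeping tftpdir_rw_t and turning on samba_export_all_rw is not really narrower, since that boolean lets smbd read and write every file on the system, not just this directory.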
Thanks Fabian,
That's what I need! A bit more open than I wish but it is ok.
One more thing... I got some problems to get the man page for tftpd_selinux.
[ ]$ yum search tftpd_selinux
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
Warning: No matches found for: tftpd_selinux
No matches found

[ ~]$ yum provides tftpd_selinux
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
No matches found
Of course, Google came to the rescue. But is there another way, a Linux- or yum-based solution, to find the proper packages when yum search or yum provides don't find it?
Thanks again
You are looking for a man page, which usually belongs in a man section and is compressed. You can do:
$ yum provides /usr/share/man/man8/tftpd_selinux.8.gz
or, more generally:
$ yum provides */tftpd_selinux*
provided the asterisks don't resolve to something already existing in your local dir... You can escape or quote them in that case.
Marcelo