[CentOS] How to have more than one SELinux context on a directory

Александр Кириллов nevis2us at infoline.su
Wed Jul 6 15:07:47 UTC 2016


> If I understand well, I could add a type to another type?!?!?!

No.

The default targeted policy is mostly about Type Enforcement. Quote from 
the manual:

"All files and processes are labeled with a type: types define a SELinux 
domain for processes and a SELinux type for files. SELinux policy rules 
define how types access each other, whether it be a domain accessing a 
type, or a domain accessing another domain. Access is only allowed if a 
specific SELinux policy rule exists that allows it."

You could have added a new type (e.g. tftpdir_rw_and_samba_share_t) to 
label the files in your shared directory and defined necessary rules to 
allow access to these files by processes running in certain confined 
domains. These new rules would most likely include a subset of rules 
already defined in the default policy for samba_share_t and tftpdir_rw_t 
types.

I've never added a new type myself and cannot really elaborate any 
further on the subject.

An easier approach would be to add the missing access rules for an already 
existing file type (either samba_share_t or tftpdir_rw_t).

BTW have you really tried to access files labelled with tftpdir_rw_t via 
samba or vice versa? There's already a number of rules in the default 
policy which allow ftp access to samba shares and smb/nmb access to 
files labelled with tftpdir_rw_t. E.g.

# sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
    allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
    allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
    allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
    allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
    allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Maybe the needed functionality is already there and all this discussion 
is the equivalent of shooting a gun at sparrows.
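An added example, not code from the original post or from the CentOS project, covering the two practical steps the reply suggests: first check with sesearch whether the confined domain already holds the permission you need on the existing type, and only then add the missing rules for that type in a small local policy module instead of inventing a new type. The sesearch output embedded below is constructed to mirror the rules quoted in the post; the domain name tftpd_t, the module name local_tftp_samba and the path of the selinux-policy-devel Makefile are assumptions, and loading the module requires root.

```shell
#!/bin/sh
# Added example, not from the original post.
# Part 1: has_perm parses sesearch output and reports whether DOMAIN already
#         holds PERM on TYPE:CLASS. It accepts the setools-3 format shown in
#         the post ("allow a b : cls { ... } ;") and the setools-4 format
#         ("allow a b:cls { ... };").
# Part 2: write_local_module emits a .te granting an existing domain extra
#         access to an existing file type (the "easier approach" in the post).
# Assumed names: tftpd_t (tftp daemon domain), module name local_tftp_samba.

# Constructed sample mirroring the rules quoted in the post (ftpd_t -> samba_share_t).
SAMPLE_SESEARCH='allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;'

# has_perm DOMAIN TYPE CLASS PERM
# Reads allow rules on stdin; exits 0 if DOMAIN has PERM on TYPE:CLASS, else 1.
has_perm() {
    # normalise both output formats so ":" "{" "}" ";" become separate tokens
    sed 's/:/ : /g; s/{/ { /g; s/}/ } /g; s/;/ ; /g' |
    awk -v d="$1" -v t="$2" -v c="$3" -v p="$4" '
        $1 == "allow" && $2 == d && $3 == t && $5 == c {
            # permissions are the tokens between "{" and "}"
            inside = 0
            for (i = 6; i <= NF; i++) {
                if ($i == "{") { inside = 1; continue }
                if ($i == "}") { inside = 0; continue }
                if (inside && $i == p) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# live_rules DOMAIN TYPE: allow rules of the loaded policy for one source/target pair
# (sesearch is from setools; -s selects the source domain, -t the target type).
live_rules() {
    sesearch --allow -s "$1" -t "$2"
}

# write_local_module FILE: .te source giving tftpd_t read-only access to
# samba_share_t files and directories. Raw allow rules need a require block
# for every type they mention; this is the same shape audit2allow generates.
write_local_module() {
    cat > "$1" <<'EOF'
policy_module(local_tftp_samba, 1.0)

require {
    type tftpd_t;
    type samba_share_t;
}

# let the tftp daemon traverse and read what Samba exports, nothing more
allow tftpd_t samba_share_t:dir { getattr open read search };
allow tftpd_t samba_share_t:file { getattr open read };
EOF
}

# build_and_load NAME: compile NAME.te in the current directory and load it.
# Assumed Makefile path from selinux-policy-devel; must run as root.
build_and_load() {
    make -f /usr/share/selinux/devel/Makefile "$1.pp" && semodule -i "$1.pp"
}

# Stand-alone demo: query the live policy when sesearch exists, else use the sample.
if command -v sesearch >/dev/null 2>&1; then
    rules=$(live_rules ftpd_t samba_share_t)
else
    rules=$SAMPLE_SESEARCH
fi
for perm in read write execute; do
    if printf '%s\n' "$rules" | has_perm ftpd_t samba_share_t file "$perm"; then
        echo "ftpd_t may $perm samba_share_t files"
    else
        echo "ftpd_t may NOT $perm samba_share_t files"
    fi
done
```

To apply the second part on a real box: `write_local_module local_tftp_samba.te && build_and_load local_tftp_samba`, then re-run the sesearch check with `-s tftpd_t` to confirm the rule is loaded. Keep the allow list to what the AVC denials actually ask for; a module that grants write or unlink where the service only needs read quietly widens what a compromised daemon can do to the share.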



