[CentOS] How to have more than on SELinux context on a directory

Wed Jul 6 19:17:25 UTC 2016

I can access /depot/tftp from a tftp client but unable to do it from a
Windows client as long as SELinux is enforced.  If SELinux is permissive I
can access it then I know Samba is properly configured.

# getenforce
Enforcing
# ls -dZ /depot/tftp/
drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/

And if I do it the other way around, give the directory a type
samba_share_t then the tftp clients are unable to push files.

# getenforce
Enforcing
[root at CTSFILESRV01 depot]# ls -ldZ tftp/
drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/

I would then to either create my own type or missing access rules as you
suggest. Unfortunately, this will be when I will have time which I don't
have at the moment.

Thanks for you help

On Wed, Jul 6, 2016 at 11:07 AM, Александр Кириллов <nevis2us at infoline.su>
wrote:

> If I understand well, I could add a type to another type?!?!?!
>>
>
> No.
>
> The default targeted policy is mostly about Type Enforcement. Quote from
> the manual:
>
> "All files and processes are labeled with a type: types define a SELinux
> domain for processes and a SELinux type for files. SELinux policy rules
> define how types access each other, whether it be a domain accessing a
> type, or a domain accessing another domain. Access is only allowed if a
> specific SELinux policy rule exists that allows it."
>
> You could have added a new type (eg tftpdir_rw_and_samba_share_t) to label
> the files in your shared directory and defined necessary rules to allow
> access to these files by processes running in certain confined domains.
> These new rules would most likely include a subset of rules already defined
> in the default policy for samba_share_t and tftpdir_rw_t types.
>
> I've never added a new type myself and cannot really elaborate any further
> on the subject.
>
> An easier approach would be to add missing access rules for already
> existing file type (either samba_share_t or tftpdir_rw_t).
>
> BTW have you really tried to access files labelled with tftpdir_rw_t via
> samba or vise versa? There's already a number of rules in the default
> policy which allow ftp access to samba shares and smb/nmb access to files
> labelled with tftpdir_rw_t. Eg
>
> # sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
>    allow ftpd_t samba_share_t : file { ioctl read write create getattr
> setattr lock append unlink link rename open } ;
>    allow ftpd_t samba_share_t : dir { ioctl read write create getattr
> setattr lock unlink link rename add_name remove_name reparent search rmdir
> open } ;
>    allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr
> setattr lock append unlink link rename } ;
>    allow ftpd_t samba_share_t : sock_file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
>    allow ftpd_t samba_share_t : fifo_file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
>
> May be the needed functionality is already there and all this discussion
> is the equivalent of shooting a gun on sparrows.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>