[CentOS] How to have more than one SELinux context on a directory
Fabian Arrotin
arrfab at centos.org
Thu Jul 7 09:58:14 UTC 2016
On 06/07/16 21:17, Bernard Fay wrote:
> I can access /depot/tftp from a tftp client but unable to do it from a
> Windows client as long as SELinux is enforced. If SELinux is permissive I
> can access it then I know Samba is properly configured.
>
> # getenforce
> Enforcing
> # ls -dZ /depot/tftp/
> drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/
>
>
> And if I do it the other way around, give the directory a type
> samba_share_t then the tftp clients are unable to push files.
>
> # getenforce
> Enforcing
> [root at CTSFILESRV01 depot]# ls -ldZ tftp/
> drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/
>
>
> I would then have to either create my own type or missing access rules as you
> suggest. Unfortunately, this will be when I will have time which I don't
> have at the moment.
>
> Thanks for your help
>
Don't forget that it's about process type and context.
If you need multiple processes/domain types accessing the same context
files, you'd probably just need a common context/label.
<tip>
man -k _selinux => will show you man pages for everything regarding
selinux and domain/process/context
</tip>
=> man tftpd_selinux
=> search for samba and :
<quote>
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and
public_content_rw_t. These context allow any of the above domains to
read the content.
If you want a particular domain to write to the public_content_rw_t
domain, you must set the appropriate boolean.
</quote>
But read the whole tftpd_selinux and samba_selinux man pages (and they
share almost the same content for "Sharing files" stanzas :-)
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
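
Added example, not part of the original message: a shell script that applies the shared-label approach from the quoted man page text to the two contexts shown in the thread and prints the relabel commands for /depot/tftp. The boolean names tftp_anon_write and smbd_anon_write are assumed from the CentOS 7 targeted policy (older releases prefix them with allow_), and the function names are hypothetical.

```shell
#!/bin/bash
# Added example. Prints a relabel plan; it changes nothing on the system.

# Return the type field of a context string (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the type is one of the shared labels named in tftpd_selinux(8).
is_shared_type() {
    case "$1" in
        public_content_t|public_content_rw_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands that give DIR a label both daemons may write to.
# Boolean names are assumed (CentOS 7 policy); confirm with:
#   getsebool -a | grep anon_write
plan_shared_label() {
    dir=${1%/}
    echo "semanage fcontext -a -t public_content_rw_t '${dir}(/.*)?'"
    echo "restorecon -Rv '${dir}'"
    echo "setsebool -P tftp_anon_write on"
    echo "setsebool -P smbd_anon_write on"
}

# The two labels tried in the thread, as `ls -dZ` reported them.
for ctx in system_u:object_r:tftpdir_rw_t:s0 system_u:object_r:samba_share_t:s0; do
    t=$(context_type "$ctx")
    if is_shared_type "$t"; then
        echo "$t: shared label, nothing to do"
    else
        echo "$t: worked for one daemon only in the thread, relabel needed"
    fi
done

plan_shared_label /depot/tftp/
```

Review the printed commands and run them as root. If a file-context rule for the path already exists, use `semanage fcontext -m` in place of `-a`.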