[CentOS] How to have more than on SELinux context on a directory

Thu Jul 7 09:58:14 UTC 2016
Fabian Arrotin <arrfab at centos.org>

On 06/07/16 21:17, Bernard Fay wrote:
> I can access /depot/tftp from a tftp client but unable to do it from a
> Windows client as long as SELinux is enforced.  If SELinux is permissive I
> can access it then I know Samba is properly configured.
> # getenforce
> Enforcing
> # ls -dZ /depot/tftp/
> drwxrwxrwx. root root system_u:object_r:tftpdir_rw_t:s0 /depot/tftp/
> And if I do it the other way around, give the directory a type
> samba_share_t then the tftp clients are unable to push files.
> # getenforce
> Enforcing
> [root at CTSFILESRV01 depot]# ls -ldZ tftp/
> drwxrwxrwx. root root system_u:object_r:samba_share_t:s0 tftp/
> I would then to either create my own type or missing access rules as you
> suggest. Unfortunately, this will be when I will have time which I don't
> have at the moment.
> Thanks for you help

Don't forget that it's about process type and context.
If you need multiple processes/domain types accessing the same context
files, you'd probably just need a common context/label.

man -k _selinux => will show you man pages for everything regarding
selinux and domain/process/context

=> man tftpd_selinux
=> search for samba and :
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set  a  file  context  of  public_content_t  and
public_content_rw_t.   These context allow any of the above domains to
read the content.
 If you want a particular domain to write to the public_content_rw_t
domain, you must set the appropriate  boolean.

But read the whole tftpd_selinux and samba_selinux man pages (and they
share almost the same content for "Sharing files" stanzas :-)

Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20160707/00027b1a/attachment-0004.sig>