On Fri, 2005-01-07 at 08:09 -0700, Ivan Gyurdiev wrote:
Hi,
I have a fairly trivial setup (I think) that I'd like to get working under SELinux.
I have a bunch of data on /data, which is its own LVM logical volume. I have symlinks to the parts of the data in /data/smb that I'd like to export via smb.
My server also exports user home directories and all printers.
The problem is:
Stuff on /data is labeled: system_u:object_r:default_t
Stuff on /home is labeled: system_u:object_r:user_home_dir_t under system_u:object_r:home_root_t
I get:
audit(1105106751.784:0): avc: denied { search } for pid=32352 exe=/usr/sbin/smbd name=/ dev=dm-1 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1105107520.694:0): avc: denied { search } for pid=32629 exe=/usr/sbin/smbd name=/ dev=dm-2 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:home_root_t tclass=dir
You have /root on this share? Interesting. I'm not sure you can do what I describe below in /root.
- How can I address this situation?
Try relabeling the portions of /data that you want to have user_home_dir_t and user_home_t:
chcon -t user_home_dir_t /data/smb
cd /data/smb
chcon -R -t user_home_t ./*
- What if I wanted to share /data over httpd as well?
Off the top of my head, I don't think you can both share /data over httpd and have it be normal user home directory data. The types are distinctly separate. The normal procedure is to have an e.g. public_html/ folder, which would have a different type.
There is a Boolean value for httpd that will allow httpd to access user directories, for the purpose of serving content that is labeled appropriately. You can set this using system-config-securitylevel, SELinux tab > Modify SELinux Policy > Allow HTTPD to read home directories. You then need to relabel the content you want served:
chcon -t httpd_sys_content_t /path/to/public_html/
The folder gains the new type, and all children created inside of that gain the type.
This guide has more information on customizing Apache and SELinux:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-user-homedir.html
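As an added example (not part of the thread above), here is a small POSIX sh script that parses the two AVC denials quoted in the mail into their type-level fields, lists which target types smbd_t was refused on, and prints the chcon sequence the reply recommends for the exported directory (using -t, the type flag). The function names and the /data/smb argument are assumptions for illustration; the log text is copied from the message.

```shell
#!/bin/sh
# Added example, not from the original thread. The log below is copied from the
# mail above and stored inline so the script runs without an SELinux host.

AVC_LOG='audit(1105106751.784:0): avc: denied { search } for pid=32352 exe=/usr/sbin/smbd name=/ dev=dm-1 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1105107520.694:0): avc: denied { search } for pid=32629 exe=/usr/sbin/smbd name=/ dev=dm-2 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:home_root_t tclass=dir'

# avc_summary LOG: one line per denial in the form
#   "<perm> <source type> <target type> <class> <device>"
# The third colon-separated field of scontext/tcontext is the SELinux type.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
      's/.*denied { \([a-z_]*\) }.*dev=\([^ ]*\) .*scontext=[^:]*:[^:]*:\([^ ]*\) tcontext=[^:]*:[^:]*:\([^ ]*\) tclass=\([a-z_]*\).*/\1 \3 \4 \5 \2/p'
}

# denied_target_types LOG SOURCE_TYPE: distinct target types SOURCE_TYPE
# (e.g. smbd_t) was denied access to, so you can see what needs relabeling.
denied_target_types() {
    avc_summary "$1" | awk -v src="$2" '$2 == src { print $3 }' | sort -u
}

# relabel_cmds DIR: the chcon sequence the reply suggests, scoped to the one
# exported directory; the rest of the /data volume keeps its default_t label.
# (Hypothetical helper; DIR defaults to the /data/smb path from the thread.)
relabel_cmds() {
    dir="${1:-/data/smb}"
    printf 'chcon -t user_home_dir_t %s\n' "$dir"
    printf 'chcon -R -t user_home_t %s/*\n' "$dir"
}

avc_summary "$AVC_LOG"
denied_target_types "$AVC_LOG" smbd_t
relabel_cmds /data/smb
```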