On Fri, 2005-01-07 at 13:29 -0700, Ivan Gyurdiev wrote:
> That sounds like a hack. This isn't a home directory, so why should I label it as such? It's a bunch of common files.
Well, that's currently the type we use for data that users can modify. It may be a bit weird given the name, but if from a security perspective the files elsewhere are equivalent to the user's $HOME, then giving them the same label makes sense.
> Part of the problem in my mind is that I do not know what the SELinux types are, which ones I need to do what I want, and how to add new ones to perform this simple task.
Right; this is something that should definitely be documented somewhere. Both the purpose of existing types, as well as how to add new ones for specific purposes.
> Consider traditional UNIX permissions. There's a straightforward procedure for doing what I want. I create a group called data. I put whoever I want in it (user1, user2, user3, httpd...). Then I chgrp /data with that. Nice and simple.
Off-topic, but: you really want to use ACLs instead of groups; much simpler than mucking about with groups.
> I forget what smbd does - I think it checks to see if the UNIX user that you're logged in with has access to that folder.
It uses setfsuid, IIRC.
> What's the SELinux equivalent?
You create a new type:
type foodata_t, file_type, sysadmfile;
Then grant permissions from other domains to it:
r_dir_file(user1_t, foodata_t)
create_dir_file(user2_t, foodata_t)
create_dir_file(samba_t, foodata_t)
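The whole procedure from the reply, written out as an added example that is not part of the original mail: the two files you would drop into the 2005-era example policy tree (a .te under domains/misc and a .fc under file_contexts/misc), plus the relabel step that is the actual counterpart of chgrp. The type foodata_t, the domains user1_t, user2_t and samba_t, the /data path and the policy source path are assumptions taken from the thread or labelled as such.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: foodata_t, user1_t,
# user2_t, samba_t (from the mail); /data (from the mail); the policy
# source directory default below is an assumption for a strict-policy box.
set -eu

# Type-enforcement file: declare the type, then grant each domain only what
# it needs (user1 read-only; user2 and smbd may create and write).
foodata_te() {
  cat <<'EOF'
# domains/misc/foodata.te -- shared data tree labelled foodata_t
type foodata_t, file_type, sysadmfile;

# read-only for user1, create/read/write for user2 and for smbd (samba_t)
r_dir_file(user1_t, foodata_t)
create_dir_file(user2_t, foodata_t)
create_dir_file(samba_t, foodata_t)
EOF
}

# File-context entry: this is what replaces "chgrp data /data". Without it
# the files keep their old label and none of the grants above apply.
foodata_fc() {
  printf '%s\n' '/data(/.*)?    system_u:object_r:foodata_t'
}

# Sanity check used by the test: number of domains granted access in the .te.
grant_count() {
  foodata_te | grep -c '_dir_file('
}

# On a real SELinux box: install both files into the policy source tree,
# rebuild and load the policy, relabel /data, then verify the label and
# the loaded rule. Not run by the test.
install_policy() {
  src=${1:-/etc/selinux/strict/src/policy}   # assumed location
  foodata_te > "$src/domains/misc/foodata.te"
  foodata_fc > "$src/file_contexts/misc/foodata.fc"
  (cd "$src" && make load)
  restorecon -R /data
  ls -dZ /data                               # expect ...:object_r:foodata_t
  sesearch -A -s samba_t -t foodata_t        # expect allow rules on dir/file
}
```

Denials show up in the audit log as avc: denied lines naming the source domain and foodata_t, which is the quickest way to see which grant is still missing.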