For the specific use case you have mentioned, there is a boolean:

$ sepolicy booleans -b httpd_use_cifs
httpd_use_cifs=_("Allow httpd to access cifs file systems")

Hope that helps.


On Mon, Oct 31, 2022 at 4:41 PM Gionatan Danti <g.danti@assyoma.it> wrote:
On 2022-10-24 14:59 Gionatan Danti wrote:
> Hi Zdenek, let's say I have a directory /var/www/html (type httpd_t)
> which needs to be served both by httpd and smbd (type smbd_t).
>
> As I can not set two labels on such directory, I have an issue: if
> leaving type httpd_t, then smbd can not access it; if setting type
> smbd_t, then httpd can not access it.
>
> Sure, one can use samba_export_all_ro and similar booleans for this
> specific case. However, what if no appropriate booleans exist for the
> two services I want to share the same data? Does selinux have special
> provisioning for setting some files/dirs as "shared between these
> domains, as if multiple labels were used" or one has to explicitly
> allow the required access via a custom selinux policy (i.e.: by using
> audit2allow)?
>
> Regards.

Hi all,
any suggestions about that?

When lacking an appropriate boolean, is audit2allow the only way to
allow access to files labeled for another domain? Or can something be
done by using semanage?

Regards.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@assyoma.it - info@assyoma.it
GPG public key ID: FF5F32A8