Hi all, as one file/dir can have one and only one selinux label, I wonder if/how one can allow processes from different domains to access the same files/dirs.
I know that for a specific executable and directory one can use the appropriate bools, for example samba_enable_home_dirs enables smbd to read/write home_root_t types. I also know that one can create and load a custom policy to allow the required access.
However, I wonder if an easier approach exists to let processes with different domains access the same set of files or directories.
Any clue? Thanks.
On Sat, Oct 22, 2022 at 9:16 PM Gionatan Danti g.danti@assyoma.it wrote:
Hi Danti,
I am not sure I am getting you right; please add an example if not. For accessing types from other modules, interfaces are used; refer to
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules...
-- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it email: g.danti@assyoma.it - info@assyoma.it GPG public key ID: FF5F32A8 _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On 2022-10-24 13:45 Zdenek Pytela wrote:
Hi Zdenek, let's say I have a directory /var/www/html (type httpd_t) which needs to be served both by httpd and smbd (type smbd_t).
As I can not set two labels on such a directory, I have an issue: if leaving type httpd_t, then smbd can not access it; if setting type smbd_t, then httpd can not access it.
Sure, one can use samba_export_all_ro and similar booleans for this specific case. However, what if no appropriate boolean exists for the two services I want to share the same data? Does selinux have special provisioning for setting some files/dirs as "shared between these domains, as if multiple labels were used", or does one have to explicitly allow the required access via a custom selinux policy (i.e. by using audit2allow)?
Regards.
On 2022-10-24 14:59 Gionatan Danti wrote:
Hi all, any suggestions about that?
When lacking an appropriate boolean, is audit2allow the only way to allow access to files labeled for another domain? Or something can be done by using semanage?
Regards.
For the specific use case you have mentioned, there is a boolean:
$ sepolicy booleans -b httpd_use_cifs
httpd_use_cifs=_("Allow httpd to access cifs file systems")
Hope that helps.
On Mon, Oct 31, 2022 at 4:41 PM Gionatan Danti g.danti@assyoma.it wrote:
On 2022-10-31 18:52 David Sastre wrote:
Hi David, sure, I know about this specific boolean; I used smbd vs httpd only as a (not so good?) example.
Regards.
On 10/24/22 05:45, Zdenek Pytela wrote:
What about public_content_t and public_content_rw_t?
On 2022-11-01 04:29 Orion Poplawski wrote:
I seem to remember that both these labels only affect smbd and httpd. Am I wrong?
I spoke about smbd and httpd only as an example of two domains having an appropriate boolean, and was asking "what if the boolean was not there? What can we do in this case, short of writing a specific policy?"
Thanks.
Gionatan Danti g.danti@assyoma.it writes:
public_content_(rw_)?t are fairly generic file types for sharing data, see
$ sesearch -A -t public_content_t -c file -p read
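The two approaches the thread converges on, worked through as an added example that is not code from any message above: (1) the generic public_content_rw_t type Orion and Petr point at, switched on for each domain with the stock *_anon_write booleans, and (2) for the case where no boolean exists, a small policy module of the kind Zdenek refers to, which declares its own shared type and grants it to as many domains as needed. It assumes a Fedora/RHEL targeted policy with selinux-policy-devel installed (that package provides /usr/share/selinux/devel/Makefile) and root for the install steps; the path /srv/shared, the module name shared_web_smb and the type shared_content_t are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: Fedora/RHEL targeted policy,
# selinux-policy-devel installed, run as root for the install steps.
# /srv/shared, shared_web_smb and shared_content_t are invented names.

# --- (1) generic sharing type + per-domain booleans ----------------------
# Read access to public_content_rw_t is granted widely (check with the
# sesearch line from the thread); write is gated per domain by the
# *_anon_write booleans shipped in the stock policy.
share_via_public_content() {
    dir="$1"
    semanage fcontext -a -t public_content_rw_t "${dir}(/.*)?"
    restorecon -Rv "$dir"
    setsebool -P smbd_anon_write on
    setsebool -P httpd_anon_write on
    sesearch -A -t public_content_rw_t -c file -p write
}

# --- (2) a dedicated shared type, granted to N domains -------------------
# Print the .te source: $1 module name, $2 new file type, rest = domains.
render_share_te() {
    name="$1" shared="$2"; shift 2
    printf 'policy_module(%s, 1.0)\n\n' "$name"
    printf 'type %s;\nfiles_type(%s)\n\n' "$shared" "$shared"
    printf 'require {\n'
    for d in "$@"; do printf '    type %s;\n' "$d"; done
    printf '}\n\n'
    for d in "$@"; do
        # create/read/write/rename on dirs and files carrying the shared type
        printf 'manage_dirs_pattern(%s, %s, %s)\n' "$d" "$shared" "$shared"
        printf 'manage_files_pattern(%s, %s, %s)\n' "$d" "$shared" "$shared"
    done
}

# Print the .fc line mapping the directory tree onto the new type.
render_share_fc() {
    printf '%s(/.*)?    gen_context(system_u:object_r:%s,s0)\n' "$1" "$2"
}

# Build with the devel Makefile, load, relabel, then prove the rules exist.
install_share_module() {
    name="$1" dir="$2" shared="$3"; shift 3
    work=$(mktemp -d)
    render_share_te "$name" "$shared" "$@" > "$work/$name.te"
    render_share_fc "$dir" "$shared" > "$work/$name.fc"
    ( cd "$work" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
    semodule -i "$work/$name.pp"
    restorecon -Rv "$dir"
    for d in "$@"; do
        sesearch -A -s "$d" -t "$shared" -c file -p write
    done
}

# Usage (as root):
#   sh share.sh install shared_web_smb /srv/shared shared_content_t httpd_t smbd_t
if [ "${1:-}" = install ]; then
    shift
    install_share_module "$@"
fi
```

The render_* functions only produce text, so the generated .te and .fc can be reviewed before anything is loaded. The module grants every listed domain full manage rights; replace the pattern macros with read_files_pattern/list_dirs_pattern for a domain that should only read. In both variants the parent directories still have to be searchable by each domain, which the example does not change. Declaring a type of your own is what keeps the shared data distinguishable from the rest of the web root later on; allow rules generated by audit2allow against the original type cannot give you that.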
On 2022-11-01 10:53 Petr Lautrbach wrote:
I missed it, thanks for noting. Regards.