Bug 160556 - common context for shared data needed
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Keywords: FutureFeature
Reported: 2005-06-15 15:45 EDT by Thomas J. Baker
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.1-1
Doc Type: Enhancement
Last Closed: 2005-08-25 11:00:33 EDT
Description Thomas J. Baker 2005-06-15 15:45:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
In looking at the policy for rsync, it looks like it is allowed access to files of types rsync_data_t and ftpd_anon_t. In my experience, shared data is commonly accessed by rsync, ftp, or httpd. Would it make sense to either have a shared_data_t that all three can access or to add httpd_sys_content_t to the rsync policy? Or is there some other type already defined for this type of thing?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Didn't try


Additional info:
Comment 1 Daniel Walsh 2005-06-15 16:17:43 EDT
Since rsync and ftp can read ftpd_anon_t I think we should add a httpd, but we
should bring this up on a list.  Maybe a shared_data_t might be a good idea.  So
you could set up a boolean for each app to 

allow_ftp_read_shared_data
allow_httpd_read_shared_data 
...
Comment 2 Daniel Walsh 2005-08-25 11:00:33 EDT
Fixed in selinux-policy-targeted-1.25.1-1
Comment 3 Thomas J. Baker 2005-09-14 21:32:16 EDT
What was the resolution? I don't see any of those booleans. I also just ran into
another case where it would be nice to add samba to the list.
Comment 4 Thomas J. Baker 2005-12-06 15:48:04 EST
I'd really like to know what the resolution to this was. I've searched the
policy source and can't find anything like a shared_data_t anywhere. I'm running
selinux-policy-targeted-1.27.1-2.14.
Comment 5 Daniel Walsh 2005-12-07 12:09:46 EST
public_content_t, public_content_rw_t
Comment 6 Thomas J. Baker 2005-12-07 15:18:03 EST
Thanks. I saw those but didn't make the connection - the apache.te seemed to be
the only domain that even referenced them and then only in a comment. Seems
anonymous_domain is the way those contexts are specified in the *.te files. I'll
test it out.
Comment 7 Daniel Walsh 2005-12-07 16:06:14 EST
Look at the man pages

man httpd_selinux
man ftpd_selinux
...

It is documented in there.
Comment 8 Thomas J. Baker 2005-12-07 16:10:27 EST
Thanks. It all seems to work perfectly.
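
As an added example (not part of the bug thread or the policy source): a shell check that every file in a shared tree carries one of the types named in comment 5, plus the relabeling step. The path /srv/shared, the function names and the sample listing are assumptions constructed for illustration; relabeling uses semanage and restorecon from current SELinux tooling rather than anything quoted in the thread.

```shell
#!/bin/sh
# Added example: audit a shared tree for the types named in comment 5.
SHARED_TYPES="public_content_t public_content_rw_t"

# Read "<context> <path>" lines on stdin (the shape `stat -c '%C %n'` prints)
# and print "<path><TAB><type>" for every path whose type is not shared.
# The type is the third colon-separated field, with or without an MLS level.
find_mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        case " $SHARED_TYPES " in
            *" $setype "*) ;;                          # already a shared type
            *) printf '%s\t%s\n' "$path" "$setype" ;;  # needs relabeling
        esac
    done
}

# Audit a live tree; needs an SELinux-enabled host. Default path is a placeholder.
audit_tree() {
    find "${1:-/srv/shared}" -exec stat -c '%C %n' {} + | find_mislabeled
}

# Relabel a tree as read-only shared data (run as root): record the rule, then apply it.
label_tree() {
    semanage fcontext -a -t public_content_t "$1(/.*)?" && restorecon -R "$1"
}

# Constructed sample listing, so the check can be tried without SELinux.
sample_listing() {
    cat <<'EOF'
system_u:object_r:public_content_t:s0 /srv/shared
system_u:object_r:public_content_t:s0 /srv/shared/README
root:object_r:httpd_sys_content_t /srv/shared/index.html
system_u:object_r:public_content_rw_t:s0 /srv/shared/incoming
user_u:object_r:user_home_t:s0 /srv/shared/iso/disc 1.iso
EOF
}

sample_listing | find_mislabeled
```

Files that report a daemon-private or home-directory type here are the ones a second service will be denied on, which is the situation the original report describes.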
