From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
In looking at the policy for rsync, it looks like it is allowed access to files of types rsync_data_t and ftpd_anon_t. In my experience, shared data is commonly accessed by rsync, ftp, or httpd. Would it make sense to either have a shared_data_t that all three can access or to add httpd_sys_content_t to the rsync policy? Or is there some other type already defined for this type of thing?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Didn't try

Additional info:

Since rsync and ftp can read ftpd_anon_t I think we should add a httpd, but we should bring this up on a list. Maybe a shared_data_t might be a good idea. So you could set up a boolean for each app to
allow_ftp_read_shared_data
allow_httpd_read_shared_data
...

Fixed in selinux-policy-targeted-1.25.1-1
What was the resolution? I don't see any of those booleans. I also just ran into another case where it would be nice to add samba to the list.
I'd really like to know what the resolution to this was. I've searched the policy source and can't find anything like a shared_data_t anywhere. I'm running selinux-policy-targeted-1.27.1-2.14.
public_content_t, public_content_rw_t
Thanks. I saw those but didn't make the connection - the apache.te seemed to be the only domain that even referenced them and then only in a comment. Seems anonymous_domain is the way those contexts are specified in the *.te files. I'll test it out.
Look at the man pages
man httpd_selinux
man ftpd_selinux
...
It is documented in there.

Thanks. It all seems to work perfectly.