Bug 160556 - common context for shared data needed
Summary: common context for shared data needed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-15 19:45 UTC by Thomas J. Baker
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: 1.25.1-1
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-25 15:00:33 UTC
Type: ---


Attachments (Terms of Use)

Description Thomas J. Baker 2005-06-15 19:45:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
In looking at the policy for rsync, it looks like it is allowed access to files of types rsync_data_t and ftpd_anon_t. In my experience, shared data is commonly accessed by rsync, ftp, or httpd. Would it make sense to either have a shared_data_t that all three can access or to add httpd_sys_content_t to the rsync policy? Or is there some other type already defined for this type of thing?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Didn't try


Additional info:

Comment 1 Daniel Walsh 2005-06-15 20:17:43 UTC
Since rsync and ftp can read ftpd_anon_t I think we should add a httpd, but we
should bring this up on a list.  Maybe a shared_data_t might be a good idea.  So
you could set up a boolean for each app to 

allow_ftp_read_shared_data
allow_httpd_read_shared_data 
...


Comment 2 Daniel Walsh 2005-08-25 15:00:33 UTC
FIxed in selinux-policy-targeted-1.25.1-1

Comment 3 Thomas J. Baker 2005-09-15 01:32:16 UTC
What was the resolution? I don't see any of those booleans. I also just ran into
another case where it would be nice to add samba to the list.

Comment 4 Thomas J. Baker 2005-12-06 20:48:04 UTC
I'd really like to know what the resolution to this was. I've searched the
policy source and can't find anything like a shared_data_t anywhere. I'm running
selinux-policy-targeted-1.27.1-2.14.

Comment 5 Daniel Walsh 2005-12-07 17:09:46 UTC
public_content_t, public_content_rw_t

Comment 6 Thomas J. Baker 2005-12-07 20:18:03 UTC
Thanks. I saw those but didn't make the connection - the apache.te seemed to be
the only domain that even referenced them and then only in a comment. Seems
anonymous_domain is the way those contexts are specified in the *.te files. I'll
test it out.


Comment 7 Daniel Walsh 2005-12-07 21:06:14 UTC
Look at the man pages

man httpd_selinux
man ftpd_selinux
...

It is documented in there.


Comment 8 Thomas J. Baker 2005-12-07 21:10:27 UTC
Thanks. It all seems to work perfectly.


Note You need to log in before you can comment on or make changes to this bug.