|Summary:||common context for shared data needed|
|Product:||[Fedora] Fedora||Reporter:||Thomas J. Baker <tjb>|
|Component:||selinux-policy-targeted||Assignee:||Daniel Walsh <dwalsh>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Fixed In Version:||1.25.1-1||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|Last Closed:||2005-08-25 15:00:33 UTC||Type:||---|
Description Thomas J. Baker 2005-06-15 19:45:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
In looking at the policy for rsync, it looks like it is allowed access to files of types rsync_data_t and ftpd_anon_t. In my experience, shared data is commonly accessed by rsync, ftp, or httpd. Would it make sense to either have a shared_data_t that all three can access or to add httpd_sys_content_t to the rsync policy? Or is there some other type already defined for this type of thing?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Didn't try

Additional info:
Comment 1 Daniel Walsh 2005-06-15 20:17:43 UTC
Since rsync and ftp can read ftpd_anon_t I think we should add a httpd, but we should bring this up on a list. Maybe a shared_data_t might be a good idea. So you could set up a boolean for each app to
allow_ftp_read_shared_data
allow_httpd_read_shared_data
...
Comment 2 Daniel Walsh 2005-08-25 15:00:33 UTC
Fixed in selinux-policy-targeted-1.25.1-1
Comment 3 Thomas J. Baker 2005-09-15 01:32:16 UTC
What was the resolution? I don't see any of those booleans. I also just ran into another case where it would be nice to add samba to the list.
Comment 4 Thomas J. Baker 2005-12-06 20:48:04 UTC
I'd really like to know what the resolution to this was. I've searched the policy source and can't find anything like a shared_data_t anywhere. I'm running selinux-policy-targeted-1.27.1-2.14.
Comment 5 Daniel Walsh 2005-12-07 17:09:46 UTC
Comment 6 Thomas J. Baker 2005-12-07 20:18:03 UTC
Thanks. I saw those but didn't make the connection - the apache.te seemed to be the only domain that even referenced them and then only in a comment. Seems anonymous_domain is the way those contexts are specified in the *.te files. I'll test it out.
Comment 7 Daniel Walsh 2005-12-07 21:06:14 UTC
Look at the man pages
man httpd_selinux
man ftpd_selinux
...
It is documented in there.
Comment 8 Thomas J. Baker 2005-12-07 21:10:27 UTC
Thanks. It all seems to work perfectly.