Bug 160556 - common context for shared data needed
Summary: common context for shared data needed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-15 19:45 UTC by Thomas J. Baker
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: 1.25.1-1
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-25 15:00:33 UTC



Description Thomas J. Baker 2005-06-15 19:45:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
In looking at the policy for rsync, it looks like it is allowed access to files of types rsync_data_t and ftpd_anon_t. In my experience, shared data is commonly accessed by rsync, ftp, or httpd. Would it make sense to either have a shared_data_t that all three can access or to add httpd_sys_content_t to the rsync policy? Or is there some other type already defined for this type of thing?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Didn't try


Additional info:

Comment 1 Daniel Walsh 2005-06-15 20:17:43 UTC
Since rsync and ftp can read ftpd_anon_t I think we should add a httpd, but we
should bring this up on a list.  Maybe a shared_data_t might be a good idea.  So
you could set up a boolean for each app to 

allow_ftp_read_shared_data
allow_httpd_read_shared_data 
...


Comment 2 Daniel Walsh 2005-08-25 15:00:33 UTC
Fixed in selinux-policy-targeted-1.25.1-1

Comment 3 Thomas J. Baker 2005-09-15 01:32:16 UTC
What was the resolution? I don't see any of those booleans. I also just ran into
another case where it would be nice to add samba to the list.

Comment 4 Thomas J. Baker 2005-12-06 20:48:04 UTC
I'd really like to know what the resolution to this was. I've searched the
policy source and can't find anything like a shared_data_t anywhere. I'm running
selinux-policy-targeted-1.27.1-2.14.

Comment 5 Daniel Walsh 2005-12-07 17:09:46 UTC
public_content_t, public_content_rw_t

Comment 6 Thomas J. Baker 2005-12-07 20:18:03 UTC
Thanks. I saw those but didn't make the connection - the apache.te seemed to be
the only domain that even referenced them and then only in a comment. Seems
anonymous_domain is the way those contexts are specified in the *.te files. I'll
test it out.


Comment 7 Daniel Walsh 2005-12-07 21:06:14 UTC
Look at the man pages

man httpd_selinux
man ftpd_selinux
...

It is documented in there.


Comment 8 Thomas J. Baker 2005-12-07 21:10:27 UTC
Thanks. It all seems to work perfectly.

