This should be easy, but I'm new to SELinux. I have a CentOS 6 file server. I have some LVM filesystems under /var/media and want to use Samba and FTP to share them with a Windows machine. I'm using ACLs so that permissions work properly on Windows (I have a two-user network). I found that Samba, although it works, is slow for file transfers, so I wanted to try FTP.
I'd like to keep using SELinux to keep things secure, but I'm having trouble accessing the files via FTP. I can read the files and write to my home directory. But I can't write to files in /var/media (with the samba_share_t context).
I thought allow_ftpd_use_cifs should handle this. I can make it work with allow_ftpd_full_access, but I'd rather avoid that. What am I missing?
Here is the relevant information:
[mdurak@srv ~]$ ls -Z /var/media
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 docs
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 library
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 photos
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 projects
[mdurak@srv ~]$ sudo semanage boolean -l | grep ftp
ftp_home_dir (on , on) Allow ftp to read and write files in the user home directories
tftp_anon_write (off , off) Allow tftp to modify public files used for public file transfer services.
allow_ftpd_full_access (off , off) Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
allow_ftpd_use_cifs (on , on) Allow ftp servers to use cifs used for public file transfer services.
allow_ftpd_use_nfs (off , off) Allow ftp servers to use nfs used for public file transfer services.
allow_ftpd_anon_write (on , on) Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
ftpd_use_passive_mode (off , off) Allow ftp servers to use bind to all unreserved ports for passive mode
ftpd_connect_db (off , off) Allow ftp servers to use connect to mysql database
httpd_enable_ftp_server (off , off) Allow httpd to act as a FTP server by listening on the ftp port.
[mdurak@srv ~]$ sudo semanage boolean -l | grep samba
samba_domain_controller (off , off) Allow samba to act as the domain controller, add users, groups and change passwords.
samba_portmapper (off , off) Allow samba to act as a portmapper
samba_enable_home_dirs (on , on) Allow samba to share users home directories.
samba_export_all_ro (off , off) Allow samba to share any file/directory read only.
samba_export_all_rw (off , off) Allow samba to share any file/directory read/write.
use_samba_home_dirs (off , off) Support SAMBA home directories
samba_create_home_dirs (off , off) Allow samba to create new home directories (e.g. via PAM)
cdrecord_read_content (off , off) Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
allow_smbd_anon_write (off , off) Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
samba_share_fusefs (off , off) Allow samba to export ntfs/fusefs volumes.
samba_share_nfs (off , off) Allow samba to export NFS volumes.
samba_run_unconfined (off , off) Allow samba to run unconfined scripts
sanlock_use_samba (off , off) Allow sanlock to manage cifs files
virt_use_samba (off , off) Allow virt to manage cifs files
/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
# mdurak is in the chroot_list
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES
local_root=/var/media
Attempt over FTP to create the directory (there is also a denied message in the audit log, so I know it is an SELinux problem).
Command: CWD /var/media/library/music
Response: 250 Directory successfully changed.
Command: MKD sdff
Response: 550 Create directory operation failed.
Command: MKD /var/media/library/music/sdff
Response: 550 Create directory operation failed.
I found this: link
Had to set the folder contexts to public_content_rw_t and run
setsebool -P allow_smbd_anon_write=1
Now I can write via Samba and FTP (and it will be easy to support other domains later).
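The relabel-and-boolean procedure from the answer, and the checks a practitioner would run to confirm it fixed the denial from the question, written out as an added example (these are not the poster's own commands). It assumes the share root /var/media from the question, the CentOS 6 targeted policy, and the semanage tool from policycoreutils-python; the function names, the SHARE_ROOT variable and the plan/apply/verify arguments are this example's own. Two points worth knowing: the boolean the question tried, allow_ftpd_use_cifs, covers files on mounted CIFS filesystems (cifs_t), not a local directory labeled samba_share_t, so it cannot help here; and the label change is done with semanage fcontext plus restorecon rather than chcon, because chcon alone is undone by the next relabel. The poster only needed allow_smbd_anon_write because allow_ftpd_anon_write was already on in their listing; the script sets both so it can be re-run.

```sh
#!/bin/sh
# Added example, not the original poster's commands. Assumes the share root
# /var/media from the question, the CentOS 6 targeted policy, and the
# semanage tool (package policycoreutils-python).
set -eu

SHARE_ROOT="${SHARE_ROOT:-/var/media}"

# Persistent file-context rule. "semanage fcontext" stores the rule in the
# policy store, so restorecon (now, or a relabel at boot) keeps the label.
# A bare "chcon -R -t public_content_rw_t" would be undone by the next relabel.
fcontext_rule() {
    printf '%s\n' "semanage fcontext -a -t public_content_rw_t \"$1(/.*)?\""
}

# Booleans that let each daemon write to public_content_rw_t. In the question's
# listing allow_ftpd_anon_write is already on and allow_smbd_anon_write is off;
# setting both is harmless and keeps the script idempotent.
boolean_commands() {
    printf '%s\n' \
        "setsebool -P allow_ftpd_anon_write=1" \
        "setsebool -P allow_smbd_anon_write=1"
}

# Print the plan without touching the system.
plan() {
    fcontext_rule "$SHARE_ROOT"
    printf '%s\n' "restorecon -Rv \"$SHARE_ROOT\""
    boolean_commands
}

# Apply the plan. Re-running is safe: a second "semanage fcontext -a" for the
# same pattern fails with "already defined", so fall back to -m (modify).
apply() {
    semanage fcontext -a -t public_content_rw_t "${SHARE_ROOT}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t public_content_rw_t "${SHARE_ROOT}(/.*)?"
    restorecon -Rv "$SHARE_ROOT"
    setsebool -P allow_ftpd_anon_write=1 allow_smbd_anon_write=1
}

# Checks to run afterwards: the label the policy now prescribes for the path,
# the label actually on disk, the booleans, and any AVC denials still logged
# for vsftpd or smbd (audit2allow -w explains each denial in plain words).
verify() {
    matchpathcon "$SHARE_ROOT"
    ls -dZ "$SHARE_ROOT" "$SHARE_ROOT"/*
    getsebool allow_ftpd_anon_write allow_smbd_anon_write
    for comm in vsftpd smbd; do
        ausearch -m avc -c "$comm" -ts recent 2>/dev/null | audit2allow -w || true
    done
}

case "${1:-plan}" in
    plan)   plan ;;
    apply)  apply; verify ;;
    verify) verify ;;
    *)      echo "usage: $0 [plan|apply|verify]" >&2; exit 2 ;;
esac
```

Run it with no argument to see the commands it would execute, with `apply` (as root) to relabel and set the booleans, and with `verify` on its own after the next FTP MKD attempt; an empty audit2allow report for vsftpd means the 550 in the question no longer comes from SELinux.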