SELinux write access for vsftpd and samba

3

This should be easy, but I'm new to SELinux. I have a CentOS 6 file server. I have some LVM filesystems under /var/media and want to use Samba and FTP to share them with a Windows machine. I'm using ACLs so that permissions work well on Windows (I have a two-user network). I found that Samba, although it works, is slow for file transfers, so I wanted to try FTP.

I'd like to keep using SELinux to keep things secure, but I'm having trouble accessing the files via FTP. I can read the files and write to my home directory. But I can't write to files in /var/media (with the samba_share_t context).

I thought allow_ftpd_use_cifs should handle this. I can make it work with allow_ftpd_full_access, but I'd rather avoid that. What am I missing?

Here is the relevant information:

[mdurak@srv ~]$ ls -Z /var/media
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 docs
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 library
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 photos
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 projects

[mdurak@srv ~]$ sudo semanage boolean -l | grep ftp
ftp_home_dir                   (on   ,   on)  Allow ftp to read and write files in the user home directories
tftp_anon_write                (off  ,  off)  Allow tftp to modify public files used for public file transfer services.
allow_ftpd_full_access         (off  ,  off)  Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
allow_ftpd_use_cifs            (on   ,   on)  Allow ftp servers to use cifs used for public file transfer services.
allow_ftpd_use_nfs             (off  ,  off)  Allow ftp servers to use nfs used for public file transfer services.
allow_ftpd_anon_write          (on   ,   on)  Allow ftp servers to upload files,  used for public file transfer services. Directories must be labeled public_content_rw_t.
ftpd_use_passive_mode          (off  ,  off)  Allow ftp servers to use bind to all unreserved ports for passive mode
ftpd_connect_db                (off  ,  off)  Allow ftp servers to use connect to mysql database
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to act as a FTP server by listening on the ftp port.

[mdurak@srv ~]$ sudo semanage boolean -l | grep samba
samba_domain_controller        (off  ,  off)  Allow samba to act as the domain controller, add users, groups and change passwords.
samba_portmapper               (off  ,  off)  Allow samba to act as a portmapper
samba_enable_home_dirs         (on   ,   on)  Allow samba to share users home directories.
samba_export_all_ro            (off  ,  off)  Allow samba to share any file/directory read only.
samba_export_all_rw            (off  ,  off)  Allow samba to share any file/directory read/write.
use_samba_home_dirs            (off  ,  off)  Support SAMBA home directories
samba_create_home_dirs         (off  ,  off)  Allow samba to create new home directories (e.g. via PAM)
cdrecord_read_content          (off  ,  off)  Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
allow_smbd_anon_write          (off  ,  off)  Allow samba to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t.
samba_share_fusefs             (off  ,  off)  Allow samba to export ntfs/fusefs volumes.
samba_share_nfs                (off  ,  off)  Allow samba to export NFS volumes.
samba_run_unconfined           (off  ,  off)  Allow samba to run unconfined scripts
sanlock_use_samba              (off  ,  off)  Allow sanlock to manage cifs files
virt_use_samba                 (off  ,  off)  Allow virt to manage cifs files

/etc/vsftpd/vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
# mdurak is in the chroot_list
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES
local_root=/var/media

Attempt over FTP to create the directory (there is also a denied message in the audit log, so I know it is a SELinux problem).

Command:    CWD /var/media/library/music
Response:   250 Directory successfully changed.
Command:    MKD sdff
Response:   550 Create directory operation failed.
Command:    MKD /var/media/library/music/sdff
Response:   550 Create directory operation failed.
    
por Matt 19.05.2013 / 19:41

1 answer

1

Found this: link

Had to set the folder contexts to public_content_rw_t and do

setsebool -P allow_smbd_anon_write=1

Now I can write via Samba and FTP (and it will be easy to support other domains later)

    
por 19.05.2013 / 22:54
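One way to check and apply what the answer describes, as an added example that is not part of the original question or answer: the script below parses `ls -Z` and `semanage boolean -l` output, reports which directories are not yet public_content_rw_t and which of the two anon_write booleans are still off, and prints the persistent commands to fix both. Constructed sample output is embedded so it runs offline; on a real host the samples are replaced by the live commands. It assumes the share root is /var/media and uses the CentOS 6 boolean names from the question (newer policies name them ftpd_anon_write and smbd_anon_write).

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the two things the
# accepted answer changes (directory type and SELinux booleans) from captured
# command output, then prints the persistent commands to apply the fix.
# Assumptions: share root /var/media; CentOS 6 boolean names as in the question.

SHARE_ROOT="${SHARE_ROOT:-/var/media}"
WANT_TYPE="public_content_rw_t"
WANT_BOOLS="allow_ftpd_anon_write allow_smbd_anon_write"

# Read `ls -Z` output (CentOS 6 layout: perms owner group context name) on
# stdin and print "name type" for every entry whose type is not WANT_TYPE.
mislabeled_entries() {
    awk -v want="$WANT_TYPE" '
        NF >= 5 {
            split($4, ctx, ":")          # context is user:role:type:level
            if (ctx[3] != want) print $5, ctx[3]
        }'
}

# Read `semanage boolean -l` output on stdin and print each required boolean
# whose current value (the first value inside the parentheses) is not "on".
booleans_off() {
    awk -v want="$WANT_BOOLS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        ($1 in need) {
            line = $0
            sub(/^[^(]*\(/, "", line)    # drop everything up to the "("
            split(line, v, ",")
            gsub(/[ \t]/, "", v[1])
            if (v[1] != "on") print $1
        }'
}

# Print the persistent fix. A fcontext rule (rather than a bare chcon) makes
# the label survive restorecon and a filesystem relabel; -P makes the
# booleans survive a reboot.
fix_commands() {
    bools=$(printf '%s' "$WANT_BOOLS" | sed 's/ /=1 /g')
    printf '%s\n' \
        "semanage fcontext -a -t $WANT_TYPE \"$SHARE_ROOT(/.*)?\"" \
        "restorecon -Rv $SHARE_ROOT" \
        "setsebool -P ${bools}=1"
}

# Constructed sample output standing in for the live commands: one directory
# already relabeled, one still samba_share_t, and the smbd boolean still off.
SAMPLE_LS='drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 docs
drwxrwxr-x+ mdurak admins system_u:object_r:public_content_rw_t:s0 library'
SAMPLE_BOOLS='allow_ftpd_anon_write          (on   ,   on)  Allow ftp servers to upload files,  used for public file transfer services.
allow_smbd_anon_write          (off  ,  off)  Allow samba to modify public files used for public file transfer services.
allow_ftpd_use_cifs            (on   ,   on)  Allow ftp servers to use cifs used for public file transfer services.'

# Report on the samples; on a real host feed `ls -Z "$SHARE_ROOT"` and
# `semanage boolean -l` into the two functions instead.
report() {
    echo "Entries not labeled $WANT_TYPE:"
    printf '%s\n' "$SAMPLE_LS" | mislabeled_entries
    echo "Required booleans that are off:"
    printf '%s\n' "$SAMPLE_BOOLS" | booleans_off
    echo "Commands to apply the fix persistently:"
    fix_commands
}

report
```

public_content_rw_t is the policy's shared type for content that several confined network daemons may write, which is why one label plus the two anon_write booleans covers both ftpd and smbd, while allow_ftpd_full_access would lift the type restriction for ftpd on every file governed only by DAC.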