* SAMBA WITH SELINUX
From: toản cù @ 2014-05-23 19:32 UTC (permalink / raw)
To: selinux
Hi all!
I am just researching policy in SELinux and Samba. SELinux has a
separate policy module for Samba. I only know the label samba_share_t,
used to share data when labeled in SELinux enforcing mode.
I want to use SELinux to intervene further on the issue
of decentralization of each user's access to data on Samba. How can it be
that, for the same file (*.docx, *.txt), user1 can read and write but user2
cannot?
And one more question: in a group, different users have the same access
to Samba. Those users have some rights that are the same and some that are
different; for example, the rights to read and write a file are different.
How can I make the rights differ between users in the same group?
Looking forward to your help!
Thanks!
--
Mr.Toan-Cu Xuan
School of Electronics and Telecommunications
Hanoi University of Science and Technology
1 Dai Co Viet, Ha noi, Viet nam.
Phone: 01656228762
Email:xuantoanbkfet@gmail.com
* Re: SAMBA WITH SELINUX
From: dE @ 2014-05-24 3:10 UTC (permalink / raw)
To: selinux
On 05/24/14 01:02, toản cù wrote:
> Hi all!
>
> I am just researching policy in SELinux and Samba. SELinux has a
> separate policy module for Samba. I only know the label samba_share_t,
> used to share data when labeled in SELinux enforcing mode.
>
> I want to use SELinux to intervene further on the issue
> of decentralization of each user's access to data on Samba. How can it
> be that, for the same file (*.docx, *.txt), user1 can read and write but
> user2 cannot?
>
> And one more question: in a group, different users have the same
> access to Samba. Those users have some rights that are the same and some
> that are different; for example, the rights to read and write a file are
> different. How can I make the rights differ between users in the
> same group?
>
> Looking forward to your help!
>
> Thanks!
I don't think smbd spawns a new process when a new user logs in (that's
why we have 'force user'), so there's no way for SELinux to identify the
login user of the SMB service.
Otherwise what could've been done is set the umask to 077 and inherit
owner, inherit permissions to yes. So DAC would've been good enough for
the purpose.
I don't remember how
* Re: SAMBA WITH SELINUX
From: dE @ 2014-05-24 3:12 UTC (permalink / raw)
To: selinux
On 05/24/14 08:40, dE wrote:
> On 05/24/14 01:02, toản cù wrote:
>> Hi all!
>>
>> I am just researching policy in SELinux and Samba. SELinux has a
>> separate policy module for Samba. I only know the label samba_share_t,
>> used to share data when labeled in SELinux enforcing mode.
>>
>> I want to use SELinux to intervene further on the issue
>> of decentralization of each user's access to data on Samba. How can it
>> be that, for the same file (*.docx, *.txt), user1 can read and write
>> but user2 cannot?
>>
>> And one more question: in a group, different users have the same
>> access to Samba. Those users have some rights that are the same and
>> some that are different; for example, the rights to read and write a
>> file are different. How can I make the rights differ between users in
>> the same group?
>>
>> Looking forward to your help!
>>
>> Thanks!
>
> I don't think smbd spawns a new process when a new user logs in
> (that's why we have 'force user'), so there's no way for SELinux to
> identify the login user of the SMB service.
>
> Otherwise what could've been done is set the umask to 077 and inherit
> owner, inherit permissions to yes. So DAC would've been good enough
> for the purpose.
>
> I don't remember how
Actually it does.
Set 'username map' and you get what you want with DAC.
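
The settings named in this thread ('force user', 'username map', 'inherit owner', 'inherit permissions', umask 077), put together as an added smb.conf sketch that is not part of any message above. The share name, paths, account names and map file location are constructed assumptions.

```ini
# /etc/samba/smb.conf -- constructed example, names and paths are assumptions

[global]
    # Map SMB client names to local Unix accounts, so file access is
    # checked by the kernel against that account's uid/gid (DAC).
    username map = /etc/samba/smbusers

# Weak for per-user control: every connection acts as one Unix account,
# so file permissions cannot tell user1 from user2.
;[docs]
;    path = /srv/samba/docs
;    force user = smbshare

# Per-user DAC: no 'force user'. New files take their owner and their
# read/write bits from the parent directory.
[docs]
    path = /srv/samba/docs
    read only = no
    valid users = user1 user2
    inherit owner = yes
    inherit permissions = yes
    # The two masks below are the umask-077 equivalent. They only take
    # effect if 'inherit permissions' is switched off, because that
    # option overrides 'create mask' and 'directory mask'.
    create mask = 0600
    directory mask = 0700

# Directory layout that gives the behaviour asked about (constructed):
#   /srv/samba/docs/user1   owner user1, mode 0700 -> only user1 reads/writes
#   /srv/samba/docs/team    owner user1, group staff, mode 0750
#                           -> user1 reads/writes, other staff members read only
# The tree still needs the samba_share_t label mentioned in the first post.

# /etc/samba/smbusers -- constructed; format is: unix_name = client_name ...
#   user1 = "Client One" client1
#   user2 = client2
```

The owner and group bits are evaluated per class, so two members of the same group get different rights only when one of them owns the file or directory.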