On 05/24/14 08:40, dE wrote:
On 05/24/14 01:02, toản cù wrote:
Hi all! 

    I just researching policy in selinux and Samba , SELinux has policy module separate for samba. I only know the label samba_share_t used to share data when labeled in SELinux enforcing mode.

    I want to use SELinux further intervention on the issue of decentralization for each user to access data on the samba. How the same file (*. docx, *. txt), user1 can read, write but  user2 is not. 

    And one more question: in a group have different users the same access to the samba. those users have some same rights, and some the right different. example the rights  to read,write on a file is different. How to make a difference the rights between users in the same group

 Look forward your help!

Thanks!


--
Mr.Toan-Cu Xuan

School of Electronics and Telecommunications

Hanoi University of Science and Technology

1 Dai Co Viet, Ha noi, Viet nam.

Phone: 01656228762

Email:xuantoanbkfet@gmail.com



_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

I don't think smbd spawns a new process when a new user logs in (that's why we have 'force user'), so there's no way for SELinux to identify the login user of the SMB service.

Otherwise what could've been done is set the umask to 077 and inherit owner, inherit permissions to yes. So DAC whould've been good enough for the purpose.

I dont remember how

Actually it does.

Set 'username map' and you get what you want with DAC.