4.2. Types
The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
By default, anonymous users have read access to files in
/var/ftp/
when they log in via FTP. This directory is labeled with the public_content_t
type, allowing only read access, even if write access is configured in /etc/vsftpd/vsftpd.conf
. The public_content_t
type is accessible to other services, such as Apache HTTP Server, Samba, and NFS.
Use one of the following types to share files through FTP:
public_content_t
- Label files and directories you have created with the
public_content_t
type to share them read-only through vsftpd. Other services, such as Apache HTTP Server, Samba, and NFS, also have access to files labeled with this type. Files labeled with thepublic_content_t
type cannot be written to, even if Linux permissions allow write access. If you require write access, use thepublic_content_rw_t
type. public_content_rw_t
- Label files and directories you have created with the
public_content_rw_t
type to share them with read and write permissions throughvsftpd
. Other services, such as Apache HTTP Server, Samba, and NFS, also have access to files labeled with this type. Remember that Booleans for each service must be enabled before they can write to files labeled with this type.