Sharing user content with file ACLs
Access control lists allow for more fine-grained access controls on files. Instead of using a common group ownership, access to files can be individually granted to users or groups.
However, the access controls that SELinux enables should also be tailored to this situation. Features such as the user-based access control constraints in SELinux might prevent sharing user content altogether, regardless of the ACLs set on the file.
How to do it…
Assuming that a user wants to allow read and read-write accesses to a set of files and directories, the following set of steps can be used:
Create an accessible location outside the user's home directory:
~# mkdir -p /home/share/ ~# chmod 1777 /home/share/
Create an SELinux file type that can be used for sharing resources:
type user_share_t; files_type(user_share_t)
Create an interface allowing users to administer the resource:
interface(`userdom_admin_user_share',' gen_require(` type user_share_t; ') admin_pattern...
