SELinux Policy Request
Is your feature request related to a problem? Please describe.
By default, Fedora (and other flavours of Linux that use SELinux) do not have an SELinux policy. This presents a security issue, particularly for those people trying to get Macs using Time Machine that are stuck using AFP (e.g. v12.7).
Describe alternatives you've considered
I've considered other non-SELinux flavored Linux OSes; however, considering other system applications I am also running, I would rather have SELinux running on my server to isolate access from other running processes.
If someone can write an SELinux policy specific for Netatalk, that would help immensely. I am sure other Netatalk admins have also come across this issue.
This is a new area for me, so I had to do some reading. The most informative resource I could find is this custom policy guide from Red Hat.
IINM, in addition to a standard netatalk policy, you'd have to customize it to allow afpd (and perhaps other daemons too) access to all of the shared volume dirs that you define.
Anyways, no guarantees, but I'll try to tinker with these policies when I have time to spare.
An SELinux policy has been added to contrib/selinux in the netatalk code tree in the main branch (bleeding edge development code). See the readme and run netatalk.sh to build and install the policy. Consider this alpha level software: should work in theory but hasn't been proven yet in a production environment. Please share your feedback if you get to try it out!
Thanks for following through on this issue @rdmark. When I get a spare chance, I'll test the changes out and let you know the outcome.