cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
TudorRaduta
Community Manager
Community Manager
16 hours ago
  • 62 Views

Monday Mission: Solving the "Mixed Environment" Nightmare

Thanks again to everyone who tackled Friday’s challenge @Architect_005 @sa_sachin @SANJURAJ @martindxc! Your answers set the bar and inspired today’s tougher, architect-level mission.

The Protocol War (SMB vs SSH vs Services)

Friday's permissions hackathon drew some amazing solutions and one piece of feedback from @martindxc stood out: "Real environments are more chaotic than exercises."

Challenge accepted. Today’s mission is a 10/10 difficulty scenario.

The Mission

Build a storage location that accepts Read/Write access from three different protocols — at the same time — without throwing permission errors or locking users out.

The Players:

  • Team Windows (Samba): Marketing users mapping \server\assets via AD credentials.
  • Team Linux (SCP/SFTP): Developers uploading large files via terminal tools.
  • The Robot (Service): A local upload daemon (e.g., Nextcloud / Immich) running as svc_upload.

The Map:

You’ll need a layered approach — standard permissions, ACL inheritance, and SELinux labels working together.

  • man setfacl (default ACLs)
  • man chmod (SGID magic)
  • man samba_selinux (service-level access booleans)

Your Architect Challenge

The Scenario: The shared location is /srv/assets. Any file created by any source must be fully accessible (read, write, delete) by the other two. No “Permission denied,” no locking.

Post your architecture:

  1. The Foundation: Create a group collaboration and set the directory ownership and SGID correctly. What are your chown and chmod commands?
  2. The Magic (ACLs): Some tools create files with restrictive masks (e.g., 644). Provide the setfacl command that ensures all **future** files give rwx to the collaboration group automatically.
  3. The Security Layer (SELinux): You label the directory as samba_share_t for Windows users—but your local svc_upload service gets blocked. What SELinux context or boolean allows **multiple unrelated services** to write to this folder safely?

Who’s ready for the architect tier? Post your solution below.

Join the discussion
1 Reply
Architect_005
Cadet
Cadet
12 hours ago
  • 26 Views

Hi 
This is we nice challenge. Got to learn few things which i haven't done. We can follow the below steps for the above challenge. 

1. The Foundation: Create a group collaboration and set the directory ownership and SGID correctly. What are your chown and chmod commands?
sudo groupadd collaboration
sudo chown root:collaboration /srv/assets
sudo chmod g+s /srv/assets
 
2. The Magic (ACLs): Some tools create files with restrictive masks (e.g., 644). Provide the setfacl command that ensures all **future** files give rwx to the collaboration group automatically.
    sudo setfacl -R -m g:collaboration:rwx /srv/assets
    sudo setfacl -m d:g:collaboration:rwx /srv/assets
 
3. The Security Layer (SELinux): You label the directory as samba_share_t for Windows users—but your local svc_upload service gets blocked. What SELinux context or boolean allows **multiple unrelated services** to write to this folder safely?
 
- Using public_content_rw_t + boolean keeps it safe and policy‑compliant, while allowing multiple unrelated services.
 
sudo semanage fcontext -a -t public_content_rw_t "/srv/assets(/.*)?"
sudo restorecon -Rv /srv/assets
sudo setsebool -P allow_rw_shared_user_content on
Join the discussion
You must log in to join this conversation.
Red Hat Learning Community

Red Hat

Learning Community

A collaborative learning environment, enabling open source skill development.

Red Hat Inc. Copyright @ 2025 Red Hat Privacy statement Terms of service Community Guidelines