giving ftp access to specific files and directories

Clarkson, Mike R (US SSA) mike.clarkson at baesystems.com
Tue Sep 23 20:58:22 UTC 2008


OK, I'll get more specific.

Let's say I've got some_program that I've created a policy module for so
that it runs in the some_program_t domain. Suppose some_program uses
files for various purposes and the module has labeled them, such that
all the files under the /local/some_dir directory are labeled
some_file_t. Further suppose that some_program uses ftp to transfer one
or more of the files labeled some_file_t, and that the policy writer
does not want to label these files public_content_t. The policy writer
can do something like this:

require {type ftpd_t;}
allow ftpd_t some_file_t:file <necessary permissions here>;

Rules giving ftpd_t access to other objects belong in the ftp module,
but the policy writer really doesn't want to modify the ftp module for
obvious reasons. This is where it would be nice to have interfaces in
the ftp module that allowed policy writers to give the ftpd_t domain
access to files and directories of specific types. There could either be
a series of interfaces giving different permissions to choose from or it
could be handled by a generic interface such as this:

################################################
## <summary>
## Give ftpd_t access to the specified file type.
## </summary>
## <param name="file_type">
## <summary>
## File type to which ftpd_t needs access
## </summary>
## </param>
## <param name="object_type">
## <summary>
## Type of object (i.e. file or dir)
## </summary>
## </param>
## <param name="permission">
## <summary>
## Permission needed by ftpd_t (i.e. read, write, etc.)
## </summary>
## </param>
#
interface(`give_ftp_access',`
  gen_require(`
    type ftpd_t;
  ')

  # $1 = file type, $2 = object class (file or dir), $3 = permission set
  allow ftpd_t $1:$2 $3;
')

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Tuesday, September 23, 2008 9:16 AM
> To: Clarkson, Mike R (US SSA)
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: giving ftp access to specific files and directories
> 
> Clarkson, Mike R (US SSA) wrote:
> > In RHEL5.1, I don't see an interface allowing the policy writer to
> > give the ftp daemon access to specific file and directory types. This
> > would be nice to have.
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Not sure what you are after here.  Do you want to label a directory or
> file with public_content_t, which will allow ftp to gain access?
> 
> If the files are labeled something non default you could add allow
> rules using audit2allow -M myftp.
> 
> If you want to add a type specific to ftp that other daemons would not
> have access to, i.e. not public_content_t, you could define a module
> 
> type ftp_content_t;
> files_type(ftp_content_t)
> 
> ...
> 
> Then allow access.  And set the labeling correctly.

More information about the fedora-selinux-list mailing list
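As an added illustration (not code from this thread, and not part of the reference policy), the two approaches discussed above combined into one module set: a hypothetical interface ftp_read_content_files that grants ftpd_t read-only access to a caller-supplied type, the some_program module calling it for some_file_t, and the file context entry that labels /local/some_dir. The interface name and the file names are assumptions; the refpolicy macros used (policy_module, gen_require, files_type, domain_type, domain_entry_file, manage_dirs_pattern, manage_files_pattern, list_dir_perms, read_file_perms, gen_context) are real. Unlike the generic give_ftp_access sketched above, which takes the permission set from the caller, a fixed read-only interface keeps the ftp module's author in control of what can be granted, so a caller cannot hand ftpd_t write or unlink on its type by accident.

```selinux
########################################
# myftp_access.if  (hypothetical file; in a real tree this would live
#                   in ftp.if, which is the point of the request above)
########################################
## <summary>
## Allow ftpd_t read-only access to files of the specified type.
## </summary>
## <param name="file_type">
## <summary>
## Type of the directories and files ftpd_t may read.
## </summary>
## </param>
#
interface(`ftp_read_content_files',`
  gen_require(`
    type ftpd_t;
  ')

  # Read-only on purpose: no write, create, rename or unlink is granted,
  # whatever type the caller passes in. ($1 is the caller's file type.)
  allow ftpd_t $1:dir list_dir_perms;
  allow ftpd_t $1:file read_file_perms;
')

########################################
# some_program.te  (the caller module from the mail, assumed names)
########################################
policy_module(some_program, 1.0)

# The domain some_program runs in and its entry point executable
type some_program_t;
type some_program_exec_t;
domain_type(some_program_t)
domain_entry_file(some_program_t, some_program_exec_t)

# Private type for everything under /local/some_dir; files_type() marks
# it as a file type so the generic file interfaces recognise it.
type some_file_t;
files_type(some_file_t)

# some_program itself fully manages its own files and directories
manage_dirs_pattern(some_program_t, some_file_t, some_file_t)
manage_files_pattern(some_program_t, some_file_t, some_file_t)

# Let the ftp daemon read them without relabeling to public_content_t
# and without editing the ftp module: the rule lives here, in the caller.
ftp_read_content_files(some_file_t)

########################################
# some_program.fc  (labeling, so restorecon applies the type)
########################################
/local/some_dir(/.*)?      gen_context(system_u:object_r:some_file_t,s0)
```

With the three files in one directory, `make -f /usr/share/selinux/devel/Makefile` builds some_program.pp (the devel Makefile picks up local .if files alongside the .te); then `semodule -i some_program.pp` loads it and `restorecon -Rv /local/some_dir` applies the some_file_t label. Anything ftpd_t is later denied on those files shows up in the audit log as an AVC for ftpd_t on some_file_t, which is the signal that the interface's permission set, not the labeling, needs revisiting.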