giving ftp access to specif files and directories

Daniel J Walsh dwalsh at redhat.com
Thu Sep 25 17:14:50 UTC 2008


Clarkson, Mike R (US SSA) wrote:
> OK, I'll get more specific.
> 
> Let's say I've got some_program that I've created a policy module for so
> that it runs in the some_program_t domain. Suppose some_program uses
> files for various purposes and the module has labeled them, such that
> all the files under the /local/some_dir directory are labeled
> some_file_t. Further suppose that some_program uses ftp to transfer one
> or more of the files labeled some_file_t, and that the policy writer
> does not want to label these files public_content_t. The policy writer
> can do something like this:
> 
> require {type ftpd_t;}
> allow ftpd_t some_file_t:file <necessary permissions here>;
> 
> Rules giving ftpt_t access to other objects belong in the ftp module,
> but the policy writer really doesn't want to modify the ftp module for
> obvious reasons. This is where it would be nice to have interfaces in
> the ftp module that allowed policy writers to give the ftpd_t domain
> access to files and directories of specific types. There could either be
> a series of interfaces giving different permissions to choose from or it
> could be handled by a generic interface such as this:
> 
> ################################################
> ## <summary>
> ## Give the ftpd_t access to specified file type.
> ## </summary>
> ## <desc>
> ## <param name="file_type">
> ## File type to which ftpd_t needs access
> ## </param>
> ## <param name="object type"> 
> ## Type of object (i.e. file or dir)
> ## </param>
> ## <param name="permission"> 
> ## Permission needed by ftpd_t(i.e. read, write, etc.)
> ## </param>
> interface(`give_ftp_access',`
>   gen_require(`
>     type ftpd_t;
>   ')
> 
>   allow ftpd_t $1:$2 $3;
> ')
>
I don't see where this is any easier than just using the code you wrote
above.

Other than you don't need the gen_require.

>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Tuesday, September 23, 2008 9:16 AM
>> To: Clarkson, Mike R (US SSA)
>> Cc: fedora-selinux-list at redhat.com
>> Subject: Re: giving ftp access to specif files and directories
>>
>> Clarkson, Mike R (US SSA) wrote:
>>> In RHEL5.1, I don't see an interface allowing the policy writer to give
>>> the ftp daemon access to specific file and directory types. This would
>>> be nice to have.
>>>
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Not sure what you are after here.  Do you want to label a directory or
>> file with public_content_t?  That will allow ftp to gain access.
>>
>> If the files are labeled something non default you could add allow rules
>> using audit2allow -M myftp.
>>
>> If you want to add a type specific to ftp that other daemons would not
>> have access to, i.e. not public_content_t, you could define a module
>>
>> type ftp_content_t;
>> files_type(ftp_content_t)
>>
>> ...
>>
>> Then allow access.  And set the labeling correct
> 
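The module Dan sketches above (declare a type, mark it with files_type, allow ftpd_t access, set the labeling), written out as a complete policy module. This is an added example, not code from either poster: the module name myftp, the path /local/some_dir, the refpolicy permission-set macros list_dir_perms/read_file_perms and the devel Makefile path /usr/share/selinux/devel/Makefile are assumptions. The script only writes myftp.te and myftp.fc so the layout can be inspected on any machine; building and loading needs a host with the SELinux policy development tools. Note that the allow rules are exactly what Mike's proposed give_ftp_access interface would expand to, which is Dan's point.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a small SELinux policy module
# that grants ftpd_t read access to a dedicated content type, without using
# public_content_t. All names and paths below are assumed for illustration.

# write_myftp_module DIR: write myftp.te and myftp.fc into DIR.
write_myftp_module() {
    moddir="$1"
    mkdir -p "$moddir" || return 1

    # Type enforcement file: declarations and the allow rules.
    cat > "$moddir/myftp.te" <<'EOF'
policy_module(myftp, 1.0)

########################################
#
# Declarations
#

# A content type granted only to the FTP daemon in this module, unlike
# public_content_t, which many daemons are allowed to read.
type ftp_content_t;
files_type(ftp_content_t)

########################################
#
# Local policy
#

# ftpd_t is declared in the ftp module; a .te file uses a plain require
# block (gen_require is for interfaces).
require {
    type ftpd_t;
}

# Let the daemon list directories and read files of the new type.
# Uploads would additionally need manage_dir_perms / manage_file_perms.
allow ftpd_t ftp_content_t:dir list_dir_perms;
allow ftpd_t ftp_content_t:file read_file_perms;
EOF

    # File contexts: label the tree (assumed path) with the new type.
    cat > "$moddir/myftp.fc" <<'EOF'
/local/some_dir(/.*)?	gen_context(system_u:object_r:ftp_content_t,s0)
EOF
}

# load_myftp_module DIR: build the module, install it and relabel.
# Only meaningful on a SELinux host with the devel Makefile installed.
load_myftp_module() {
    moddir="$1"
    command -v semodule >/dev/null 2>&1 || {
        echo "SELinux policy tools not found; nothing loaded" >&2
        return 2
    }
    ( cd "$moddir" && make -f /usr/share/selinux/devel/Makefile myftp.pp ) || return 1
    semodule -i "$moddir/myftp.pp" || return 1
    # Installing the module registers the .fc entries; restorecon applies them
    # to files that already exist. New files inherit the directory's label.
    restorecon -Rv /local/some_dir
}

# Usage: sh myftp.sh /path/to/module/dir  (writes the two files there)
if [ $# -ge 1 ]; then
    write_myftp_module "$1"
fi
```

After loading, confirm the labels with `ls -Z /local/some_dir`; any remaining denials show up in the audit log and can be turned into extra rules with `audit2allow -M myftp`, as Dan mentions, although each such rule should be read before it is installed.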