giving ftp access to specific files and directories

Clarkson, Mike R (US SSA) mike.clarkson at baesystems.com
Thu Sep 25 17:36:08 UTC 2008


I'll grant that the difference is fairly subtle, but it gets into the
software design principles of the reference policy. Chiefly, attempting
to keep modules loosely coupled by using interfaces rather than global
use of type identifiers. With the interface approach, all uses of the
ftpd_t type are kept within the ftp module.

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Thursday, September 25, 2008 10:15 AM
> To: Clarkson, Mike R (US SSA)
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: giving ftp access to specific files and directories
> 
> Clarkson, Mike R (US SSA) wrote:
> > OK, I'll get more specific.
> >
> > Let's say I've got some_program that I've created a policy module for so
> > that it runs in the some_program_t domain. Suppose some_program uses
> > files for various purposes and the module has labeled them, such that
> > all the files under the /local/some_dir directory are labeled
> > some_file_t. Further suppose that some_program uses ftp to transfer one
> > or more of the files labeled some_file_t, and that the policy writer
> > does not want to label these files public_content_t. The policy writer
> > can do something like this:
> >
> > require {type ftpd_t;}
> > allow ftpd_t some_file_t:file <necessary permissions here>;
> >
> > Rules giving ftpd_t access to other objects belong in the ftp module,
> > but the policy writer really doesn't want to modify the ftp module for
> > obvious reasons. This is where it would be nice to have interfaces in
> > the ftp module that allowed policy writers to give the ftpd_t domain
> > access to files and directories of specific types. There could either be
> > a series of interfaces giving different permissions to choose from or it
> > could be handled by a generic interface such as this:
> >
> > ################################################
> > ## <summary>
> > ## Give the ftpd_t access to specified file type.
> > ## </summary>
> > ## <desc>
> > ## <param name="file_type">
> > ## File type to which ftpd_t needs access
> > ## </param>
> > ## <param name="object type">
> > ## Type of object (i.e. file or dir)
> > ## </param>
> > ## <param name="permission">
> > ## Permission needed by ftpd_t(i.e. read, write, etc.)
> > ## </param>
> > interface(`give_ftp_access',`
> >   gen_require(`
> >     type ftpd_t;
> >   ')
> >
> >   allow ftpd_t $1:$2 $3;
> > ')
> >
> I don't see where this is any easier than just using the code you wrote
> above.
> 
> Other than you don't need the gen_require.
> 
> >> -----Original Message-----
> >> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> >> Sent: Tuesday, September 23, 2008 9:16 AM
> >> To: Clarkson, Mike R (US SSA)
> >> Cc: fedora-selinux-list at redhat.com
> >> Subject: Re: giving ftp access to specific files and directories
> >>
> >> Clarkson, Mike R (US SSA) wrote:
> >>> In RHEL5.1, I don't see an interface allowing the policy writer to give
> >>> the ftp daemon access to specific file and directory types. This would
> >>> be nice to have.
> >>>
> >>>
> >> Not sure what you are after here.  Do you want to label a directory or
> >> file with public_content_t? That will allow ftp to gain access.
> >>
> >> If the files are labeled something non-default you could add allow rules
> >> using audit2allow -M myftp.
> >>
> >> If you want to add a type specific to ftp that other daemons would not
> >> have access to, i.e. not public_content_t, you could define a module
> >>
> >> type ftp_content_t;
> >> files_type(ftp_content_t)
> >>
> >> ...
> >>
> >> Then allow access.  And set the labeling correctly.
> >
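The loosely coupled design Mike argues for, written out in reference-policy style as an added example (not code from the thread or from the actual ftp module): a hypothetical ftp_read_content() interface that would live in ftp.if, and a some_program module that calls it so that ftpd_t is never named outside the ftp module. read_files_pattern, files_type, gen_require and optional_policy are existing refpolicy macros; the interface name, some_program_t, some_file_t and the /local/some_dir labeling are assumptions.

```selinux
# --- ftp.if (hypothetical addition) ---------------------------------
# The only place ftpd_t is referenced: the interface hides the type and
# fixes the permission set, instead of a generic "allow ftpd_t $1:$2 $3".
########################################
## <summary>
##	Allow the ftp daemon to read files of the specified type.
## </summary>
## <param name="file_type">
##	<summary>
##	Type of the directories and files ftpd may read.
##	</summary>
## </param>
#
interface(`ftp_read_content',`
	gen_require(`
		type ftpd_t;
	')

	# search/read the directories and read the files labeled $1
	read_files_pattern(ftpd_t, $1, $1)
')

# --- some_program.te (caller module) --------------------------------
policy_module(some_program, 1.0)

type some_program_t;
type some_file_t;
files_type(some_file_t)

# Everything the program owns under /local/some_dir is some_file_t
# (the matching some_program.fc line would be:
#   /local/some_dir(/.*)?   gen_context(system_u:object_r:some_file_t,s0)
# ).  ftpd gets read access through the interface only, and only when
# the ftp module is actually loaded; no ftpd_t identifier appears here.
optional_policy(`
	ftp_read_content(some_file_t)
')
```

Because the grant is read-only and expressed through the ftp module's interface, a later change to how ftpd is typed or audited stays inside ftp.if, and `seinfo`/`sesearch -A -s ftpd_t -t some_file_t` still shows exactly the rules the caller intended.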