giving ftp access to specific files and directories

Daniel J Walsh dwalsh at redhat.com
Thu Sep 25 18:40:14 UTC 2008





Clarkson, Mike R (US SSA) wrote:
> I'll grant that the difference is fairly subtle, but it gets into the
> software design principles of the reference policy. Chiefly, attempting
> to keep modules loosely coupled by using interfaces rather than global
> use of type identifiers. With the interface approach, all uses of the
> ftpd_t type are kept within the ftp module.
> 
Well, submit it upstream and see what Chris thinks.
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Thursday, September 25, 2008 10:15 AM
>> To: Clarkson, Mike R (US SSA)
>> Cc: fedora-selinux-list at redhat.com
>> Subject: Re: giving ftp access to specific files and directories
>>
>> Clarkson, Mike R (US SSA) wrote:
>>> OK, I'll get more specific.
>>>
>>> Let's say I've got some_program that I've created a policy module
>>> for so that it runs in the some_program_t domain. Suppose
>>> some_program uses files for various purposes and the module has
>>> labeled them, such that all the files under the /local/some_dir
>>> directory are labeled some_file_t. Further suppose that some_program
>>> uses ftp to transfer one or more of the files labeled some_file_t,
>>> and that the policy writer does not want to label these files
>>> public_content_t. The policy writer can do something like this:
>>>
>>> require {type ftpd_t;}
>>> allow ftpd_t some_file_t:file <necessary permissions here>;
>>>
>>> Rules giving ftpd_t access to other objects belong in the ftp
>>> module, but the policy writer really doesn't want to modify the ftp
>>> module for obvious reasons. This is where it would be nice to have
>>> interfaces in the ftp module that allowed policy writers to give the
>>> ftpd_t domain access to files and directories of specific types.
>>> There could either be a series of interfaces giving different
>>> permissions to choose from or it could be handled by a generic
>>> interface such as this:
>>>
>>> ################################################
>>> ## <summary>
>>> ## Give the ftpd_t access to specified file type.
>>> ## </summary>
>>> ## <param name="file_type">
>>> ## File type to which ftpd_t needs access
>>> ## </param>
>>> ## <param name="object type">
>>> ## Type of object (i.e. file or dir)
>>> ## </param>
>>> ## <param name="permission">
>>> ## Permission needed by ftpd_t (i.e. read, write, etc.)
>>> ## </param>
>>> interface(`give_ftp_access',`
>>>   gen_require(`
>>>     type ftpd_t;
>>>   ')
>>>
>>>   allow ftpd_t $1:$2 $3;
>>> ')
>>>
>> I don't see where this is any easier than just using the code you
>> wrote above.
>>
>> Other than you don't need the gen_require.
>>
>>>> -----Original Message-----
>>>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>>> Sent: Tuesday, September 23, 2008 9:16 AM
>>>> To: Clarkson, Mike R (US SSA)
>>>> Cc: fedora-selinux-list at redhat.com
>>>> Subject: Re: giving ftp access to specific files and directories
>>>>
>>>> Clarkson, Mike R (US SSA) wrote:
>>>>> In RHEL5.1, I don't see an interface allowing the policy writer to
>>>>> give the ftp daemon access to specific file and directory types.
>>>>> This would be nice to have.
>>>>>
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>> Not sure what you are after here.  Do you want to label a directory
>>>> or file with public_content_t, which will allow ftp to gain access?
>>>>
>>>> If the files are labeled something non default you could add allow
>>>> rules using audit2allow -M myftp.
>>>>
>>>> If you want to add a type specific to ftp that other daemons would
>>>> not have access to IE Not public_content_t, you could define a module
>>>>
>>>> type ftp_content_t;
>>>> files_type(ftp_content_t)
>>>>
>>>> ...
>>>>
>>>> Then allow access, and set the labeling correctly.
> 
> 

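An added example, not from this thread or from the reference policy itself, showing how the idea discussed above could be done in reference-policy style: narrow interfaces in the ftp module's .if file with the object class and permissions fixed inside the interface, and a caller module that only ever names its own type. The interface names ftp_read_content_files and ftp_manage_content_files, the read_files_pattern/manage_files_pattern support macros, and the file paths are assumptions made for this example.

```m4
# ---- ftp.if: additions to the ftp module's interface file (example) ----
########################################
## <summary>
##	Allow ftpd_t to read files of the specified type.
##	Class and permissions are fixed inside the interface,
##	so callers cannot use it to grant arbitrary access.
## </summary>
## <param name="file_type">
##	<summary>Type of the files and directories ftpd may read.</summary>
## </param>
#
interface(`ftp_read_content_files',`
	gen_require(`
		type ftpd_t;
	')

	# search directories of $1, read files of $1 (assumed support macro)
	read_files_pattern(ftpd_t, $1, $1)
')

########################################
## <summary>
##	Allow ftpd_t to create, read, write and delete files
##	of the specified type (for uploads into that directory).
## </summary>
## <param name="file_type">
##	<summary>Type ftpd may manage.</summary>
## </param>
#
interface(`ftp_manage_content_files',`
	gen_require(`
		type ftpd_t;
	')

	manage_files_pattern(ftpd_t, $1, $1)
')

# ---- some_program.te: the calling module, which never names ftpd_t ----
policy_module(some_program, 1.0.0)
type some_file_t;
files_type(some_file_t)

# optional_policy keeps this module loadable even when the ftp
# module is not installed; only the narrow read interface is used.
optional_policy(`
	ftp_read_content_files(some_file_t)
')

# ---- some_program.fc: labeling so the files actually get the type ----
/local/some_dir(/.*)?		gen_context(system_u:object_r:some_file_t,s0)
```

After building and loading the module, `restorecon -Rv /local/some_dir` applies the label, and any remaining denials from ftpd_t show up in the audit log as AVC messages against some_file_t rather than public_content_t.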



