On Wed, 2004-10-13 at 10:22, Colin Walters wrote:
> There is a policy boolean ftp_home_dir which you'd think, if turned on,
> would allow access, but it appears to be broken. Try inserting
>
> allow ftpd_t user_home_dir_type:dir { search getattr };
> rw_dir_create_file(ftpd_t,user_home_type);
>
> inside the if (ftp_home_dir) {}.

Under strict policy, this is handled via the file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) line in user_macros.te, which is wrapped by the conditional. Note that the file type transition rule is important to ensure that files created in the user home directory get the correct type.

This reflects a general issue with strict vs. targeted; in many cases, rules to per-userdomain types are granted via the user macros (sometimes indirectly via an included program macro within the user macro) and the user macros are not part of the targeted policy. End result is that targeted policy loses rules that may be important.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
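The conditional block the two messages are describing, written out as an added example (not policy text from either poster or from the Fedora policy sources). It combines the access rules from the quoted suggestion with the file type transition that the reply says strict policy gets from user_macros.te. It assumes the old monolithic policy language of that era, an ftpd.te in the targeted policy, and that the concrete home types are named user_home_dir_t and user_home_t; the thread itself only names the attributes user_home_dir_type / user_home_type and the strict-policy per-user types $1_home_dir_t / $1_home_t.

```selinux
# Added example: a fuller if (ftp_home_dir) block for targeted policy.
# Assumed names: user_home_dir_t and user_home_t (not named in the thread).

bool ftp_home_dir false;

if (ftp_home_dir) {
	# Access rules from the quoted suggestion: let the ftp daemon
	# look up home directories and create, read and write files in them.
	allow ftpd_t user_home_dir_type:dir { search getattr };
	rw_dir_create_file(ftpd_t, user_home_type);

	# The rule strict policy gets from user_macros.te and targeted policy
	# loses: a file ftpd creates under a user_home_dir_t directory is
	# relabeled to user_home_t instead of inheriting a default type, so the
	# user's own domain can still read and manage it afterwards.
	file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
}
```

After rebuilding and loading the policy, turn the boolean on with `setsebool -P ftp_home_dir 1`, confirm it with `getsebool ftp_home_dir`, then upload a file over ftp and check its label with `ls -Z`: the transition rule is working when the new file shows user_home_t rather than whatever type it would otherwise inherit. The boolean stays off by default because enabling it opens every home directory to the ftpd_t domain, which is exactly the exposure the conditional exists to make an explicit administrative choice.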