Clarkson, Mike R (US SSA) wrote:
> I'll grant that the difference is fairly subtle, but it gets into the
> software design principles of the reference policy. Chiefly, attempting
> to keep modules loosely coupled by using interfaces rather than global
> use of type identifiers. With the interface approach, all uses of the
> ftpd_t type are kept within the ftp module.
>
Well, submit it upstream and see what Chris thinks.

>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>> Sent: Thursday, September 25, 2008 10:15 AM
>> To: Clarkson, Mike R (US SSA)
>> Cc: fedora-selinux-list@xxxxxxxxxx
>> Subject: Re: giving ftp access to specif files and directories
>>
>> Clarkson, Mike R (US SSA) wrote:
>>> OK, I'll get more specific.
>>>
>>> Let's say I've got some_program that I've created a policy module for so
>>> that it runs in the some_program_t domain. Suppose some_program uses
>>> files for various purposes and the module has labeled them, such that
>>> all the files under the /local/some_dir directory are labeled
>>> some_file_t. Further suppose that some_program uses ftp to transfer one
>>> or more of the files labeled some_file_t, and that the policy writer
>>> does not want to label these files public_content_t. The policy writer
>>> can do something like this:
>>>
>>>     require { type ftpd_t; }
>>>     allow ftpd_t some_file_t:file <necessary permissions here>;
>>>
>>> Rules giving ftpd_t access to other objects belong in the ftp module,
>>> but the policy writer really doesn't want to modify the ftp module for
>>> obvious reasons. This is where it would be nice to have interfaces in
>>> the ftp module that allowed policy writers to give the ftpd_t domain
>>> access to files and directories of specific types. There could either be
>>> a series of interfaces giving different permissions to choose from or it
>>> could be handled by a generic interface such as this:
>>>
>>>     ################################################
>>>     ## <summary>
>>>     ##   Give the ftpd_t access to specified file type.
>>>     ## </summary>
>>>     ## <desc>
>>>     ##   <param name="file_type">
>>>     ##     File type to which ftpd_t needs access
>>>     ##   </param>
>>>     ##   <param name="object_type">
>>>     ##     Type of object (i.e. file or dir)
>>>     ##   </param>
>>>     ##   <param name="permission">
>>>     ##     Permission needed by ftpd_t (i.e. read, write, etc.)
>>>     ##   </param>
>>>     ## </desc>
>>>     interface(`give_ftp_access',`
>>>         gen_require(`
>>>             type ftpd_t;
>>>         ')
>>>
>>>         allow ftpd_t $1:$2 $3;
>>>     ')
>>>
>> I don't see where this is any easier than just using the code you wrote
>> above.
>>
>> Other than you don't need the gen_require.
>>
>>>> -----Original Message-----
>>>> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>>>> Sent: Tuesday, September 23, 2008 9:16 AM
>>>> To: Clarkson, Mike R (US SSA)
>>>> Cc: fedora-selinux-list@xxxxxxxxxx
>>>> Subject: Re: giving ftp access to specif files and directories
>>>>
>>>> Clarkson, Mike R (US SSA) wrote:
>>>>> In RHEL5.1, I don't see an interface allowing the policy writer to give
>>>>> the ftp daemon access to specific file and directory types. This would
>>>>> be nice to have.
>>>>>
>>>> Not sure what you are after here. Do you want to label a directory or
>>>> file with public_content_t? That will allow ftp to gain access.
>>>>
>>>> If the files are labeled something non-default you could add allow rules
>>>> using audit2allow -M myftp.
>>>>
>>>> If you want to add a type specific to ftp that other daemons would not
>>>> have access to, i.e. not public_content_t, you could define a module:
>>>>
>>>>     type ftp_content_t;
>>>>     files_type(ftp_content_t)
>>>>
>>>>     ...
>>>>
>>>> Then allow access. And set the labeling correctly.
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
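As an added illustration (not code from the thread or from the reference policy), here is how the permission-specific variant of Clarkson's proposal could be written in the ftp module and consumed from the some_program module, so that every use of ftpd_t stays inside ftp.if; the interface name ftp_read_content_type, the module version and the file context path are assumed.

```m4
# ---- ftp.if (ftp module) ----
# Added example; the interface name is assumed, not a refpolicy interface.
########################################
## <summary>
##	Allow the FTP daemon to read files and list
##	directories of the specified type.
## </summary>
## <param name="file_type">
##	<summary>
##	Type of the content ftpd_t may read.
##	</summary>
## </param>
#
interface(`ftp_read_content_type',`
	gen_require(`
		type ftpd_t;
	')

	# read_files_pattern(domain, dirtype, filetype) expands to search
	# on directories of $1 plus read_file_perms on files of $1;
	# list_dir_perms additionally lets ftpd list directory contents.
	read_files_pattern(ftpd_t, $1, $1)
	allow ftpd_t $1:dir list_dir_perms;
')

# ---- some_program.te (caller module; names assumed from the thread) ----
policy_module(some_program, 1.0.0)

type some_program_t;
type some_file_t;
files_type(some_file_t)

# Replaces the tightly coupled form:
#   require { type ftpd_t; }
#   allow ftpd_t some_file_t:file read_file_perms;
# optional_policy keeps this module loadable when the ftp module is absent.
optional_policy(`
	ftp_read_content_type(some_file_t)
')

# ---- some_program.fc (path taken from the thread) ----
/local/some_dir(/.*)?	gen_context(system_u:object_r:some_file_t,s0)
```

Walsh's alternative, a dedicated ftp_content_t declared with files_type and allowed directly inside the ftp module, needs no interface but ties the label to ftp alone, whereas the interface lets some_file_t keep its own module's labeling and rules.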