[selinux-policy: 716/3172] more pieces of ftp

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:06:46 UTC 2010 

commit a5ec7cb6c4350ca2fdf8212924377dbdcdebd96a
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 29 13:32:28 2005 +0000

    more pieces of ftp

 refpolicy/policy/global_tunables           |    6 ++++++
 refpolicy/policy/modules/kernel/storage.if |   28 ++++++++++------------------
 2 files changed, 16 insertions(+), 18 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 508631b..27dbff8 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -42,6 +42,12 @@ gen_tunable(cron_can_relabel,false)
 ## to support fcron.
 gen_tunable(fcron_crond,false)
 
+## Allow ftp to read and write files in the user home directories
+gen_tunable(ftp_home_dir,false)
+
+## Allow ftpd to run directly without inetd
+gen_tunable(ftpd_is_daemon,false)
+
 ## Allow BIND to write the master zone files.
 ## Generally this is used for dynamic DNS.
 gen_tunable(named_write_master_zones,false)
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 6addf2f..b870ccf 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -293,11 +293,10 @@ interface(`storage_raw_write_lvm_volume',`
 interface(`storage_getattr_scsi_generic',`
 	gen_require(`
 		type scsi_generic_device_t;
-		class blk_file getattr;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:blk_file getattr;
+	allow $1 scsi_generic_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -312,11 +311,10 @@ interface(`storage_getattr_scsi_generic',`
 interface(`storage_setattr_scsi_generic',`
 	gen_require(`
 		type scsi_generic_device_t;
-		class blk_file setattr;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:blk_file setattr;
+	allow $1 scsi_generic_device_t:chr_file setattr;
 ')
 
 ########################################
@@ -358,11 +356,10 @@ interface(`storage_write_scsi_generic',`
 	gen_require(`
 		attribute scsi_generic_write;
 		type scsi_generic_device_t;
-		class blk_file { getattr write ioctl };
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
+	allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
 	typeattribute $1 scsi_generic_write;
 ')
 
@@ -378,11 +375,10 @@ interface(`storage_write_scsi_generic',`
 interface(`storage_getattr_scsi_generic',`
 	gen_require(`
 		type scsi_generic_device_t;
-		class blk_file getattr;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:blk_file getattr;
+	allow $1 scsi_generic_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -397,11 +393,10 @@ interface(`storage_getattr_scsi_generic',`
 interface(`storage_set_scsi_generic_attributes',`
 	gen_require(`
 		type scsi_generic_device_t;
-		class blk_file setattr;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:blk_file setattr;
+	allow $1 scsi_generic_device_t:chr_file setattr;
 ')
 
 ########################################
@@ -571,11 +566,10 @@ interface(`storage_read_tape_device',`
 interface(`storage_write_tape_device',`
 	gen_require(`
 		type tape_device_t;
-		class blk_file { getattr write ioctl };
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:blk_file { getattr write ioctl };
+	allow $1 tape_device_t:chr_file { getattr write ioctl };
 ')
 
 ########################################
@@ -590,11 +584,10 @@ interface(`storage_write_tape_device',`
 interface(`storage_getattr_tape_device',`
 	gen_require(`
 		type tape_device_t;
-		class blk_file getattr;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:blk_file getattr;
+	allow $1 tape_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -609,11 +602,10 @@ interface(`storage_getattr_tape_device',`
 interface(`storage_setattr_tape_device',`
 	gen_require(`
 		type tape_device_t;
-		class blk_file setattr;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:blk_file setattr;
+	allow $1 tape_device_t:chr_file setattr;
 ')
 
 ########################################
@@ -632,8 +624,8 @@ interface(`storage_unconfined',`
 		attribute scsi_generic_read, scsi_generic_write;
 	')
 
-	allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
-	allow $1 { lvm_vg_t scsi_generic_device_t tape_device_t }:blk_file *;
+	allow $1 { fixed_disk_device_t removable_device_t lvm_vg_t }:blk_file *;
+	allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
 
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 	typeattribute $1 scsi_generic_read, scsi_generic_write;

More information about the scm-commits mailing list