OK, I'll get more specific.
Let's say I've got some_program that I've created a policy module for so that it runs in the some_program_t domain. Suppose some_program uses files for various purposes and the module has labeled them, such that all the files under the /local/some_dir directory are labeled some_file_t. Further suppose that some_program uses ftp to transfer one or more of the files labeled some_file_t, and that the policy writer does not want to label these files public_content_t. The policy writer can do something like this:
    require {
        type ftpd_t;
    }
    allow ftpd_t some_file_t:file <necessary permissions here>;
Rules giving ftpd_t access to other objects belong in the ftp module, but the policy writer really doesn't want to modify the ftp module for obvious reasons. This is where it would be nice to have interfaces in the ftp module that allowed policy writers to give the ftpd_t domain access to files and directories of specific types. There could either be a series of interfaces giving different permissions to choose from, or it could be handled by a generic interface such as this:
    ########################################
    ## <summary>
    ##	Give ftpd_t access to the specified file type.
    ## </summary>
    ## <desc>
    ## </desc>
    ## <param name="file_type">
    ##	File type to which ftpd_t needs access
    ## </param>
    ## <param name="object_type">
    ##	Type of object (i.e. file or dir)
    ## </param>
    ## <param name="permission">
    ##	Permission needed by ftpd_t (i.e. read, write, etc.)
    ## </param>
    interface(`give_ftp_access',`
    	gen_require(`
    		type ftpd_t;
    	')

    	allow ftpd_t $1:$2 $3;
    ')
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, September 23, 2008 9:16 AM
To: Clarkson, Mike R (US SSA)
Cc: fedora-selinux-list@redhat.com
Subject: Re: giving ftp access to specif files and directories
Clarkson, Mike R (US SSA) wrote:
In RHEL5.1, I don't see an interface allowing the policy writer to give the ftp daemon access to specific file and directory types. This would be nice to have.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Not sure what you are after here. Do you want to label a directory or file with public_content_t? That will allow ftp to gain access.
If the files are labeled something non-default, you could add allow rules using audit2allow -M myftp.
If you want to add a type specific to ftp that other daemons would not have access to (i.e. not public_content_t), you could define a module:

    type ftp_content_t;
    files_type(ftp_content_t)
    ...

Then allow access, and set the labeling correctly.
Clarkson, Mike R (US SSA) wrote:
OK, I'll get more specific.
Let's say I've got some_program that I've created a policy module for so that it runs in the some_program_t domain. Suppose some_program uses files for various purposes and the module has labeled them, such that all the files under the /local/some_dir directory are labeled some_file_t. Further suppose that some_program uses ftp to transfer one or more of the files labeled some_file_t, and that the policy writer does not want to label these files public_content_t. The policy writer can do something like this:
    require {
        type ftpd_t;
    }
    allow ftpd_t some_file_t:file <necessary permissions here>;
Rules giving ftpd_t access to other objects belong in the ftp module, but the policy writer really doesn't want to modify the ftp module for obvious reasons. This is where it would be nice to have interfaces in the ftp module that allowed policy writers to give the ftpd_t domain access to files and directories of specific types. There could either be a series of interfaces giving different permissions to choose from, or it could be handled by a generic interface such as this:
    ########################################
    ## <summary>
    ##	Give ftpd_t access to the specified file type.
    ## </summary>
    ## <desc>
    ## </desc>
    ## <param name="file_type">
    ##	File type to which ftpd_t needs access
    ## </param>
    ## <param name="object_type">
    ##	Type of object (i.e. file or dir)
    ## </param>
    ## <param name="permission">
    ##	Permission needed by ftpd_t (i.e. read, write, etc.)
    ## </param>
    interface(`give_ftp_access',`
    	gen_require(`
    		type ftpd_t;
    	')

    	allow ftpd_t $1:$2 $3;
    ')
I don't see where this is any easier than just using the code you wrote above. Other than you don't need the gen_require.
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, September 23, 2008 9:16 AM
To: Clarkson, Mike R (US SSA)
Cc: fedora-selinux-list@redhat.com
Subject: Re: giving ftp access to specif files and directories
Clarkson, Mike R (US SSA) wrote:
In RHEL5.1, I don't see an interface allowing the policy writer to give the ftp daemon access to specific file and directory types. This would be nice to have.
Not sure what you are after here. Do you want to label a directory or file with public_content_t? That will allow ftp to gain access.
If the files are labeled something non-default, you could add allow rules using audit2allow -M myftp.
If you want to add a type specific to ftp that other daemons would not have access to (i.e. not public_content_t), you could define a module:

    type ftp_content_t;
    files_type(ftp_content_t)
    ...

Then allow access, and set the labeling correctly.
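The approach both messages converge on (a private type for some_program's files, a `require` of ftpd_t, and explicit allow rules, rather than editing the ftp module or relabeling to public_content_t) written out as a complete, buildable module. This is an added example, not code from either poster or from the reference policy: the type names follow the thread, but the choice of read-only file permissions, the `/local/some_dir` file context, and the helper names `write_policy_files` and `build_and_install` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal policy module
# that defines some_file_t for /local/some_dir and lets ftpd_t read those
# files, instead of relabeling them public_content_t or editing the ftp
# module. Type names follow the thread; read-only perms are an assumption.
set -eu

MODULE=some_program

# Write the .te (rules) and .fc (file contexts) sources into directory $1.
write_policy_files() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(some_program, 1.0.0)

# ftpd_t is declared by the ftp module; pull it in with require rather
# than modifying that module.
require {
	type ftpd_t;
}

# Private type for the files some_program keeps under /local/some_dir.
type some_file_t;
files_type(some_file_t)

# Give ftpd_t exactly what it needs on that type: traverse and list the
# directories, read the files. Widen to write_file_perms etc. only if
# the transfer direction actually requires it.
allow ftpd_t some_file_t:dir list_dir_perms;
allow ftpd_t some_file_t:file read_file_perms;
EOF
    cat > "$dir/$MODULE.fc" <<'EOF'
/local/some_dir(/.*)?	gen_context(system_u:object_r:some_file_t,s0)
EOF
}

# Compile with the refpolicy devel Makefile, load the module, relabel the
# directory, and confirm the rule landed. Needs selinux-policy-devel,
# setools (sesearch) and root; run in a subshell so cd does not leak.
build_and_install() {
    dir="$1"
    (
        cd "$dir"
        make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
        semodule -i "$MODULE.pp"
        restorecon -Rv /local/some_dir
        sesearch --allow -s ftpd_t -t some_file_t -c file
    )
}

# Privileged steps only run when asked explicitly:
#   sh this_script.sh install [output_dir]
if [ "${1:-}" = "install" ]; then
    out="${2:-./some_program_policy}"
    write_policy_files "$out"
    build_and_install "$out"
fi
```

If you would rather derive the rules from observed denials, the audit2allow route mentioned above is `grep ftpd_t /var/log/audit/audit.log | audit2allow -M myftp` followed by `semodule -i myftp.pp`; review the generated .te before loading it, since audit2allow grants whatever was denied, not the minimum the transfer needs.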