I'll grant that the difference is fairly subtle, but it gets into the software design principles of the reference policy. Chiefly, it attempts to keep modules loosely coupled by using interfaces rather than global use of type identifiers. With the interface approach, all uses of the ftpd_t type are kept within the ftp module.
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Thursday, September 25, 2008 10:15 AM
To: Clarkson, Mike R (US SSA)
Cc: fedora-selinux-list@redhat.com
Subject: Re: giving ftp access to specific files and directories
Clarkson, Mike R (US SSA) wrote:
OK, I'll get more specific.
Let's say I've got some_program that I've created a policy module for so that it runs in the some_program_t domain. Suppose some_program uses files for various purposes and the module has labeled them, such that all the files under the /local/some_dir directory are labeled some_file_t. Further suppose that some_program uses ftp to transfer one or more of the files labeled some_file_t, and that the policy writer does not want to label these files public_content_t. The policy writer can do something like this:
require {
	type ftpd_t;
}
allow ftpd_t some_file_t:file <necessary permissions here>;
Rules giving ftpd_t access to other objects belong in the ftp module, but the policy writer really doesn't want to modify the ftp module for obvious reasons. This is where it would be nice to have interfaces in the ftp module that allowed policy writers to give the ftpd_t domain access to files and directories of specific types. There could either be a series of interfaces giving different permissions to choose from, or it could be handled by a generic interface such as this:
########################################
## <summary>
##	Give the ftpd_t domain access to the specified file type.
## </summary>
## <param name="file_type">
##	File type to which ftpd_t needs access
## </param>
## <param name="object_type">
##	Type of object (i.e. file or dir)
## </param>
## <param name="permission">
##	Permission needed by ftpd_t (i.e. read, write, etc.)
## </param>
#
interface(`give_ftp_access',`
	gen_require(`
		type ftpd_t;
	')

	allow ftpd_t $1:$2 $3;
')
I don't see where this is any easier than just using the code you wrote above. Other than that you don't need the gen_require.
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, September 23, 2008 9:16 AM
To: Clarkson, Mike R (US SSA)
Cc: fedora-selinux-list@redhat.com
Subject: Re: giving ftp access to specific files and directories
Clarkson, Mike R (US SSA) wrote:
In RHEL5.1, I don't see an interface allowing the policy writer to give the ftp daemon access to specific file and directory types. This would be nice to have.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Not sure what you are after here. Do you want to label a directory or file with public_content_t? That will allow ftp to gain access.

If the files are labeled something non-default you could add allow rules using audit2allow -M myftp.

If you want to add a type specific to ftp that other daemons would not have access to, i.e. not public_content_t, you could define a module:

type ftp_content_t;
files_type(ftp_content_t)
...

Then allow access, and set the labeling correctly.
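The interface-based approach argued for above, as an added example that is not from the thread or from the reference policy's own ftp module: the ftp module exports a read-only interface and the caller grants access without ever naming ftpd_t. The interface name ftp_read_content, the some_program module files and the /local/some_dir labeling are assumptions; the pattern macros (read_files_pattern, list_dirs_pattern, manage_*_pattern, init_daemon_domain) are standard refpolicy support macros.

```m4
# --- ftp.if: interface exported by the ftp module (hypothetical name) ---
########################################
## <summary>
##	Allow ftpd to read files of the specified type.
## </summary>
## <param name="file_type">
##	<summary>
##	Type of the files and directories ftpd may read.
##	</summary>
## </param>
#
interface(`ftp_read_content',`
	gen_require(`
		type ftpd_t;
	')

	# ftpd_t is named only here; callers never see it
	list_dirs_pattern(ftpd_t, $1, $1)
	read_files_pattern(ftpd_t, $1, $1)
')

# --- some_program.te: the caller's module (assumed names) ---
policy_module(some_program, 1.0.0)

type some_program_t;
type some_program_exec_t;
init_daemon_domain(some_program_t, some_program_exec_t)

# Private file type: deliberately not public_content_t, so no other
# daemon gains access merely because the type exists.
type some_file_t;
files_type(some_file_t)

manage_dirs_pattern(some_program_t, some_file_t, some_file_t)
manage_files_pattern(some_program_t, some_file_t, some_file_t)

# The only coupling to the ftp module is this call; no
# require { type ftpd_t; } is needed in this file.
ftp_read_content(some_file_t)

# --- some_program.fc: labeling for the directory from the thread ---
/local/some_dir(/.*)?	gen_context(system_u:object_r:some_file_t,s0)
```

Because .if files ship with the policy development headers, some_program can only call this interface once it is part of the ftp module itself, which is why the thread points at submitting it upstream rather than adding it locally.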
Clarkson, Mike R (US SSA) wrote:
I'll grant that the difference is fairly subtle, but it gets into the software design principles of the reference policy. Chiefly, it attempts to keep modules loosely coupled by using interfaces rather than global use of type identifiers. With the interface approach, all uses of the ftpd_t type are kept within the ftp module.
Well, submit it upstream and see what Chris thinks.