09-22-2008, 07:42 PM
"Clarkson, Mike R (US SSA)"

giving ftp access to specific files and directories

In RHEL5.1, I don't see an interface allowing the policy writer to give
the ftp daemon access to specific file and directory types. This would
be nice to have.


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
09-23-2008, 04:16 PM
Daniel J Walsh

Clarkson, Mike R (US SSA) wrote:
> In RHEL5.1, I don't see an interface allowing the policy writer to give
> the ftp daemon access to specific file and directory types. This would
> be nice to have.
Not sure what you are after here. Do you want to label a directory or
file with public_content_t? That will allow ftp to gain access.

If the files are labeled something non-default you could add allow rules
using audit2allow -M myftp.

If you want to add a type specific to ftp that other daemons would not
have access to, i.e. not public_content_t, you could define a module:

type ftp_content_t;
files_type(ftp_content_t)

...

Then allow access, and set the labeling correctly.

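Dan's dedicated-type suggestion carried through to a loadable module, as an added example (this is not code from the thread, from the Fedora policy, or from either poster). It assumes a refpolicy-style devel tree at /usr/share/selinux/devel (the selinux-policy-devel package), the path /local/some_dir and the module name myftp from the thread, vsftpd running in ftpd_t, and a hypothetical file name report.txt for the label check. The write function runs anywhere; the build and verify functions need root on the ftp host.

```shell
#!/bin/sh
# Added example, not code from the thread: a local module that gives
# ftpd_t (and only ftpd_t, by name) access to a private content type.
# Assumptions: devel tree at /usr/share/selinux/devel, path /local/some_dir
# and module name "myftp" from the thread, hypothetical file report.txt.
set -eu

# Write the type-enforcement (.te) and file-context (.fc) sources for the
# local module into directory $1. No other module has rules on
# ftp_content_t by name, which is what separates it from public_content_t.
write_myftp_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/myftp.te" <<'EOF'
policy_module(myftp, 1.0)

gen_require(`
    type ftpd_t;
')

# A content type private to this module. files_type() makes it an
# ordinary file type so restorecon, backups etc. treat it normally.
type ftp_content_t;
files_type(ftp_content_t)

# Read-only access for the ftp daemon: search and list the directories,
# read the files. Use manage_dirs_pattern/manage_files_pattern instead
# if uploads into the tree are required.
list_dirs_pattern(ftpd_t, ftp_content_t, ftp_content_t)
read_files_pattern(ftpd_t, ftp_content_t, ftp_content_t)
EOF
    cat > "$dir/myftp.fc" <<'EOF'
/local/some_dir(/.*)?        gen_context(system_u:object_r:ftp_content_t,s0)
EOF
}

# Build, load and apply the labels. Needs root and the devel Makefile.
build_and_install_myftp() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile myftp.pp )
    semodule -i "$dir/myftp.pp"
    restorecon -Rv /local/some_dir
}

# Post-install checks: module loaded, path labels as ftp_content_t,
# ftpd_t has file read on it. The last sesearch lists every domain that
# can read the type: expect ftpd_t plus whatever reaches it through the
# file_type attribute (unconfined domains, backup tools) and nothing else.
verify_myftp() {
    semodule -l | grep -q '^myftp'
    matchpathcon /local/some_dir/report.txt | grep -q 'ftp_content_t'
    sesearch -A -s ftpd_t -t ftp_content_t -c file -p read | grep -q 'allow ftpd_t'
    sesearch -A -t ftp_content_t -c file -p read
}

# Usage (as root on the ftp server): sh myftp.sh /root/myftp
if [ -n "${1:-}" ]; then
    write_myftp_policy "$1"
    build_and_install_myftp "$1"
    verify_myftp
fi
```

If the daemon then hits a permission the pattern macros do not cover, the denials show up as AVC records; `ausearch -m avc -c vsftpd | audit2allow -M myftp` is the iteration Dan refers to, and the rules it proposes are worth reading before `semodule -i` rather than loading blind, since audit2allow grants exactly what was denied and nothing less.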
 
09-23-2008, 08:58 PM
"Clarkson, Mike R (US SSA)"

OK, I'll get more specific.

Let's say I've got some_program that I've created a policy module for so
that it runs in the some_program_t domain. Suppose some_program uses
files for various purposes and the module has labeled them, such that
all the files under the /local/some_dir directory are labeled
some_file_t. Further suppose that some_program uses ftp to transfer one
or more of the files labeled some_file_t, and that the policy writer
does not want to label these files public_content_t. The policy writer
can do something like this:

require {type ftpd_t;}
allow ftpd_t some_file_t:file <necessary permissions here>;

Rules giving ftpd_t access to other objects belong in the ftp module,
but the policy writer really doesn't want to modify the ftp module for
obvious reasons. This is where it would be nice to have interfaces in
the ftp module that allowed policy writers to give the ftpd_t domain
access to files and directories of specific types. There could either be
a series of interfaces giving different permissions to choose from or it
could be handled by a generic interface such as this:

################################################
## <summary>
##    Give the ftpd_t domain access to the specified file type.
## </summary>
## <param name="file_type">
##    <summary>
##    File type to which ftpd_t needs access.
##    </summary>
## </param>
## <param name="object_class">
##    <summary>
##    Object class (i.e. file or dir).
##    </summary>
## </param>
## <param name="permission">
##    <summary>
##    Permissions needed by ftpd_t (i.e. read, write, etc.).
##    </summary>
## </param>
#
interface(`give_ftp_access',`
    gen_require(`
        type ftpd_t;
    ')

    allow ftpd_t $1:$2 $3;
')

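Mike's interface idea written out the way the reference policy structures such things, as an added example (not code from the thread, from upstream ftp.if, or from either poster): one interface per access level rather than a generic (type, class, permissions) triple, each carrying its own gen_require, because an interface body is expanded into the calling module, not into the ftp module. The interface names myftp_read_content and myftp_manage_content, the file myftp.if and the type some_program_exec_t are hypothetical; some_program_t, some_file_t and /local/some_dir are from the thread. It also assumes the devel Makefile picks up .if files in the build directory; if your version does not, copy myftp.if into its include tree under /usr/share/selinux/devel/include.

```shell
#!/bin/sh
# Added example, not code from the thread: the interface approach.
# ftpd_t is named only inside myftp.if; the some_program module calls an
# interface and never mentions the ftp daemon's domain.
# Assumptions: hypothetical interfaces myftp_read_content and
# myftp_manage_content, hypothetical type some_program_exec_t, devel tree
# at /usr/share/selinux/devel that reads .if files from the build dir.
set -eu

# Interfaces that encapsulate ftpd_t. Callers pass only their own type.
write_ftp_interfaces() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/myftp.if" <<'EOF'
## <summary>Local ftp interfaces (example, not upstream ftp.if).</summary>

########################################
## <summary>
##    Allow the ftp daemon to list directories and read files
##    of the specified type.
## </summary>
## <param name="file_type">
##    <summary>Type of the directories and files ftpd_t may read.</summary>
## </param>
#
interface(`myftp_read_content',`
    gen_require(`
        type ftpd_t;
    ')

    list_dirs_pattern(ftpd_t, $1, $1)
    read_files_pattern(ftpd_t, $1, $1)
')

########################################
## <summary>
##    Allow the ftp daemon to create, read, write and delete
##    directories and files of the specified type (uploads).
## </summary>
## <param name="file_type">
##    <summary>Type of the directories and files ftpd_t may manage.</summary>
## </param>
#
interface(`myftp_manage_content',`
    gen_require(`
        type ftpd_t;
    ')

    manage_dirs_pattern(ftpd_t, $1, $1)
    manage_files_pattern(ftpd_t, $1, $1)
')
EOF
}

# The some_program module from the thread. The ftp daemon's domain is
# never named here; the coupling to ftp is confined to one interface call.
write_some_program_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/some_program.te" <<'EOF'
policy_module(some_program, 1.0)

type some_program_t;
type some_program_exec_t;
init_daemon_domain(some_program_t, some_program_exec_t)

type some_file_t;
files_type(some_file_t)

manage_dirs_pattern(some_program_t, some_file_t, some_file_t)
manage_files_pattern(some_program_t, some_file_t, some_file_t)

# The ftp daemon may read, but not write, what some_program produces.
myftp_read_content(some_file_t)
EOF
    cat > "$dir/some_program.fc" <<'EOF'
/local/some_dir(/.*)?        gen_context(system_u:object_r:some_file_t,s0)
EOF
}

# Build and load; needs root and the devel tree. The final sesearch shows
# the expanded rule, identical to what the hand-written allow would give.
build_and_install_some_program() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile some_program.pp )
    semodule -i "$dir/some_program.pp"
    restorecon -Rv /local/some_dir
    sesearch -A -s ftpd_t -t some_file_t -c file -p read
}

# Usage (as root): sh some_program.sh /root/some_program
if [ -n "${1:-}" ]; then
    write_ftp_interfaces "$1"
    write_some_program_policy "$1"
    build_and_install_some_program "$1"
fi
```

The compiled result is the same allow rule either way; what the interface buys is that a later rename of ftpd_t, or a decision to route ftp content through a different domain, is a one-file change in the ftp module instead of a hunt through every module that ever needed ftp to see its files.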
 
09-25-2008, 05:14 PM
Daniel J Walsh

Clarkson, Mike R (US SSA) wrote:
> OK, I'll get more specific.
>
> Let's say I've got some_program that I've created a policy module for so
> that it runs in the some_program_t domain. Suppose some_program uses
> files for various purposes and the module has labeled them, such that
> all the files under the /local/some_dir directory are labeled
> some_file_t. Further suppose that some_program uses ftp to transfer one
> or more of the files labeled some_file_t, and that the policy writer
> does not want to label these files public_content_t. The policy writer
> can do something like this:
>
> require {type ftpd_t;}
> allow ftpd_t some_file_t:file <necessary permissions here>;
>
> Rules giving ftpd_t access to other objects belong in the ftp module,
> but the policy writer really doesn't want to modify the ftp module for
> obvious reasons. This is where it would be nice to have interfaces in
> the ftp module that allowed policy writers to give the ftpd_t domain
> access to files and directories of specific types. There could either be
> a series of interfaces giving different permissions to choose from or it
> could be handled by a generic interface such as this:
>
> ################################################
> ## <summary>
> ##    Give the ftpd_t domain access to the specified file type.
> ## </summary>
> ## <param name="file_type">
> ##    <summary>
> ##    File type to which ftpd_t needs access.
> ##    </summary>
> ## </param>
> ## <param name="object_class">
> ##    <summary>
> ##    Object class (i.e. file or dir).
> ##    </summary>
> ## </param>
> ## <param name="permission">
> ##    <summary>
> ##    Permissions needed by ftpd_t (i.e. read, write, etc.).
> ##    </summary>
> ## </param>
> #
> interface(`give_ftp_access',`
>     gen_require(`
>         type ftpd_t;
>     ')
>
>     allow ftpd_t $1:$2 $3;
> ')
>
I don't see where this is any easier than just using the code you wrote
above.

Other than you don't need the gen_require.

 
09-25-2008, 05:36 PM
"Clarkson, Mike R (US SSA)"

I'll grant that the difference is fairly subtle, but it gets into the
software design principles of the reference policy. Chiefly, attempting
to keep modules loosely coupled by using interfaces rather than global
use of type identifiers. With the interface approach, all uses of the
ftpd_t type are kept within the ftp module.

 
09-25-2008, 06:40 PM
Daniel J Walsh

Clarkson, Mike R (US SSA) wrote:
> I'll grant that the difference is fairly subtle, but it gets into the
> software design principles of the reference policy. Chiefly, attempting
> to keep modules loosely coupled by using interfaces rather than global
> use of type identifiers. With the interface approach, all uses of the
> ftpd_t type are kept within the ftp module.
>
Well, submit it upstream and see what Chris thinks.
 
