On Mon, 2009-09-21 at 00:24 +0200, Elia Pinto wrote:
> A trivial question. There is some reason why the SELinux ref policy
> provides only for ftp access to users' home or to a type accessible to
> other demons confined? Why it is not possible to define a ftp_data_t
> also ? The motivation is simple : whay i have to provide ftp access
> AND also permit other daemon to access ? IMHO, it is not the best as
> Least privilege.
This question is best for the refpolicy list. But the current policy
allows reading of the generic public files and conditionally (via
allow_ftpd_anon_write) it can write them. There is nothing preventing
someone from adding something like ftp_ro_data_t and ftp_rw_data_t (or
just ftp_data_t if separate ro and rw data is not needed) for files that
are exclusively shared via ftp.
If you'd like to submit a patch to add the rules, please send it to the
refpolicy list. I don't have a problem with adding this support.
--
Chris PeBenito
<[email protected]>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243