From: domg472@gmail.com (Dominick Grift)
Date: Tue, 27 Apr 2010 14:58:57 +0200
Subject: [refpolicy] services_ftp.patch
In-Reply-To: <4BD6DEB6.7040100@redhat.com>
References: <4B8452B1.5090503@redhat.com> <1272309647.32279.232.camel@gorn> <4BD6DEB6.7040100@redhat.com>
Message-ID: <4BD6DF91.4000506@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/27/2010 02:55 PM, Daniel J Walsh wrote:
> On 04/26/2010 03:20 PM, Christopher J. PeBenito wrote:
>> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>>
>>> Better handling of proftpd
>
>> Why does ftpd_t need sys_admin?
> mounting file system on login?
>
>> The change for ftp_home_dir is not acceptable. Enabling that tunable
>> shouldn't allow access to all files.
>
> Perhaps we need another boolean, to allow full access. If someone wants to
> allow an ftp server to provide access to all files on the machine.

Looks like that is already in place:

tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	auth_manage_all_files_except_shadow(sftpd_t)
')

>> Why does ftp need to connect to a db?
>
> You can use a mysql database as a back end for ftp.
>>> Added handling of sftpd from sshd
>
>> Otherwise merged.
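
The review concern in this thread (a tunable that quietly grants access to all files) can be checked mechanically. The following is an added example, not part of the original thread or of refpolicy: a small Python check that lists which `tunable_policy` blocks grant broad capabilities or the all-files interface. The sets of "broad" grants, the second sample block and its tunable name are assumptions made for the example.

```python
import re

# Constructed for this example: the capabilities and the one interface that
# this thread treats as broad. Extend the sets for a real review.
BROAD_CAPS = {"dac_override", "dac_read_search", "sys_admin"}
BROAD_INTERFACES = {"auth_manage_all_files_except_shadow"}

# The first block is quoted from the thread; the second is constructed, and its
# tunable name is hypothetical.
SAMPLE = """
tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	auth_manage_all_files_except_shadow(sftpd_t)
')
tunable_policy(`example_home_only',`
	userdom_read_user_home_content_files(sftpd_t)
')
"""

def tunable_blocks(source):
    """Yield (condition, body) per tunable_policy block, tracking nested m4 quotes."""
    for m in re.finditer(r"tunable_policy\(`([^']+)',\s*`", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"`": 1, "'": -1}.get(source[i], 0)
            i += 1
        if depth == 0:  # skip blocks whose closing quote is missing
            yield m.group(1), source[m.end():i - 1]

def audit(source):
    """Map each tunable condition to the broad grants found in its body."""
    findings = {}
    for name, body in tunable_blocks(source):
        hits = set()
        for caps in re.findall(r"self:capability\s+(\{[^}]*\}|\w+)", body):
            hits |= BROAD_CAPS & set(caps.strip("{} ").split())
        hits |= {i for i in BROAD_INTERFACES if re.search(rf"\b{i}\(", body)}
        if hits:
            findings[name] = sorted(hits)
    return findings

if __name__ == "__main__":
    for name, grants in audit(SAMPLE).items():
        print(f"{name}: {', '.join(grants)}")
```

Apostrophes inside policy comments are not handled by the quote tracking, so strip comments before running it over real `.te` files.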