From: domg472@gmail.com (Dominick Grift)
Date: Tue, 27 Apr 2010 14:58:57 +0200
Subject: [refpolicy] services_ftp.patch
In-Reply-To: <4BD6DEB6.7040100@redhat.com>
References: <4B8452B1.5090503@redhat.com> <1272309647.32279.232.camel@gorn>
	<4BD6DEB6.7040100@redhat.com>
Message-ID: <4BD6DF91.4000506@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/27/2010 02:55 PM, Daniel J Walsh wrote:
> On 04/26/2010 03:20 PM, Christopher J. PeBenito wrote:
>> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>>
>>> Better handling of proftpd
> 
>> Why does ftpd_t need sys_admin?
> mounting file system on login?
> 
>> The change for ftp_home_dir is not acceptable.  Enabling that tunable
>> shouldn't allow access to all files.
> 
> Perhaps we need another boolean, to allow full access.  If some wants to
> allow an ftp server to provide access to all files on the machine.

Looks like that is already in place:

tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	auth_manage_all_files_except_shadow(sftpd_t)
')

>> Why does ftp need to connect to a db?
> 
> You can use a mysql database as a back end for ftp.
>>> Added handling of sftpd from sshd
> 
>> Otherwise merged.
> 
> 
_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100427/f8dd513d/attachment.bin