* [refpolicy] services_ftp.patch
@ 2008-09-24 20:34 Daniel J Walsh
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2008-09-24 20:34 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_ftp.patch

Add initrc script support

allow admin to start/stop service

Admin needs admin_pattern on all file types

Creates directories in /var/run

searches network state

sends audit messages/sets loginuid

uses kerberos keytab files

can use oddjob to create homedirs uses dbus


* [refpolicy] services_ftp.patch
@ 2009-03-05 16:40 Daniel J Walsh
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2009-03-05 16:40 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_ftp.patch

Fix comments

people use ftp with a mysql backend

lists inotify

need to allow transitions when in permissive mode

Uses kerberos keytab files

Can use oddjob to create home directories.

* [refpolicy] services_ftp.patch
@ 2009-11-12 21:32 Daniel J Walsh
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:32 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_ftp.patch

ftp can use a mysqldb

Transition on mls/mcs

creates shm and keys


* [refpolicy] services_ftp.patch
@ 2010-02-23 22:12 Daniel J Walsh
  2010-04-26 19:20 ` Christopher J. PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2010-02-23 22:12 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch

Better handling of proftpd

Added handling of sftpd from sshd


* [refpolicy] services_ftp.patch
  2010-02-23 22:12 Daniel J Walsh
@ 2010-04-26 19:20 ` Christopher J. PeBenito
  2010-04-26 19:36   ` Chris Richards
  2010-04-27 12:55   ` Daniel J Walsh
  0 siblings, 2 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2010-04-26 19:20 UTC (permalink / raw)
  To: refpolicy

On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
> 
> Better handling of proftpd

Why does ftpd_t need sys_admin?

The change for ftp_home_dir is not acceptable.  Enabling that tunable
shouldn't allow access to all files.

Why does ftp need to connect to a db?

> Added handling of sftpd from sshd

Otherwise merged.

-- 
Chris PeBenito
Tresys Technology, LLC


* [refpolicy] services_ftp.patch
  2010-04-26 19:20 ` Christopher J. PeBenito
@ 2010-04-26 19:36   ` Chris Richards
  2010-04-26 20:02     ` Paul Howarth
  2010-04-27 12:55   ` Daniel J Walsh
  1 sibling, 1 reply; 11+ messages in thread
From: Chris Richards @ 2010-04-26 19:36 UTC (permalink / raw)
  To: refpolicy

I don't know in relation to this policy, but I know ProFTPD can use a 
mysql db for authentication.

Later,
Chris

On 04/26/2010 02:20 PM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>    
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>
>> Better handling of proftpd
>>      
> Why does ftpd_t need sys_admin?
>
> The change for ftp_home_dir is not acceptable.  Enabling that tunable
> shouldn't allow access to all files.
>
> Why does ftp need to connect to a db?
>
>    
>> Added handling of sftpd from sshd
>>      
> Otherwise merged.
>
>    


* [refpolicy] services_ftp.patch
  2010-04-26 19:36   ` Chris Richards
@ 2010-04-26 20:02     ` Paul Howarth
  2010-04-26 21:13       ` Chris Richards
  0 siblings, 1 reply; 11+ messages in thread
From: Paul Howarth @ 2010-04-26 20:02 UTC (permalink / raw)
  To: refpolicy

On Mon, 26 Apr 2010 14:36:26 -0500
Chris Richards <gizmo@giz-works.com> wrote:

> I don't know in relation to this policy, but I know ProFTPD can use a 
> mysql db for authentication.
> 
> Later,
> Chris
> 
> On 04/26/2010 02:20 PM, Christopher J. PeBenito wrote:
> > On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
> >    
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
> >>
> >> Better handling of proftpd
> >>      
> > Why does ftpd_t need sys_admin?
> >
> > The change for ftp_home_dir is not acceptable.  Enabling that
> > tunable shouldn't allow access to all files.
> >
> > Why does ftp need to connect to a db?

Not just ProFTPd. See discussion here:

http://lists.fedoraproject.org/pipermail/selinux/2009-February/010463.html

Paul.


* [refpolicy] services_ftp.patch
  2010-04-26 20:02     ` Paul Howarth
@ 2010-04-26 21:13       ` Chris Richards
  0 siblings, 0 replies; 11+ messages in thread
From: Chris Richards @ 2010-04-26 21:13 UTC (permalink / raw)
  To: refpolicy

On 04/26/2010 03:02 PM, Paul Howarth wrote:
> Not just ProFTPd. See discussion here:
>
> http://lists.fedoraproject.org/pipermail/selinux/2009-February/010463.html
>
> Paul.
>    

This probably isn't a discussion to have here, but I've really got to ask: wouldn't we be better served using PAM with the mysql plugin for this kind of stuff?


* [refpolicy] services_ftp.patch
  2010-04-26 19:20 ` Christopher J. PeBenito
  2010-04-26 19:36   ` Chris Richards
@ 2010-04-27 12:55   ` Daniel J Walsh
  2010-04-27 12:58     ` Dominick Grift
  1 sibling, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2010-04-27 12:55 UTC (permalink / raw)
  To: refpolicy

On 04/26/2010 03:20 PM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>
>> Better handling of proftpd
> 
> Why does ftpd_t need sys_admin?
mounting file system on login?
> 
> The change for ftp_home_dir is not acceptable.  Enabling that tunable
> shouldn't allow access to all files.
> 
Perhaps we need another boolean to allow full access, if someone wants to
allow an ftp server to provide access to all files on the machine.
> Why does ftp need to connect to a db?
> 
You can use a mysql database as a back end for ftp.
>> Added handling of sftpd from sshd
> 
> Otherwise merged.
> 


* [refpolicy] services_ftp.patch
  2010-04-27 12:55   ` Daniel J Walsh
@ 2010-04-27 12:58     ` Dominick Grift
  0 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2010-04-27 12:58 UTC (permalink / raw)
  To: refpolicy

On 04/27/2010 02:55 PM, Daniel J Walsh wrote:
> On 04/26/2010 03:20 PM, Christopher J. PeBenito wrote:
>> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>>
>>> Better handling of proftpd
> 
>> Why does ftpd_t need sys_admin?
> mounting file system on login?
> 
>> The change for ftp_home_dir is not acceptable.  Enabling that tunable
>> shouldn't allow access to all files.
> 
> Perhaps we need another boolean, to allow full access.  If some wants to
> allow an ftp server to provide access to all files on the machine.

Looks like that is already in place:

tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	auth_manage_all_files_except_shadow(sftpd_t)
')

>> Why does ftp need to connect to a db?
> 
> You can use a mysql database as a back end for ftp.
>>> Added handling of sftpd from sshd
> 
>> Otherwise merged.
> 
> 
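An added illustration of the split argued for in the exchange above (this is example policy written for this page, not code from the posted services_ftp.patch or from refpolicy itself): a fragment in refpolicy .te syntax where the `ftp_home_dir` tunable grants `ftpd_t` nothing beyond user home content, and unrestricted file access sits behind a separate boolean that is off by default. `ftpd_t`, `ftp_home_dir` and the `sftpd_full_access` block are from the thread; the boolean name `ftpd_full_access` is a hypothetical chosen here to mirror the sftpd one. The `userdom_*`, `fs_*` and `auth_*` interface names follow refpolicy's layering, but whether each exists under exactly that name depends on the refpolicy version in use, so treat them as assumptions to check against `policy/modules/` before building.

```selinux
## <desc>
## <p>
## Allow ftp servers to read and write files in users' home directories.
## </p>
## </desc>
gen_tunable(ftp_home_dir, false)

## <desc>
## <p>
## Allow ftp servers to read and write every file on the system except
## the shadow file. Off by default; enable only for a server that is
## meant to export the whole filesystem.
## </p>
## </desc>
gen_tunable(ftpd_full_access, false)

# Narrow tunable: scope is user home content only. No capability is
# granted here, so DAC still applies inside the home directory and the
# daemon cannot read other users' files even when the boolean is on.
tunable_policy(`ftp_home_dir',`
	userdom_search_user_home_dirs(ftpd_t)
	userdom_manage_user_home_content_dirs(ftpd_t)
	userdom_manage_user_home_content_files(ftpd_t)
	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
')

# Separate tunable for the all-files case (hypothetical name), shaped like
# the sftpd_full_access block quoted in the thread so both daemons are
# gated the same way. Only this branch carries dac_override.
tunable_policy(`ftpd_full_access',`
	allow ftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(ftpd_t)
	auth_manage_all_files_except_shadow(ftpd_t)
')
```

An administrator inspects the two states with `getsebool ftp_home_dir ftpd_full_access` and changes one persistently with `setsebool -P`. The point of the split is that the common case (serving home directories) never has to carry `dac_override`, while the all-files grant remains an explicit, separately auditable choice rather than a side effect of the home-directory boolean.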

* [refpolicy] services_ftp.patch
@ 2010-08-26 21:18 Daniel J Walsh
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2010-08-26 21:18 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_ftp.patch

ftp uses databases

lots of other fixes.
