Commit | Line | Data |
---|---|---|
fc6524d7 | 1 | |
12e9ea1a | 2 | policy_module(ftp,1.6.1) |
fc6524d7 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
56e1b3d2 CP |
9 | ## <desc> |
10 | ## <p> | |
11 | ## Allow ftp servers to modify public files | |
12 | ## used for public file transfer services. | |
13 | ## </p> | |
14 | ## </desc> | |
15 | gen_tunable(allow_ftpd_anon_write,false) | |
16 | ||
17 | ## <desc> | |
18 | ## <p> | |
19 | ## Allow ftp servers to login to local users and | |
20 | ## read/write all files on the system, governed by DAC. | |
21 | ## </p> | |
22 | ## </desc> | |
23 | gen_tunable(allow_ftpd_full_access,false) | |
24 | ||
25 | ## <desc> | |
26 | ## <p> | |
27 | ## Allow ftp servers to use cifs | |
28 | ## used for public file transfer services. | |
29 | ## </p> | |
30 | ## </desc> | |
31 | gen_tunable(allow_ftpd_use_cifs,false) | |
32 | ||
33 | ## <desc> | |
34 | ## <p> | |
35 | ## Allow ftp servers to use nfs | |
36 | ## used for public file transfer services. | |
37 | ## </p> | |
38 | ## </desc> | |
39 | gen_tunable(allow_ftpd_use_nfs,false) | |
40 | ||
41 | ## <desc> | |
42 | ## <p> | |
43 | ## Allow ftp to read and write files in the user home directories | |
44 | ## </p> | |
45 | ## </desc> | |
46 | gen_tunable(ftp_home_dir,false) | |
47 | ||
fc6524d7 CP |
48 | type ftpd_t; |
49 | type ftpd_exec_t; | |
50 | init_daemon_domain(ftpd_t,ftpd_exec_t) | |
51 | ||
52 | type ftpd_etc_t; | |
9bbc757a | 53 | files_config_file(ftpd_etc_t) |
fc6524d7 | 54 | |
fc6524d7 CP |
55 | type ftpd_lock_t; |
56 | files_lock_file(ftpd_lock_t) | |
57 | ||
58 | type ftpd_tmp_t; | |
59 | files_tmp_file(ftpd_tmp_t) | |
60 | ||
61 | type ftpd_tmpfs_t; | |
62 | files_tmpfs_file(ftpd_tmpfs_t) | |
63 | ||
64 | type ftpd_var_run_t; | |
65 | files_pid_file(ftpd_var_run_t) | |
66 | ||
75fbbb0b CP |
67 | type ftpdctl_t; |
68 | type ftpdctl_exec_t; | |
69 | init_system_domain(ftpdctl_t,ftpdctl_exec_t) | |
70 | ||
71 | type ftpdctl_tmp_t; | |
72 | files_tmp_file(ftpdctl_tmp_t) | |
73 | ||
fc6524d7 CP |
74 | type xferlog_t; |
75 | logging_log_file(xferlog_t) | |
76 | ||
77 | ######################################## | |
78 | # | |
75fbbb0b | 79 | # ftpd local policy |
fc6524d7 CP |
80 | # |
81 | ||
82 | allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; | |
83 | dontaudit ftpd_t self:capability sys_tty_config; | |
84 | allow ftpd_t self:process signal_perms; | |
85 | allow ftpd_t self:process { getcap setcap setsched setrlimit }; | |
c0868a7a | 86 | allow ftpd_t self:fifo_file rw_fifo_file_perms; |
fc6524d7 | 87 | allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; |
75fbbb0b | 88 | allow ftpd_t self:unix_stream_socket create_stream_socket_perms; |
fc6524d7 CP |
89 | allow ftpd_t self:tcp_socket create_stream_socket_perms; |
90 | allow ftpd_t self:udp_socket create_socket_perms; | |
91 | ||
c0868a7a | 92 | allow ftpd_t ftpd_etc_t:file read_file_perms; |
fc6524d7 | 93 | |
56e1b3d2 CP |
94 | allow ftpd_t ftpd_lock_t:file manage_file_perms; |
95 | files_lock_filetrans(ftpd_t,ftpd_lock_t,file) | |
96 | ||
c0868a7a CP |
97 | manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) |
98 | manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) | |
103fe280 | 99 | files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) |
fc6524d7 | 100 | |
c0868a7a CP |
101 | manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) |
102 | manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
103 | manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
104 | manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
105 | manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
103fe280 | 106 | fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) |
fc6524d7 | 107 | |
c0868a7a CP |
108 | manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) |
109 | manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) | |
1c1ac67f | 110 | files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) |
e6a2eaff | 111 | |
75fbbb0b CP |
112 | # proftpd requires the client side to bind a socket so that |
113 | # it can stat the socket to perform access control decisions, | |
114 | # since getsockopt with SO_PEERCRED is not available on all | |
115 | # proftpd-supported OSs | |
116 | allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; | |
117 | ||
fc6524d7 | 118 | # Create and modify /var/log/xferlog. |
8cfa5a00 | 119 | allow ftpd_t xferlog_t:dir search_dir_perms; |
c0868a7a | 120 | allow ftpd_t xferlog_t:file manage_file_perms; |
1c1ac67f | 121 | logging_log_filetrans(ftpd_t,xferlog_t,file) |
fc6524d7 | 122 | |
445522dc | 123 | kernel_read_kernel_sysctls(ftpd_t) |
fc6524d7 CP |
124 | kernel_read_system_state(ftpd_t) |
125 | ||
126 | dev_read_sysfs(ftpd_t) | |
127 | dev_read_urand(ftpd_t) | |
128 | ||
049e11af | 129 | corecmd_exec_bin(ftpd_t) |
fc6524d7 | 130 | |
19006686 CP |
131 | corenet_all_recvfrom_unlabeled(ftpd_t) |
132 | corenet_all_recvfrom_netlabel(ftpd_t) | |
fc6524d7 CP |
133 | corenet_tcp_sendrecv_all_if(ftpd_t) |
134 | corenet_udp_sendrecv_all_if(ftpd_t) | |
fc6524d7 CP |
135 | corenet_tcp_sendrecv_all_nodes(ftpd_t) |
136 | corenet_udp_sendrecv_all_nodes(ftpd_t) | |
fc6524d7 CP |
137 | corenet_tcp_sendrecv_all_ports(ftpd_t) |
138 | corenet_udp_sendrecv_all_ports(ftpd_t) | |
139 | corenet_tcp_bind_all_nodes(ftpd_t) | |
9a879bd7 | 140 | corenet_tcp_bind_ftp_port(ftpd_t) |
fc6524d7 CP |
141 | corenet_tcp_bind_ftp_data_port(ftpd_t) |
142 | corenet_tcp_bind_generic_port(ftpd_t) | |
6b19be33 CP |
143 | corenet_tcp_bind_all_unreserved_ports(ftpd_t) |
144 | corenet_dontaudit_tcp_bind_all_ports(ftpd_t) | |
fc6524d7 | 145 | corenet_tcp_connect_all_ports(ftpd_t) |
9a879bd7 | 146 | corenet_sendrecv_ftp_server_packets(ftpd_t) |
fc6524d7 | 147 | |
15722ec9 | 148 | domain_use_interactive_fds(ftpd_t) |
049e11af CP |
149 | |
150 | files_search_etc(ftpd_t) | |
151 | files_read_etc_files(ftpd_t) | |
152 | files_read_etc_runtime_files(ftpd_t) | |
9e04f5c5 | 153 | files_search_var_lib(ftpd_t) |
049e11af CP |
154 | |
155 | fs_search_auto_mountpoints(ftpd_t) | |
156 | fs_getattr_all_fs(ftpd_t) | |
157 | ||
049e11af | 158 | auth_use_nsswitch(ftpd_t) |
e6a2eaff | 159 | auth_domtrans_chk_passwd(ftpd_t) |
fc6524d7 CP |
160 | # Append to /var/log/wtmp. |
161 | auth_append_login_records(ftpd_t) | |
162 | #kerberized ftp requires the following | |
163 | auth_write_login_records(ftpd_t) | |
09c56f54 | 164 | auth_rw_faillog(ftpd_t) |
fc6524d7 | 165 | |
d6d16b97 | 166 | init_rw_utmp(ftpd_t) |
fc6524d7 CP |
167 | |
168 | libs_use_ld_so(ftpd_t) | |
169 | libs_use_shared_libs(ftpd_t) | |
170 | ||
171 | logging_send_syslog_msg(ftpd_t) | |
172 | ||
173 | miscfiles_read_localization(ftpd_t) | |
174 | miscfiles_read_public_files(ftpd_t) | |
175 | ||
176 | seutil_dontaudit_search_config(ftpd_t) | |
177 | ||
178 | sysnet_read_config(ftpd_t) | |
85a0f967 | 179 | sysnet_use_ldap(ftpd_t) |
fc6524d7 | 180 | |
103fe280 | 181 | userdom_dontaudit_search_sysadm_home_dirs(ftpd_t) |
15722ec9 | 182 | userdom_dontaudit_use_unpriv_user_fds(ftpd_t) |
fc6524d7 | 183 | |
fc6524d7 CP |
184 | tunable_policy(`allow_ftpd_anon_write',` |
185 | miscfiles_manage_public_files(ftpd_t) | |
522b59bb CP |
186 | ') |
187 | ||
188 | tunable_policy(`allow_ftpd_use_cifs',` | |
189 | fs_read_cifs_files(ftpd_t) | |
190 | fs_read_cifs_symlinks(ftpd_t) | |
191 | ') | |
192 | ||
193 | tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` | |
194 | fs_manage_cifs_files(ftpd_t) | |
195 | ') | |
196 | ||
197 | tunable_policy(`allow_ftpd_use_nfs',` | |
198 | fs_read_nfs_files(ftpd_t) | |
199 | fs_read_nfs_symlinks(ftpd_t) | |
200 | ') | |
201 | ||
202 | tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` | |
203 | fs_manage_nfs_files(ftpd_t) | |
204 | ') | |
fc6524d7 | 205 | |
6b19be33 CP |
206 | tunable_policy(`allow_ftpd_full_access',` |
207 | allow ftpd_t self:capability { dac_override dac_read_search }; | |
208 | auth_manage_all_files_except_shadow(ftpd_t) | |
209 | ') | |
210 | ||
fc6524d7 | 211 | tunable_policy(`ftp_home_dir',` |
165b42d2 CP |
212 | allow ftpd_t self:capability { dac_override dac_read_search }; |
213 | ||
fc6524d7 | 214 | # allow access to /home |
d8636fc9 | 215 | files_list_home(ftpd_t) |
103fe280 CP |
216 | userdom_read_all_users_home_content_files(ftpd_t) |
217 | userdom_manage_all_users_home_content_dirs(ftpd_t) | |
218 | userdom_manage_all_users_home_content_files(ftpd_t) | |
219 | userdom_manage_all_users_home_content_symlinks(ftpd_t) | |
fc6524d7 CP |
220 | ') |
221 | ||
522b59bb CP |
222 | tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` |
223 | fs_manage_nfs_files(ftpd_t) | |
224 | fs_read_nfs_symlinks(ftpd_t) | |
225 | ') | |
226 | ||
227 | tunable_policy(`ftp_home_dir && use_samba_home_dirs',` | |
228 | fs_manage_cifs_files(ftpd_t) | |
229 | fs_read_cifs_symlinks(ftpd_t) | |
230 | ') | |
231 | ||
46551033 CP |
232 | optional_policy(` |
233 | tunable_policy(`ftp_home_dir',` | |
234 | apache_search_sys_content(ftpd_t) | |
235 | ') | |
236 | ') | |
237 | ||
bb7170f6 | 238 | optional_policy(` |
fc6524d7 CP |
239 | corecmd_exec_shell(ftpd_t) |
240 | ||
77f6e2cd | 241 | files_read_usr_files(ftpd_t) |
fc6524d7 CP |
242 | |
243 | cron_system_entry(ftpd_t, ftpd_exec_t) | |
244 | ||
bb7170f6 | 245 | optional_policy(` |
fc6524d7 CP |
246 | logrotate_exec(ftpd_t) |
247 | ') | |
248 | ') | |
249 | ||
bb7170f6 | 250 | optional_policy(` |
44d5d93f CP |
251 | daemontools_service_domain(ftpd_t, ftpd_exec_t) |
252 | ') | |
253 | ||
09c56f54 CP |
254 | optional_policy(` |
255 | kerberos_read_keytab(ftpd_t) | |
256 | ') | |
257 | ||
bb7170f6 | 258 | optional_policy(` |
73ef293b CP |
259 | inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) |
260 | ||
bb7170f6 | 261 | optional_policy(` |
56e1b3d2 | 262 | tcpd_domtrans(tcpd_t) |
77f6e2cd | 263 | ') |
fc6524d7 CP |
264 | ') |
265 | ||
bb7170f6 | 266 | optional_policy(` |
fc6524d7 CP |
267 | seutil_sigchld_newrole(ftpd_t) |
268 | ') | |
269 | ||
bb7170f6 | 270 | optional_policy(` |
fc6524d7 CP |
271 | udev_read_db(ftpd_t) |
272 | ') | |
75fbbb0b CP |
273 | |
274 | ######################################## | |
275 | # | |
276 | # ftpdctl local policy | |
277 | # | |
278 | ||
279 | # Allow ftpdctl to talk to ftpd over a socket connection | |
c0868a7a | 280 | stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t) |
75fbbb0b CP |
281 | |
282 | # ftpdctl creates a socket so that the daemon can perform | |
283 | # access control decisions (see comments in ftpd_t rules above) | |
284 | allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; | |
285 | files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) | |
286 | ||
287 | # Allow ftpdctl to read config files | |
288 | files_read_etc_files(ftpdctl_t) | |
289 | ||
290 | libs_use_ld_so(ftpdctl_t) | |
291 | libs_use_shared_libs(ftpdctl_t) |
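Review bot: `tcpd_domtrans(tcpd_t)` at file line 262, inside the nested optional_policy under inetd_tcp_service_domain, names the wrong source domain: the interface's argument is the domain that executes tcpd and transitions into tcpd_t, so passing tcpd_t itself only describes a self-transition and gives the ftp daemon nothing. For an inetd-spawned ftpd the flow is inetd_t → tcpd_t → ftpd_t, so the rule needed is one that lets tcpd_t execute ftpd_exec_t and enter ftpd_t; later refpolicy expresses this as `tcpd_wrapped_domain(ftpd_t, ftpd_exec_t)`, but whether that interface exists at this module's version (policy_module(ftp,1.6.1)) is not visible here, so confirm against the tcpd module before changing the call. Separately, the ftp_home_dir tunable's description (file lines 41–46) only mentions home-directory reads and writes, while the block at file line 212 also grants `dac_override dac_read_search`, which lets ftpd_t bypass DAC checks on the files it is allowed to reach; the description should state that, e.g. `## Allow ftp to read and write files in the user home directories (also grants the dac_override and dac_read_search capabilities to ftpd_t)`.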