# Reference policy module for FTP servers (ftpd_t and its ftpdctl control
# utility; proftpd is referenced below) and for the internal-sftp
# subsystem (sftpd_t, anon_sftpd_t). Anything beyond public content and
# the daemons' own state is gated by the tunables declared here.
policy_module(ftp, 1.12.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow ftp servers to upload files into directories labeled
##	public_content_rw_t, as used by public file transfer services.
##	Reading public content does not require this tunable.
##	</p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)

## <desc>
##	<p>
##	Allow ftp servers to log in local users and read/write
##	every file on the system except the shadow password
##	database, governed by DAC.
##	</p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)

## <desc>
##	<p>
##	Allow ftp servers to read files on CIFS file systems, used
##	for public file transfer services. Writing to them also
##	requires allow_ftpd_anon_write.
##	</p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)

## <desc>
##	<p>
##	Allow ftp servers to read files on NFS file systems, used
##	for public file transfer services. Writing to them also
##	requires allow_ftpd_anon_write.
##	</p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)

## <desc>
##	<p>
##	Allow ftp servers to read and write files in user home
##	directories (including NFS and Samba homes when the
##	corresponding use_*_home_dirs booleans are on).
##	</p>
## </desc>
gen_tunable(ftp_home_dir, false)

## <desc>
##	<p>
##	Allow anonymous internal-sftp sessions to upload files into
##	directories labeled public_content_rw_t, as used by public
##	file transfer services.
##	</p>
## </desc>
gen_tunable(sftpd_anon_write, false)

## <desc>
##	<p>
##	Allow internal-sftp to write, not just read, files in
##	user home directories.
##	</p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)

## <desc>
##	<p>
##	Allow internal-sftp to log in local users and read/write
##	every file on the system except the shadow password
##	database, governed by DAC.
##	</p>
## </desc>
gen_tunable(sftpd_full_access, false)

# Anonymous internal-sftp sessions; sftpd_anon_t is an alias, presumably
# kept for policy written against the older name.
type anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
role system_r types anon_sftpd_t;

# The ftp daemon itself, started by init as a daemon.
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)

type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)

# Daemon-private state: configuration, lock, pid and temporary files.
type ftpd_etc_t;
files_config_file(ftpd_etc_t)

type ftpd_lock_t;
files_lock_file(ftpd_lock_t)

type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)

type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)

type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)

# Control utility for the daemon (proftpd's ftpdctl, see the socket
# comments below); a system domain, not a long-running daemon.
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t, ftpdctl_exec_t)

# The socket ftpdctl creates in /tmp for the daemon to inspect.
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

# Authenticated internal-sftp sessions. No entry point or exec type is
# declared in this module; presumably the transition into sftpd_t is set
# up elsewhere (ssh module) -- confirm.
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;

# Transfer log (/var/log/xferlog).
type xferlog_t;
logging_log_file(xferlog_t)

# Under MCS the daemon runs ranged so that it can serve every category.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# anon-sftp local policy
#

# The anonymous sftp domain gets read access to /etc and to public
# content only; writing to public_content_rw_t is opt-in.
files_read_etc_files(anon_sftpd_t)

miscfiles_read_public_files(anon_sftpd_t)

tunable_policy(`sftpd_anon_write',`
	miscfiles_manage_public_files(anon_sftpd_t)
')

########################################
#
# ftpd local policy
#

# Process-level permissions. setuid/setgid and sys_chroot cover dropping
# to the logged-in user and jailing the session to a directory; chown,
# fowner and fsetid presumably cover ownership and mode changes on files
# clients upload (daemon code not visible here). sys_tty_config denials
# are silenced rather than granted.
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };

# IPC objects and sockets the daemon creates for itself.
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;
allow ftpd_t self:{ tcp_socket unix_stream_socket } create_stream_socket_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:udp_socket create_socket_perms;

# Configuration is read-only for the daemon.
allow ftpd_t ftpd_etc_t:file read_file_perms;

# Lock and pid files, labeled on creation under /var/lock and /var/run.
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)

manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })

# Temporary files in /tmp and on tmpfs.
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })

manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# proftpd requires the client side (ftpdctl) to bind a socket so that the
# daemon can stat it and make an access control decision, because
# getsockopt(SO_PEERCRED) is not available on every OS proftpd supports.
# The daemon only inspects and removes the socket; ftpdctl creates it.
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Create and write the transfer log (/var/log/xferlog).
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)

kernel_read_system_state(ftpd_t)
kernel_read_kernel_sysctls(ftpd_t)
kernel_search_network_state(ftpd_t)

dev_read_urand(ftpd_t)
dev_read_sysfs(ftpd_t)

corecmd_exec_bin(ftpd_t)

# Network: talk to any peer, labeled or not, on generic interfaces/nodes.
corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_tcp_sendrecv_generic_node(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_node(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)

# Listeners: the control port, the data port (active mode source port)
# and, presumably for passive mode, any unreserved port. Binds to other
# ports are denied silently.
corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
# Active mode connects back to whatever port the client nominated.
corenet_tcp_connect_all_ports(ftpd_t)

domain_use_interactive_fds(ftpd_t)

files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)

fs_getattr_all_fs(ftpd_t)
fs_search_auto_mountpoints(ftpd_t)
fs_search_fusefs(ftpd_t)

# Authentication: name service lookups, password checks through the
# chkpwd helper domain, and login accounting (wtmp, utmp, faillog).
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
auth_append_login_records(ftpd_t)
# Kerberized ftp needs to rewrite, not just append to, the login records.
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)

init_rw_utmp(ftpd_t)

logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)

miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

seutil_dontaudit_search_config(ftpd_t)

sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)

# Inherited user descriptors and home directory probes are expected and
# harmless; keep them out of the audit log instead of granting them.
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)

# Writes to public_content_rw_t are opt-in.
tunable_policy(`allow_ftpd_anon_write',`
	miscfiles_manage_public_files(ftpd_t)
')

# Remote file systems are read-only unless anonymous writes are also on.
tunable_policy(`allow_ftpd_use_nfs',`
	fs_read_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	fs_manage_nfs_files(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs',`
	fs_read_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	fs_manage_cifs_files(ftpd_t)
')

# Full access: every file except the shadow database, plus the
# capabilities a root process needs to get past DAC on other users'
# files. Whether DAC still constrains a logged-in session therefore
# depends on the daemon dropping privileges, not on this policy.
tunable_policy(`allow_ftpd_full_access',`
	auth_manage_all_files_except_shadow(ftpd_t)
	allow ftpd_t self:capability { dac_override dac_read_search };
')

tunable_policy(`ftp_home_dir',`
	allow ftpd_t self:capability { dac_override dac_read_search };

	# Reach /home and manage user home directory content, labeling
	# new entries as user home content. (The explicit read interface
	# is presumably subsumed by the manage interface; kept as-is.)
	files_list_home(ftpd_t)
	userdom_read_user_home_content_files(ftpd_t)
	userdom_manage_user_home_content_dirs(ftpd_t)
	userdom_manage_user_home_content_files(ftpd_t)
	userdom_manage_user_home_content_symlinks(ftpd_t)
	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
')

# Home directories kept on NFS or Samba shares (system-wide booleans).
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	fs_manage_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	fs_manage_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

optional_policy(`
	# Presumably so home-directory sessions can traverse web content.
	tunable_policy(`ftp_home_dir',`
		apache_search_sys_content(ftpd_t)
	')
')

optional_policy(`
	# Runs as a system cron job; needs a shell and files under /usr,
	# and may invoke logrotate.
	cron_system_entry(ftpd_t, ftpd_exec_t)
	corecmd_exec_shell(ftpd_t)
	files_read_usr_files(ftpd_t)

	optional_policy(`
		logrotate_exec(ftpd_t)
	')
')

optional_policy(`
	daemontools_service_domain(ftpd_t, ftpd_exec_t)
')

optional_policy(`
	# Kerberized logins: host keytab and replay cache.
	kerberos_keytab_template(ftpd, ftpd_t)
	kerberos_manage_host_rcache(ftpd_t)
	selinux_validate_context(ftpd_t)
')

optional_policy(`
	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)

	optional_policy(`
		# NOTE(review): the argument is tcpd_t, not ftpd_t. If
		# tcpd_domtrans grants $1 a transition into tcpd_t, this is
		# a self-transition and does nothing for ftpd under tcp
		# wrappers; confirm against the tcpd interfaces.
		tcpd_domtrans(tcpd_t)
	')
')

optional_policy(`
	dbus_system_bus_client(ftpd_t)

	optional_policy(`
		# Create missing home directories through oddjob.
		oddjob_dbus_chat(ftpd_t)
		oddjob_domtrans_mkhomedir(ftpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(ftpd_t)
')

optional_policy(`
	udev_read_db(ftpd_t)
')

########################################
#
# ftpdctl local policy
#

# Talk to the daemon over its control socket under /var/run.
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)

# ftpdctl binds a socket in /tmp so that the daemon can stat it and make
# its access control decision (see the ftpd_t rules above). ftpdctl only
# creates and labels it; removal is left to the daemon.
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)

files_read_etc_files(ftpdctl_t)

# Invoked interactively from a user's terminal.
userdom_use_user_terminals(ftpdctl_t)

########################################
#
# sftpd local policy
#

files_read_etc_files(sftpd_t)

# Home directory content is readable by default; writing is gated by
# sftpd_enable_homedirs.
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)

tunable_policy(`sftpd_enable_homedirs',`
	allow sftpd_t self:capability { dac_override dac_read_search };

	# Manage user home directory content and label new entries.
	# NOTE(review): unlike ftpd_t's ftp_home_dir block, symlinks are
	# not managed and lnk_file is absent from the filetrans; confirm
	# whether that is intentional.
	files_list_home(sftpd_t)
	userdom_manage_user_home_content_dirs(sftpd_t)
	userdom_manage_user_home_content_files(sftpd_t)
	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
')

tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
	fs_manage_nfs_dirs(sftpd_t)
	fs_manage_nfs_files(sftpd_t)
	fs_manage_nfs_symlinks(sftpd_t)
')

tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
	fs_manage_cifs_dirs(sftpd_t)
	fs_manage_cifs_files(sftpd_t)
	fs_manage_cifs_symlinks(sftpd_t)
')

# Everything except the shadow database, plus files on file systems
# without xattr support.
tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	auth_manage_all_files_except_shadow(sftpd_t)
	fs_read_noxattr_fs_files(sftpd_t)
')

# Read-only access to home content on Samba shares whenever the system
# keeps home directories there, independent of sftpd_enable_homedirs.
tunable_policy(`use_samba_home_dirs',`
	fs_list_cifs(sftpd_t)
	fs_read_cifs_files(sftpd_t)
	fs_read_cifs_symlinks(sftpd_t)
')

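# Read-only access to home content on NFS whenever the system keeps home
# directories there, independent of sftpd_enable_homedirs. All three
# rules target sftpd_t; the ftp daemon's NFS access is gated separately
# by allow_ftpd_use_nfs and ftp_home_dir, so nothing in this block may
# grant ftpd_t anything (the symlink rule previously did).
tunable_policy(`use_nfs_home_dirs',`
	fs_list_nfs(sftpd_t)
	fs_read_nfs_files(sftpd_t)
	fs_read_nfs_symlinks(sftpd_t)
')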