[people/stevee/selinux-policy.git] / policy / modules / services / ftp.te


policy_module(ftp, 1.12.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow ftp servers to upload files,  used for public file
## transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)

## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)

## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)

## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)

## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir, false)

## <desc>
## <p>
## Allow anon internal-sftp to upload files, used for
## public file transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)

## <desc>
## <p>
## Allow sftp-internal to read and write files
## in the user home directories
## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)

## <desc>
## <p>
## Allow sftp-internal to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(sftpd_full_access, false)

type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
role system_r types anon_sftpd_t;

type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)

type ftpd_etc_t;
files_config_file(ftpd_etc_t)

type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)

type ftpd_lock_t;
files_lock_file(ftpd_lock_t)

type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)

type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)

type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)

type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t, ftpdctl_exec_t)

type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;

type xferlog_t;
logging_log_file(xferlog_t)

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# anon-sftp local policy
#

files_read_etc_files(anon_sftpd_t)

miscfiles_read_public_files(anon_sftpd_t)

tunable_policy(`sftpd_anon_write',`
	miscfiles_manage_public_files(anon_sftpd_t)
')

########################################
#
# ftpd local policy
#

allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;

allow ftpd_t ftpd_etc_t:file read_file_perms;

allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)

manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })

manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )

# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)

kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
kernel_search_network_state(ftpd_t)

dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)

corecmd_exec_bin(ftpd_t)

corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
corenet_tcp_sendrecv_generic_node(ftpd_t)
corenet_udp_sendrecv_generic_node(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)

domain_use_interactive_fds(ftpd_t)

files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)

fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)

auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)

init_rw_utmp(ftpd_t)

logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)

miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

seutil_dontaudit_search_config(ftpd_t)

sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)

userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)

tunable_policy(`allow_ftpd_anon_write',`
	miscfiles_manage_public_files(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs',`
	fs_read_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	fs_manage_cifs_files(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs',`
	fs_read_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	fs_manage_nfs_files(ftpd_t)
')

tunable_policy(`allow_ftpd_full_access',`
	allow ftpd_t self:capability { dac_override dac_read_search };
	auth_manage_all_files_except_shadow(ftpd_t)
')

tunable_policy(`ftp_home_dir',`
	allow ftpd_t self:capability { dac_override dac_read_search };

	# allow access to /home
	files_list_home(ftpd_t)
	userdom_read_user_home_content_files(ftpd_t)
	userdom_manage_user_home_content_dirs(ftpd_t)
	userdom_manage_user_home_content_files(ftpd_t)
	userdom_manage_user_home_content_symlinks(ftpd_t)
	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
')

tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	fs_manage_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	fs_manage_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

optional_policy(`
	tunable_policy(`ftp_home_dir',`
		apache_search_sys_content(ftpd_t)
	')
')

optional_policy(`
	corecmd_exec_shell(ftpd_t)

	files_read_usr_files(ftpd_t)

	cron_system_entry(ftpd_t, ftpd_exec_t)

	optional_policy(`
		logrotate_exec(ftpd_t)
	')
')

optional_policy(`
	daemontools_service_domain(ftpd_t, ftpd_exec_t)
')

optional_policy(`
	selinux_validate_context(ftpd_t)

	kerberos_keytab_template(ftpd, ftpd_t)
	kerberos_manage_host_rcache(ftpd_t)
')

optional_policy(`
	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)

	optional_policy(`
		tcpd_domtrans(tcpd_t)
	')
')

optional_policy(`
	dbus_system_bus_client(ftpd_t)

	optional_policy(`
		oddjob_dbus_chat(ftpd_t)
		oddjob_domtrans_mkhomedir(ftpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(ftpd_t)
')

optional_policy(`
	udev_read_db(ftpd_t)
')

########################################
#
# ftpdctl local policy
#

# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)

# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

userdom_use_user_terminals(ftpdctl_t)

########################################
#
# sftpd local policy
#

files_read_etc_files(sftpd_t)

# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)

tunable_policy(`sftpd_enable_homedirs',`
	allow sftpd_t self:capability { dac_override dac_read_search };

	# allow access to /home
	files_list_home(sftpd_t)
	userdom_manage_user_home_content_files(sftpd_t)
	userdom_manage_user_home_content_dirs(sftpd_t)
	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
')

tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
	fs_manage_nfs_dirs(sftpd_t)
	fs_manage_nfs_files(sftpd_t)
	fs_manage_nfs_symlinks(sftpd_t)
')

tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
	fs_manage_cifs_dirs(sftpd_t)
	fs_manage_cifs_files(sftpd_t)
	fs_manage_cifs_symlinks(sftpd_t)
')

tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	auth_manage_all_files_except_shadow(sftpd_t)
')

tunable_policy(`use_samba_home_dirs',`
	# allow read access to /home by default
	fs_list_cifs(sftpd_t)
	fs_read_cifs_files(sftpd_t)
	fs_read_cifs_symlinks(sftpd_t)
')

tunable_policy(`use_nfs_home_dirs',`
	# allow read access to /home by default
	fs_list_nfs(sftpd_t)
	fs_read_nfs_files(sftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')
Commit	Line	Data
fc6524d7	1
29af4c13	2	policy_module(ftp, 1.12.0)
fc6524d7 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
56e1b3d2 CP	10	## <p>
dd9e1de3 CP	11	## Allow ftp servers to upload files, used for public file
	12	## transfer services. Directories must be labeled
	13	## public_content_rw_t.
56e1b3d2 CP	14	## </p>
56e1b3d2 CP	15	## </desc>
0bfccda4	16	gen_tunable(allow_ftpd_anon_write, false)
56e1b3d2 CP	17
	18	## <desc>
	19	## <p>
a53c6c65	20	## Allow ftp servers to login to local users and
56e1b3d2 CP	21	## read/write all files on the system, governed by DAC.
	22	## </p>
	23	## </desc>
0bfccda4	24	gen_tunable(allow_ftpd_full_access, false)
56e1b3d2 CP	25
	26	## <desc>
	27	## <p>
	28	## Allow ftp servers to use cifs
	29	## used for public file transfer services.
	30	## </p>
	31	## </desc>
0bfccda4	32	gen_tunable(allow_ftpd_use_cifs, false)
56e1b3d2 CP	33
	34	## <desc>
	35	## <p>
	36	## Allow ftp servers to use nfs
	37	## used for public file transfer services.
	38	## </p>
	39	## </desc>
0bfccda4	40	gen_tunable(allow_ftpd_use_nfs, false)
56e1b3d2 CP	41
	42	## <desc>
	43	## <p>
	44	## Allow ftp to read and write files in the user home directories
	45	## </p>
	46	## </desc>
0bfccda4	47	gen_tunable(ftp_home_dir, false)
56e1b3d2	48
a53c6c65 CP	49	## <desc>
	50	## <p>
	51	## Allow anon internal-sftp to upload files, used for
	52	## public file transfer services. Directories must be labeled
	53	## public_content_rw_t.
	54	## </p>
	55	## </desc>
	56	gen_tunable(sftpd_anon_write, false)
	57
	58	## <desc>
	59	## <p>
	60	## Allow sftp-internal to read and write files
	61	## in the user home directories
	62	## </p>
	63	## </desc>
	64	gen_tunable(sftpd_enable_homedirs, false)
	65
	66	## <desc>
	67	## <p>
	68	## Allow sftp-internal to login to local users and
	69	## read/write all files on the system, governed by DAC.
	70	## </p>
	71	## </desc>
	72	gen_tunable(sftpd_full_access, false)
	73
	74	type anon_sftpd_t;
	75	typealias anon_sftpd_t alias sftpd_anon_t;
	76	domain_type(anon_sftpd_t)
	77	role system_r types anon_sftpd_t;
	78
fc6524d7 CP	79	type ftpd_t;
fc6524d7 CP	80	type ftpd_exec_t;
0bfccda4	81	init_daemon_domain(ftpd_t, ftpd_exec_t)
fc6524d7 CP	82
fc6524d7 CP	83	type ftpd_etc_t;
9bbc757a	84	files_config_file(ftpd_etc_t)
fc6524d7	85
967fd1ba CP	86	type ftpd_initrc_exec_t;
	87	init_script_file(ftpd_initrc_exec_t)
	88
fc6524d7 CP	89	type ftpd_lock_t;
	90	files_lock_file(ftpd_lock_t)
	91
	92	type ftpd_tmp_t;
	93	files_tmp_file(ftpd_tmp_t)
	94
	95	type ftpd_tmpfs_t;
	96	files_tmpfs_file(ftpd_tmpfs_t)
	97
	98	type ftpd_var_run_t;
	99	files_pid_file(ftpd_var_run_t)
	100
75fbbb0b CP	101	type ftpdctl_t;
75fbbb0b CP	102	type ftpdctl_exec_t;
0bfccda4	103	init_system_domain(ftpdctl_t, ftpdctl_exec_t)
75fbbb0b CP	104
	105	type ftpdctl_tmp_t;
	106	files_tmp_file(ftpdctl_tmp_t)
	107
a53c6c65 CP	108	type sftpd_t;
	109	domain_type(sftpd_t)
	110	role system_r types sftpd_t;
	111
fc6524d7 CP	112	type xferlog_t;
	113	logging_log_file(xferlog_t)
	114
a53c6c65 CP	115	ifdef(`enable_mcs',`
	116	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
	117	')
	118
	119	########################################
	120	#
	121	# anon-sftp local policy
	122	#
	123
	124	files_read_etc_files(anon_sftpd_t)
	125
	126	miscfiles_read_public_files(anon_sftpd_t)
	127
	128	tunable_policy(`sftpd_anon_write',`
	129	miscfiles_manage_public_files(anon_sftpd_t)
	130	')
	131
fc6524d7 CP	132	########################################
fc6524d7 CP	133	#
75fbbb0b	134	# ftpd local policy
fc6524d7 CP	135	#
	136
	137	allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
	138	dontaudit ftpd_t self:capability sys_tty_config;
a53c6c65	139	allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
c0868a7a	140	allow ftpd_t self:fifo_file rw_fifo_file_perms;
fc6524d7	141	allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
75fbbb0b	142	allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
fc6524d7 CP	143	allow ftpd_t self:tcp_socket create_stream_socket_perms;
fc6524d7 CP	144	allow ftpd_t self:udp_socket create_socket_perms;
a53c6c65 CP	145	allow ftpd_t self:shm create_shm_perms;
a53c6c65 CP	146	allow ftpd_t self:key manage_key_perms;
fc6524d7	147
c0868a7a	148	allow ftpd_t ftpd_etc_t:file read_file_perms;
fc6524d7	149
56e1b3d2	150	allow ftpd_t ftpd_lock_t:file manage_file_perms;
0bfccda4	151	files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
56e1b3d2	152
0bfccda4 CP	153	manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
0bfccda4 CP	154	manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
103fe280	155	files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
fc6524d7	156
0bfccda4 CP	157	manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	158	manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	159	manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	160	manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	161	manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	162	fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
fc6524d7	163
967fd1ba	164	manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
0bfccda4 CP	165	manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
0bfccda4 CP	166	manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
967fd1ba	167	files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
e6a2eaff	168
75fbbb0b CP	169	# proftpd requires the client side to bind a socket so that
	170	# it can stat the socket to perform access control decisions,
	171	# since getsockopt with SO_PEERCRED is not available on all
	172	# proftpd-supported OSs
	173	allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
	174
fc6524d7	175	# Create and modify /var/log/xferlog.
a53c6c65	176	manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
0bfccda4	177	logging_log_filetrans(ftpd_t, xferlog_t, file)
fc6524d7	178
445522dc	179	kernel_read_kernel_sysctls(ftpd_t)
fc6524d7	180	kernel_read_system_state(ftpd_t)
967fd1ba	181	kernel_search_network_state(ftpd_t)
fc6524d7 CP	182
	183	dev_read_sysfs(ftpd_t)
	184	dev_read_urand(ftpd_t)
	185
049e11af	186	corecmd_exec_bin(ftpd_t)
fc6524d7	187
19006686 CP	188	corenet_all_recvfrom_unlabeled(ftpd_t)
19006686 CP	189	corenet_all_recvfrom_netlabel(ftpd_t)
668b3093 CP	190	corenet_tcp_sendrecv_generic_if(ftpd_t)
668b3093 CP	191	corenet_udp_sendrecv_generic_if(ftpd_t)
c1262146 CP	192	corenet_tcp_sendrecv_generic_node(ftpd_t)
c1262146 CP	193	corenet_udp_sendrecv_generic_node(ftpd_t)
fc6524d7 CP	194	corenet_tcp_sendrecv_all_ports(ftpd_t)
fc6524d7 CP	195	corenet_udp_sendrecv_all_ports(ftpd_t)
c1262146	196	corenet_tcp_bind_generic_node(ftpd_t)
9a879bd7	197	corenet_tcp_bind_ftp_port(ftpd_t)
fc6524d7 CP	198	corenet_tcp_bind_ftp_data_port(ftpd_t)
fc6524d7 CP	199	corenet_tcp_bind_generic_port(ftpd_t)
6b19be33 CP	200	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
6b19be33 CP	201	corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
fc6524d7	202	corenet_tcp_connect_all_ports(ftpd_t)
9a879bd7	203	corenet_sendrecv_ftp_server_packets(ftpd_t)
fc6524d7	204
15722ec9	205	domain_use_interactive_fds(ftpd_t)
049e11af CP	206
	207	files_search_etc(ftpd_t)
	208	files_read_etc_files(ftpd_t)
	209	files_read_etc_runtime_files(ftpd_t)
9e04f5c5	210	files_search_var_lib(ftpd_t)
049e11af CP	211
	212	fs_search_auto_mountpoints(ftpd_t)
	213	fs_getattr_all_fs(ftpd_t)
a53c6c65	214	fs_search_fusefs(ftpd_t)
049e11af	215
049e11af	216	auth_use_nsswitch(ftpd_t)
e6a2eaff	217	auth_domtrans_chk_passwd(ftpd_t)
fc6524d7 CP	218	# Append to /var/log/wtmp.
	219	auth_append_login_records(ftpd_t)
	220	#kerberized ftp requires the following
	221	auth_write_login_records(ftpd_t)
09c56f54	222	auth_rw_faillog(ftpd_t)
fc6524d7	223
d6d16b97	224	init_rw_utmp(ftpd_t)
fc6524d7	225
967fd1ba	226	logging_send_audit_msgs(ftpd_t)
fc6524d7	227	logging_send_syslog_msg(ftpd_t)
967fd1ba	228	logging_set_loginuid(ftpd_t)
fc6524d7 CP	229
	230	miscfiles_read_localization(ftpd_t)
	231	miscfiles_read_public_files(ftpd_t)
	232
	233	seutil_dontaudit_search_config(ftpd_t)
	234
	235	sysnet_read_config(ftpd_t)
85a0f967	236	sysnet_use_ldap(ftpd_t)
fc6524d7	237
15722ec9	238	userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
296273a7	239	userdom_dontaudit_search_user_home_dirs(ftpd_t)
e9c6cda7	240
fc6524d7 CP	241	tunable_policy(`allow_ftpd_anon_write',`
fc6524d7 CP	242	miscfiles_manage_public_files(ftpd_t)
522b59bb CP	243	')
	244
	245	tunable_policy(`allow_ftpd_use_cifs',`
	246	fs_read_cifs_files(ftpd_t)
	247	fs_read_cifs_symlinks(ftpd_t)
	248	')
	249
	250	tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	251	fs_manage_cifs_files(ftpd_t)
	252	')
	253
	254	tunable_policy(`allow_ftpd_use_nfs',`
	255	fs_read_nfs_files(ftpd_t)
	256	fs_read_nfs_symlinks(ftpd_t)
	257	')
	258
	259	tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	260	fs_manage_nfs_files(ftpd_t)
	261	')
fc6524d7	262
6b19be33 CP	263	tunable_policy(`allow_ftpd_full_access',`
	264	allow ftpd_t self:capability { dac_override dac_read_search };
	265	auth_manage_all_files_except_shadow(ftpd_t)
	266	')
	267
fc6524d7	268	tunable_policy(`ftp_home_dir',`
165b42d2 CP	269	allow ftpd_t self:capability { dac_override dac_read_search };
165b42d2 CP	270
fc6524d7	271	# allow access to /home
d8636fc9	272	files_list_home(ftpd_t)
296273a7 CP	273	userdom_read_user_home_content_files(ftpd_t)
	274	userdom_manage_user_home_content_dirs(ftpd_t)
	275	userdom_manage_user_home_content_files(ftpd_t)
	276	userdom_manage_user_home_content_symlinks(ftpd_t)
	277	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
fc6524d7 CP	278	')
fc6524d7 CP	279
522b59bb CP	280	tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	281	fs_manage_nfs_files(ftpd_t)
	282	fs_read_nfs_symlinks(ftpd_t)
	283	')
	284
	285	tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	286	fs_manage_cifs_files(ftpd_t)
	287	fs_read_cifs_symlinks(ftpd_t)
	288	')
	289
46551033 CP	290	optional_policy(`
	291	tunable_policy(`ftp_home_dir',`
	292	apache_search_sys_content(ftpd_t)
	293	')
	294	')
	295
bb7170f6	296	optional_policy(`
fc6524d7 CP	297	corecmd_exec_shell(ftpd_t)
fc6524d7 CP	298
77f6e2cd	299	files_read_usr_files(ftpd_t)
fc6524d7	300
3f67f722	301	cron_system_entry(ftpd_t, ftpd_exec_t)
fc6524d7	302
bb7170f6	303	optional_policy(`
fc6524d7 CP	304	logrotate_exec(ftpd_t)
	305	')
	306	')
	307
bb7170f6	308	optional_policy(`
44d5d93f CP	309	daemontools_service_domain(ftpd_t, ftpd_exec_t)
	310	')
	311
09c56f54	312	optional_policy(`
a53c6c65 CP	313	selinux_validate_context(ftpd_t)
	314
	315	kerberos_keytab_template(ftpd, ftpd_t)
	316	kerberos_manage_host_rcache(ftpd_t)
09c56f54 CP	317	')
09c56f54 CP	318
bb7170f6	319	optional_policy(`
0bfccda4	320	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
73ef293b	321
bb7170f6	322	optional_policy(`
56e1b3d2	323	tcpd_domtrans(tcpd_t)
77f6e2cd	324	')
fc6524d7 CP	325	')
fc6524d7 CP	326
a53c6c65 CP	327	optional_policy(`
	328	dbus_system_bus_client(ftpd_t)
	329
	330	optional_policy(`
	331	oddjob_dbus_chat(ftpd_t)
	332	oddjob_domtrans_mkhomedir(ftpd_t)
	333	')
	334	')
	335
bb7170f6	336	optional_policy(`
fc6524d7 CP	337	seutil_sigchld_newrole(ftpd_t)
	338	')
	339
bb7170f6	340	optional_policy(`
fc6524d7 CP	341	udev_read_db(ftpd_t)
fc6524d7 CP	342	')
75fbbb0b CP	343
	344	########################################
	345	#
	346	# ftpdctl local policy
	347	#
	348
	349	# Allow ftpdctl to talk to ftpd over a socket connection
0bfccda4	350	stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
75fbbb0b CP	351
	352	# ftpdctl creates a socket so that the daemon can perform
	353	# access control decisions (see comments in ftpd_t rules above)
	354	allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
	355	files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
	356
	357	# Allow ftpdctl to read config files
	358	files_read_etc_files(ftpdctl_t)
296273a7 CP	359
296273a7 CP	360	userdom_use_user_terminals(ftpdctl_t)
a53c6c65 CP	361
	362	########################################
	363	#
	364	# sftpd local policy
	365	#
	366
	367	files_read_etc_files(sftpd_t)
	368
	369	# allow read access to /home by default
	370	userdom_read_user_home_content_files(sftpd_t)
	371	userdom_read_user_home_content_symlinks(sftpd_t)
	372
	373	tunable_policy(`sftpd_enable_homedirs',`
	374	allow sftpd_t self:capability { dac_override dac_read_search };
	375
	376	# allow access to /home
	377	files_list_home(sftpd_t)
	378	userdom_manage_user_home_content_files(sftpd_t)
	379	userdom_manage_user_home_content_dirs(sftpd_t)
	380	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
	381	')
	382
	383	tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
	384	fs_manage_nfs_dirs(sftpd_t)
	385	fs_manage_nfs_files(sftpd_t)
	386	fs_manage_nfs_symlinks(sftpd_t)
	387	')
	388
	389	tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
	390	fs_manage_cifs_dirs(sftpd_t)
	391	fs_manage_cifs_files(sftpd_t)
	392	fs_manage_cifs_symlinks(sftpd_t)
	393	')
	394
	395	tunable_policy(`sftpd_full_access',`
	396	allow sftpd_t self:capability { dac_override dac_read_search };
	397	fs_read_noxattr_fs_files(sftpd_t)
	398	auth_manage_all_files_except_shadow(sftpd_t)
	399	')
	400
	401	tunable_policy(`use_samba_home_dirs',`
	402	# allow read access to /home by default
	403	fs_list_cifs(sftpd_t)
	404	fs_read_cifs_files(sftpd_t)
	405	fs_read_cifs_symlinks(sftpd_t)
	406	')
	407
	408	tunable_policy(`use_nfs_home_dirs',`
	409	# allow read access to /home by default
	410	fs_list_nfs(sftpd_t)
	411	fs_read_nfs_files(sftpd_t)
	412	fs_read_nfs_symlinks(ftpd_t)
	413	')