fc6524d7 | 1 | |
f7925f25 | 2 | policy_module(ftp,1.7.0) |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | ## <desc> |
10 | ## <p> | |
11 | ## Allow ftp servers to upload files, used for public file |
12 | ## transfer services. Directories must be labeled | |
13 | ## public_content_rw_t. | |
14 | ## </p> |
15 | ## </desc> | |
16 | gen_tunable(allow_ftpd_anon_write,false) | |
17 | ||
18 | ## <desc> | |
19 | ## <p> | |
20 | ## Allow ftp servers to log in as local users and | |
21 | ## read/write all files on the system, governed by DAC. | |
22 | ## </p> | |
23 | ## </desc> | |
24 | gen_tunable(allow_ftpd_full_access,false) | |
25 | ||
26 | ## <desc> | |
27 | ## <p> | |
28 | ## Allow ftp servers to use cifs, | |
29 | ## used for public file transfer services. | |
30 | ## </p> | |
31 | ## </desc> | |
32 | gen_tunable(allow_ftpd_use_cifs,false) | |
33 | ||
34 | ## <desc> | |
35 | ## <p> | |
36 | ## Allow ftp servers to use nfs, | |
37 | ## used for public file transfer services. | |
38 | ## </p> | |
39 | ## </desc> | |
40 | gen_tunable(allow_ftpd_use_nfs,false) | |
41 | ||
42 | ## <desc> | |
43 | ## <p> | |
44 | ## Allow ftp to read and write files in the user home directories | |
45 | ## </p> | |
46 | ## </desc> | |
47 | gen_tunable(ftp_home_dir,false) | |
48 | ||
49 | type ftpd_t; |
50 | type ftpd_exec_t; | |
51 | init_daemon_domain(ftpd_t,ftpd_exec_t) | |
52 | ||
53 | type ftpd_etc_t; | |
9bbc757a | 54 | files_config_file(ftpd_etc_t) |
fc6524d7 | 55 | |
56 | type ftpd_lock_t; |
57 | files_lock_file(ftpd_lock_t) | |
58 | ||
59 | type ftpd_tmp_t; | |
60 | files_tmp_file(ftpd_tmp_t) | |
61 | ||
62 | type ftpd_tmpfs_t; | |
63 | files_tmpfs_file(ftpd_tmpfs_t) | |
64 | ||
65 | type ftpd_var_run_t; | |
66 | files_pid_file(ftpd_var_run_t) | |
67 | ||
68 | type ftpdctl_t; |
69 | type ftpdctl_exec_t; | |
70 | init_system_domain(ftpdctl_t,ftpdctl_exec_t) | |
71 | ||
72 | type ftpdctl_tmp_t; | |
73 | files_tmp_file(ftpdctl_tmp_t) | |
74 | ||
75 | type xferlog_t; |
76 | logging_log_file(xferlog_t) | |
77 | ||
78 | ######################################## | |
79 | # | |
75fbbb0b | 80 | # ftpd local policy |
81 | # |
82 | ||
83 | allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; | |
84 | dontaudit ftpd_t self:capability sys_tty_config; | |
85 | allow ftpd_t self:process signal_perms; | |
86 | allow ftpd_t self:process { getcap setcap setsched setrlimit }; | |
c0868a7a | 87 | allow ftpd_t self:fifo_file rw_fifo_file_perms; |
fc6524d7 | 88 | allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; |
75fbbb0b | 89 | allow ftpd_t self:unix_stream_socket create_stream_socket_perms; |
90 | allow ftpd_t self:tcp_socket create_stream_socket_perms; |
91 | allow ftpd_t self:udp_socket create_socket_perms; | |
92 | ||
c0868a7a | 93 | allow ftpd_t ftpd_etc_t:file read_file_perms; |
fc6524d7 | 94 | |
95 | allow ftpd_t ftpd_lock_t:file manage_file_perms; |
96 | files_lock_filetrans(ftpd_t,ftpd_lock_t,file) | |
97 | ||
98 | manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) |
99 | manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) | |
103fe280 | 100 | files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) |
fc6524d7 | 101 | |
102 | manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) |
103 | manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
104 | manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
105 | manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
106 | manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) | |
103fe280 | 107 | fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) |
fc6524d7 | 108 | |
109 | manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) |
110 | manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) | |
1c1ac67f | 111 | files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) |
e6a2eaff | 112 | |
113 | # proftpd requires the client side to bind a socket so that |
114 | # it can stat the socket to perform access control decisions, | |
115 | # since getsockopt with SO_PEERCRED is not available on all | |
116 | # proftpd-supported OSs | |
117 | allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; | |
118 | ||
fc6524d7 | 119 | # Create and modify /var/log/xferlog. |
8cfa5a00 | 120 | allow ftpd_t xferlog_t:dir search_dir_perms; |
c0868a7a | 121 | allow ftpd_t xferlog_t:file manage_file_perms; |
1c1ac67f | 122 | logging_log_filetrans(ftpd_t,xferlog_t,file) |
fc6524d7 | 123 | |
445522dc | 124 | kernel_read_kernel_sysctls(ftpd_t) |
125 | kernel_read_system_state(ftpd_t) |
126 | ||
127 | dev_read_sysfs(ftpd_t) | |
128 | dev_read_urand(ftpd_t) | |
129 | ||
049e11af | 130 | corecmd_exec_bin(ftpd_t) |
fc6524d7 | 131 | |
132 | corenet_all_recvfrom_unlabeled(ftpd_t) |
133 | corenet_all_recvfrom_netlabel(ftpd_t) | |
134 | corenet_tcp_sendrecv_all_if(ftpd_t) |
135 | corenet_udp_sendrecv_all_if(ftpd_t) | |
136 | corenet_tcp_sendrecv_all_nodes(ftpd_t) |
137 | corenet_udp_sendrecv_all_nodes(ftpd_t) | |
138 | corenet_tcp_sendrecv_all_ports(ftpd_t) |
139 | corenet_udp_sendrecv_all_ports(ftpd_t) | |
140 | corenet_tcp_bind_all_nodes(ftpd_t) | |
9a879bd7 | 141 | corenet_tcp_bind_ftp_port(ftpd_t) |
142 | corenet_tcp_bind_ftp_data_port(ftpd_t) |
143 | corenet_tcp_bind_generic_port(ftpd_t) | |
144 | corenet_tcp_bind_all_unreserved_ports(ftpd_t) |
145 | corenet_dontaudit_tcp_bind_all_ports(ftpd_t) | |
fc6524d7 | 146 | corenet_tcp_connect_all_ports(ftpd_t) |
9a879bd7 | 147 | corenet_sendrecv_ftp_server_packets(ftpd_t) |
fc6524d7 | 148 | |
15722ec9 | 149 | domain_use_interactive_fds(ftpd_t) |
150 | |
151 | files_search_etc(ftpd_t) | |
152 | files_read_etc_files(ftpd_t) | |
153 | files_read_etc_runtime_files(ftpd_t) | |
9e04f5c5 | 154 | files_search_var_lib(ftpd_t) |
155 | |
156 | fs_search_auto_mountpoints(ftpd_t) | |
157 | fs_getattr_all_fs(ftpd_t) | |
158 | ||
049e11af | 159 | auth_use_nsswitch(ftpd_t) |
e6a2eaff | 160 | auth_domtrans_chk_passwd(ftpd_t) |
161 | # Append to /var/log/wtmp. |
162 | auth_append_login_records(ftpd_t) | |
163 | # Kerberized ftp requires the following | |
164 | auth_write_login_records(ftpd_t) | |
09c56f54 | 165 | auth_rw_faillog(ftpd_t) |
fc6524d7 | 166 | |
d6d16b97 | 167 | init_rw_utmp(ftpd_t) |
168 | |
169 | libs_use_ld_so(ftpd_t) | |
170 | libs_use_shared_libs(ftpd_t) | |
171 | ||
172 | logging_send_syslog_msg(ftpd_t) | |
173 | ||
174 | miscfiles_read_localization(ftpd_t) | |
175 | miscfiles_read_public_files(ftpd_t) | |
176 | ||
177 | seutil_dontaudit_search_config(ftpd_t) | |
178 | ||
179 | sysnet_read_config(ftpd_t) | |
85a0f967 | 180 | sysnet_use_ldap(ftpd_t) |
fc6524d7 | 181 | |
103fe280 | 182 | userdom_dontaudit_search_sysadm_home_dirs(ftpd_t) |
15722ec9 | 183 | userdom_dontaudit_use_unpriv_user_fds(ftpd_t) |
fc6524d7 | 184 | |
185 | tunable_policy(`allow_ftpd_anon_write',` |
186 | miscfiles_manage_public_files(ftpd_t) | |
187 | ') |
188 | ||
189 | tunable_policy(`allow_ftpd_use_cifs',` | |
190 | fs_read_cifs_files(ftpd_t) | |
191 | fs_read_cifs_symlinks(ftpd_t) | |
192 | ') | |
193 | ||
194 | tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` | |
195 | fs_manage_cifs_files(ftpd_t) | |
196 | ') | |
197 | ||
198 | tunable_policy(`allow_ftpd_use_nfs',` | |
199 | fs_read_nfs_files(ftpd_t) | |
200 | fs_read_nfs_symlinks(ftpd_t) | |
201 | ') | |
202 | ||
203 | tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` | |
204 | fs_manage_nfs_files(ftpd_t) | |
205 | ') | |
fc6524d7 | 206 | |
207 | tunable_policy(`allow_ftpd_full_access',` |
208 | allow ftpd_t self:capability { dac_override dac_read_search }; | |
209 | auth_manage_all_files_except_shadow(ftpd_t) | |
210 | ') | |
211 | ||
fc6524d7 | 212 | tunable_policy(`ftp_home_dir',` |
213 | allow ftpd_t self:capability { dac_override dac_read_search }; |
214 | ||
fc6524d7 | 215 | # Allow access to /home |
d8636fc9 | 216 | files_list_home(ftpd_t) |
217 | userdom_read_all_users_home_content_files(ftpd_t) |
218 | userdom_manage_all_users_home_content_dirs(ftpd_t) | |
219 | userdom_manage_all_users_home_content_files(ftpd_t) | |
220 | userdom_manage_all_users_home_content_symlinks(ftpd_t) | |
221 | ') |
222 | ||
223 | tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` |
224 | fs_manage_nfs_files(ftpd_t) | |
225 | fs_read_nfs_symlinks(ftpd_t) | |
226 | ') | |
227 | ||
228 | tunable_policy(`ftp_home_dir && use_samba_home_dirs',` | |
229 | fs_manage_cifs_files(ftpd_t) | |
230 | fs_read_cifs_symlinks(ftpd_t) | |
231 | ') | |
232 | ||
233 | optional_policy(` |
234 | tunable_policy(`ftp_home_dir',` | |
235 | apache_search_sys_content(ftpd_t) | |
236 | ') | |
237 | ') | |
238 | ||
bb7170f6 | 239 | optional_policy(` |
240 | corecmd_exec_shell(ftpd_t) |
241 | ||
77f6e2cd | 242 | files_read_usr_files(ftpd_t) |
243 | |
244 | cron_system_entry(ftpd_t, ftpd_exec_t) | |
245 | ||
bb7170f6 | 246 | optional_policy(` |
247 | logrotate_exec(ftpd_t) |
248 | ') | |
249 | ') | |
250 | ||
bb7170f6 | 251 | optional_policy(` |
252 | daemontools_service_domain(ftpd_t, ftpd_exec_t) |
253 | ') | |
254 | ||
255 | optional_policy(` |
256 | kerberos_read_keytab(ftpd_t) | |
257 | ') | |
258 | ||
bb7170f6 | 259 | optional_policy(` |
260 | inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) |
261 | ||
bb7170f6 | 262 | optional_policy(` |
56e1b3d2 | 263 | tcpd_domtrans(tcpd_t) |
77f6e2cd | 264 | ') |
265 | ') |
266 | ||
bb7170f6 | 267 | optional_policy(` |
268 | seutil_sigchld_newrole(ftpd_t) |
269 | ') | |
270 | ||
bb7170f6 | 271 | optional_policy(` |
272 | udev_read_db(ftpd_t) |
273 | ') | |
274 | |
275 | ######################################## | |
276 | # | |
277 | # ftpdctl local policy | |
278 | # | |
279 | ||
280 | # Allow ftpdctl to talk to ftpd over a socket connection | |
c0868a7a | 281 | stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t) |
282 | |
283 | # ftpdctl creates a socket so that the daemon can perform | |
284 | # access control decisions (see comments in ftpd_t rules above) | |
285 | allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; | |
286 | files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) | |
287 | ||
288 | # Allow ftpdctl to read config files | |
289 | files_read_etc_files(ftpdctl_t) | |
290 | ||
291 | libs_use_ld_so(ftpdctl_t) | |
292 | libs_use_shared_libs(ftpdctl_t) |