[people/stevee/selinux-policy.git] / policy / modules / services / ftp.te


policy_module(ftp,1.7.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow ftp servers to upload files,  used for public file
## transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write,false)

## <desc>
## <p>
## Allow ftp servers to login to local users and 
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access,false)

## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs,false)

## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs,false)

## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir,false)

type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t,ftpd_exec_t)

type ftpd_etc_t;
files_config_file(ftpd_etc_t)

type ftpd_lock_t;
files_lock_file(ftpd_lock_t)

type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)

type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)

type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)

type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t,ftpdctl_exec_t)

type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

type xferlog_t;
logging_log_file(xferlog_t)

########################################
#
# ftpd local policy
#

allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;

allow ftpd_t ftpd_etc_t:file read_file_perms;

allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)

manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })

manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)

# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:dir search_dir_perms;
allow ftpd_t xferlog_t:file manage_file_perms;
logging_log_filetrans(ftpd_t,xferlog_t,file)

kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)

dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)

corecmd_exec_bin(ftpd_t)

corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
corenet_tcp_sendrecv_all_nodes(ftpd_t)
corenet_udp_sendrecv_all_nodes(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_tcp_bind_all_nodes(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)

domain_use_interactive_fds(ftpd_t)

files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)

fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)

auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)

init_rw_utmp(ftpd_t)

libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)

logging_send_syslog_msg(ftpd_t)

miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

seutil_dontaudit_search_config(ftpd_t)

sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)

userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)

tunable_policy(`allow_ftpd_anon_write',`
	miscfiles_manage_public_files(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs',`
	fs_read_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	fs_manage_cifs_files(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs',`
	fs_read_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	fs_manage_nfs_files(ftpd_t)
')

tunable_policy(`allow_ftpd_full_access',`
	allow ftpd_t self:capability { dac_override dac_read_search };
	auth_manage_all_files_except_shadow(ftpd_t)
')

tunable_policy(`ftp_home_dir',`
	allow ftpd_t self:capability { dac_override dac_read_search };

	# allow access to /home
	files_list_home(ftpd_t)
	userdom_read_all_users_home_content_files(ftpd_t)
	userdom_manage_all_users_home_content_dirs(ftpd_t)
	userdom_manage_all_users_home_content_files(ftpd_t)
	userdom_manage_all_users_home_content_symlinks(ftpd_t)
')

tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	fs_manage_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	fs_manage_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

optional_policy(`
	tunable_policy(`ftp_home_dir',`
		apache_search_sys_content(ftpd_t)
	')
')

optional_policy(`
	corecmd_exec_shell(ftpd_t)

	files_read_usr_files(ftpd_t)

       	cron_system_entry(ftpd_t, ftpd_exec_t)

	optional_policy(`
		logrotate_exec(ftpd_t)
	')
')

optional_policy(`
	daemontools_service_domain(ftpd_t, ftpd_exec_t)
')

optional_policy(`
	kerberos_read_keytab(ftpd_t)
')

optional_policy(`
	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)

	optional_policy(`
		tcpd_domtrans(tcpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(ftpd_t)
')

optional_policy(`
	udev_read_db(ftpd_t)
')

########################################
#
# ftpdctl local policy
#

# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t)

# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

libs_use_ld_so(ftpdctl_t)
libs_use_shared_libs(ftpdctl_t)
Commit	Line	Data
fc6524d7	1
f7925f25	2	policy_module(ftp,1.7.0)
fc6524d7 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
56e1b3d2 CP	10	## <p>
dd9e1de3 CP	11	## Allow ftp servers to upload files, used for public file
	12	## transfer services. Directories must be labeled
	13	## public_content_rw_t.
56e1b3d2 CP	14	## </p>
	15	## </desc>
	16	gen_tunable(allow_ftpd_anon_write,false)
	17
	18	## <desc>
	19	## <p>
	20	## Allow ftp servers to login to local users and
	21	## read/write all files on the system, governed by DAC.
	22	## </p>
	23	## </desc>
	24	gen_tunable(allow_ftpd_full_access,false)
	25
	26	## <desc>
	27	## <p>
	28	## Allow ftp servers to use cifs
	29	## used for public file transfer services.
	30	## </p>
	31	## </desc>
	32	gen_tunable(allow_ftpd_use_cifs,false)
	33
	34	## <desc>
	35	## <p>
	36	## Allow ftp servers to use nfs
	37	## used for public file transfer services.
	38	## </p>
	39	## </desc>
	40	gen_tunable(allow_ftpd_use_nfs,false)
	41
	42	## <desc>
	43	## <p>
	44	## Allow ftp to read and write files in the user home directories
	45	## </p>
	46	## </desc>
	47	gen_tunable(ftp_home_dir,false)
	48
fc6524d7 CP	49	type ftpd_t;
	50	type ftpd_exec_t;
	51	init_daemon_domain(ftpd_t,ftpd_exec_t)
	52
	53	type ftpd_etc_t;
9bbc757a	54	files_config_file(ftpd_etc_t)
fc6524d7	55
fc6524d7 CP	56	type ftpd_lock_t;
	57	files_lock_file(ftpd_lock_t)
	58
	59	type ftpd_tmp_t;
	60	files_tmp_file(ftpd_tmp_t)
	61
	62	type ftpd_tmpfs_t;
	63	files_tmpfs_file(ftpd_tmpfs_t)
	64
	65	type ftpd_var_run_t;
	66	files_pid_file(ftpd_var_run_t)
	67
75fbbb0b CP	68	type ftpdctl_t;
	69	type ftpdctl_exec_t;
	70	init_system_domain(ftpdctl_t,ftpdctl_exec_t)
	71
	72	type ftpdctl_tmp_t;
	73	files_tmp_file(ftpdctl_tmp_t)
	74
fc6524d7 CP	75	type xferlog_t;
	76	logging_log_file(xferlog_t)
	77
	78	########################################
	79	#
75fbbb0b	80	# ftpd local policy
fc6524d7 CP	81	#
	82
	83	allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
	84	dontaudit ftpd_t self:capability sys_tty_config;
	85	allow ftpd_t self:process signal_perms;
	86	allow ftpd_t self:process { getcap setcap setsched setrlimit };
c0868a7a	87	allow ftpd_t self:fifo_file rw_fifo_file_perms;
fc6524d7	88	allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
75fbbb0b	89	allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
fc6524d7 CP	90	allow ftpd_t self:tcp_socket create_stream_socket_perms;
	91	allow ftpd_t self:udp_socket create_socket_perms;
	92
c0868a7a	93	allow ftpd_t ftpd_etc_t:file read_file_perms;
fc6524d7	94
56e1b3d2 CP	95	allow ftpd_t ftpd_lock_t:file manage_file_perms;
	96	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
	97
c0868a7a CP	98	manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
c0868a7a CP	99	manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
103fe280	100	files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
fc6524d7	101
c0868a7a CP	102	manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
	103	manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
	104	manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
	105	manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
	106	manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
103fe280	107	fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fc6524d7	108
c0868a7a CP	109	manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
c0868a7a CP	110	manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
1c1ac67f	111	files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
e6a2eaff	112
75fbbb0b CP	113	# proftpd requires the client side to bind a socket so that
	114	# it can stat the socket to perform access control decisions,
	115	# since getsockopt with SO_PEERCRED is not available on all
	116	# proftpd-supported OSs
	117	allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
	118
fc6524d7	119	# Create and modify /var/log/xferlog.
8cfa5a00	120	allow ftpd_t xferlog_t:dir search_dir_perms;
c0868a7a	121	allow ftpd_t xferlog_t:file manage_file_perms;
1c1ac67f	122	logging_log_filetrans(ftpd_t,xferlog_t,file)
fc6524d7	123
445522dc	124	kernel_read_kernel_sysctls(ftpd_t)
fc6524d7 CP	125	kernel_read_system_state(ftpd_t)
	126
	127	dev_read_sysfs(ftpd_t)
	128	dev_read_urand(ftpd_t)
	129
049e11af	130	corecmd_exec_bin(ftpd_t)
fc6524d7	131
19006686 CP	132	corenet_all_recvfrom_unlabeled(ftpd_t)
19006686 CP	133	corenet_all_recvfrom_netlabel(ftpd_t)
fc6524d7 CP	134	corenet_tcp_sendrecv_all_if(ftpd_t)
fc6524d7 CP	135	corenet_udp_sendrecv_all_if(ftpd_t)
fc6524d7 CP	136	corenet_tcp_sendrecv_all_nodes(ftpd_t)
fc6524d7 CP	137	corenet_udp_sendrecv_all_nodes(ftpd_t)
fc6524d7 CP	138	corenet_tcp_sendrecv_all_ports(ftpd_t)
	139	corenet_udp_sendrecv_all_ports(ftpd_t)
	140	corenet_tcp_bind_all_nodes(ftpd_t)
9a879bd7	141	corenet_tcp_bind_ftp_port(ftpd_t)
fc6524d7 CP	142	corenet_tcp_bind_ftp_data_port(ftpd_t)
fc6524d7 CP	143	corenet_tcp_bind_generic_port(ftpd_t)
6b19be33 CP	144	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
6b19be33 CP	145	corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
fc6524d7	146	corenet_tcp_connect_all_ports(ftpd_t)
9a879bd7	147	corenet_sendrecv_ftp_server_packets(ftpd_t)
fc6524d7	148
15722ec9	149	domain_use_interactive_fds(ftpd_t)
049e11af CP	150
	151	files_search_etc(ftpd_t)
	152	files_read_etc_files(ftpd_t)
	153	files_read_etc_runtime_files(ftpd_t)
9e04f5c5	154	files_search_var_lib(ftpd_t)
049e11af CP	155
	156	fs_search_auto_mountpoints(ftpd_t)
	157	fs_getattr_all_fs(ftpd_t)
	158
049e11af	159	auth_use_nsswitch(ftpd_t)
e6a2eaff	160	auth_domtrans_chk_passwd(ftpd_t)
fc6524d7 CP	161	# Append to /var/log/wtmp.
	162	auth_append_login_records(ftpd_t)
	163	#kerberized ftp requires the following
	164	auth_write_login_records(ftpd_t)
09c56f54	165	auth_rw_faillog(ftpd_t)
fc6524d7	166
d6d16b97	167	init_rw_utmp(ftpd_t)
fc6524d7 CP	168
	169	libs_use_ld_so(ftpd_t)
	170	libs_use_shared_libs(ftpd_t)
	171
	172	logging_send_syslog_msg(ftpd_t)
	173
	174	miscfiles_read_localization(ftpd_t)
	175	miscfiles_read_public_files(ftpd_t)
	176
	177	seutil_dontaudit_search_config(ftpd_t)
	178
	179	sysnet_read_config(ftpd_t)
85a0f967	180	sysnet_use_ldap(ftpd_t)
fc6524d7	181
103fe280	182	userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
15722ec9	183	userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
fc6524d7	184
fc6524d7 CP	185	tunable_policy(`allow_ftpd_anon_write',`
fc6524d7 CP	186	miscfiles_manage_public_files(ftpd_t)
522b59bb CP	187	')
	188
	189	tunable_policy(`allow_ftpd_use_cifs',`
	190	fs_read_cifs_files(ftpd_t)
	191	fs_read_cifs_symlinks(ftpd_t)
	192	')
	193
	194	tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	195	fs_manage_cifs_files(ftpd_t)
	196	')
	197
	198	tunable_policy(`allow_ftpd_use_nfs',`
	199	fs_read_nfs_files(ftpd_t)
	200	fs_read_nfs_symlinks(ftpd_t)
	201	')
	202
	203	tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	204	fs_manage_nfs_files(ftpd_t)
	205	')
fc6524d7	206
6b19be33 CP	207	tunable_policy(`allow_ftpd_full_access',`
	208	allow ftpd_t self:capability { dac_override dac_read_search };
	209	auth_manage_all_files_except_shadow(ftpd_t)
	210	')
	211
fc6524d7	212	tunable_policy(`ftp_home_dir',`
165b42d2 CP	213	allow ftpd_t self:capability { dac_override dac_read_search };
165b42d2 CP	214
fc6524d7	215	# allow access to /home
d8636fc9	216	files_list_home(ftpd_t)
103fe280 CP	217	userdom_read_all_users_home_content_files(ftpd_t)
	218	userdom_manage_all_users_home_content_dirs(ftpd_t)
	219	userdom_manage_all_users_home_content_files(ftpd_t)
	220	userdom_manage_all_users_home_content_symlinks(ftpd_t)
fc6524d7 CP	221	')
fc6524d7 CP	222
522b59bb CP	223	tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	224	fs_manage_nfs_files(ftpd_t)
	225	fs_read_nfs_symlinks(ftpd_t)
	226	')
	227
	228	tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	229	fs_manage_cifs_files(ftpd_t)
	230	fs_read_cifs_symlinks(ftpd_t)
	231	')
	232
46551033 CP	233	optional_policy(`
	234	tunable_policy(`ftp_home_dir',`
	235	apache_search_sys_content(ftpd_t)
	236	')
	237	')
	238
bb7170f6	239	optional_policy(`
fc6524d7 CP	240	corecmd_exec_shell(ftpd_t)
fc6524d7 CP	241
77f6e2cd	242	files_read_usr_files(ftpd_t)
fc6524d7 CP	243
	244	cron_system_entry(ftpd_t, ftpd_exec_t)
	245
bb7170f6	246	optional_policy(`
fc6524d7 CP	247	logrotate_exec(ftpd_t)
	248	')
	249	')
	250
bb7170f6	251	optional_policy(`
44d5d93f CP	252	daemontools_service_domain(ftpd_t, ftpd_exec_t)
	253	')
	254
09c56f54 CP	255	optional_policy(`
	256	kerberos_read_keytab(ftpd_t)
	257	')
	258
bb7170f6	259	optional_policy(`
73ef293b CP	260	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
73ef293b CP	261
bb7170f6	262	optional_policy(`
56e1b3d2	263	tcpd_domtrans(tcpd_t)
77f6e2cd	264	')
fc6524d7 CP	265	')
fc6524d7 CP	266
bb7170f6	267	optional_policy(`
fc6524d7 CP	268	seutil_sigchld_newrole(ftpd_t)
	269	')
	270
bb7170f6	271	optional_policy(`
fc6524d7 CP	272	udev_read_db(ftpd_t)
fc6524d7 CP	273	')
75fbbb0b CP	274
	275	########################################
	276	#
	277	# ftpdctl local policy
	278	#
	279
	280	# Allow ftpdctl to talk to ftpd over a socket connection
c0868a7a	281	stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t)
75fbbb0b CP	282
	283	# ftpdctl creates a socket so that the daemon can perform
	284	# access control decisions (see comments in ftpd_t rules above)
	285	allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
	286	files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
	287
	288	# Allow ftpdctl to read config files
	289	files_read_etc_files(ftpdctl_t)
	290
	291	libs_use_ld_so(ftpdctl_t)
	292	libs_use_shared_libs(ftpdctl_t)