Commit | Line | Data |
---|---|---|
29af4c13 | 1 | policy_module(ftp, 1.12.0) |
fc6524d7 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
56e1b3d2 | 8 | ## <desc> |
f33c5066 DW |
9 | ## <p> |
10 | ## Allow ftp servers to upload files, used for public file | |
11 | ## transfer services. Directories must be labeled | |
12 | ## public_content_rw_t. | |
13 | ## </p> | |
56e1b3d2 | 14 | ## </desc> |
0bfccda4 | 15 | gen_tunable(allow_ftpd_anon_write, false) |
56e1b3d2 CP |
16 | |
17 | ## <desc> | |
f33c5066 DW |
18 | ## <p> |
19 | ## Allow ftp servers to log in as local users and | |
20 | ## read/write all files on the system, governed by DAC. | |
21 | ## </p> | |
56e1b3d2 | 22 | ## </desc> |
0bfccda4 | 23 | gen_tunable(allow_ftpd_full_access, false) |
56e1b3d2 CP |
24 | |
25 | ## <desc> | |
f33c5066 DW |
26 | ## <p> |
27 | ## Allow ftp servers to use cifs file systems | |
28 | ## used for public file transfer services. | |
29 | ## </p> | |
56e1b3d2 | 30 | ## </desc> |
0bfccda4 | 31 | gen_tunable(allow_ftpd_use_cifs, false) |
56e1b3d2 CP |
32 | |
33 | ## <desc> | |
f33c5066 DW |
34 | ## <p> |
35 | ## Allow ftp servers to use nfs file systems | |
36 | ## used for public file transfer services. | |
37 | ## </p> | |
56e1b3d2 | 38 | ## </desc> |
0bfccda4 | 39 | gen_tunable(allow_ftpd_use_nfs, false) |
56e1b3d2 | 40 | |
3eaa9939 | 41 | ## <desc> |
f33c5066 DW |
42 | ## <p> |
43 | ## Allow ftp servers to connect to a mysql database | |
44 | ## </p> | |
3eaa9939 DW |
45 | ## </desc> |
46 | gen_tunable(ftpd_connect_db, false) | |
47 | ||
56e1b3d2 | 48 | ## <desc> |
f33c5066 DW |
49 | ## <p> |
50 | ## Allow ftp to read and write files in the user home directories | |
51 | ## </p> | |
56e1b3d2 | 52 | ## </desc> |
0bfccda4 | 53 | gen_tunable(ftp_home_dir, false) |
56e1b3d2 | 54 | |
a53c6c65 | 55 | ## <desc> |
f33c5066 DW |
56 | ## <p> |
57 | ## Allow anonymous internal-sftp to upload files, used for | |
58 | ## public file transfer services. Directories must be labeled | |
59 | ## public_content_rw_t. | |
60 | ## </p> | |
a53c6c65 CP |
61 | ## </desc> |
62 | gen_tunable(sftpd_anon_write, false) | |
63 | ||
64 | ## <desc> | |
f33c5066 DW |
65 | ## <p> |
66 | ## Allow internal-sftp to read and write files | |
67 | ## in the user home directories | |
68 | ## </p> | |
a53c6c65 CP |
69 | ## </desc> |
70 | gen_tunable(sftpd_enable_homedirs, false) | |
71 | ||
72 | ## <desc> | |
f33c5066 DW |
73 | ## <p> |
74 | ## Allow internal-sftp to log in as local users and | |
75 | ## read/write all files on the system, governed by DAC. | |
76 | ## </p> | |
a53c6c65 CP |
77 | ## </desc> |
78 | gen_tunable(sftpd_full_access, false) | |
79 | ||
3eaa9939 | 80 | ## <desc> |
f33c5066 | 81 | ## <p> |
688db17c | 82 | ## Allow internal-sftp to read and write files |
f33c5066 DW |
83 | ## in the user ssh home directories. |
84 | ## </p> | |
3eaa9939 DW |
85 | ## </desc> |
86 | gen_tunable(sftpd_write_ssh_home, false) | |
87 | ||
a53c6c65 CP |
88 | type anon_sftpd_t; |
89 | typealias anon_sftpd_t alias sftpd_anon_t; | |
90 | domain_type(anon_sftpd_t) | |
91 | role system_r types anon_sftpd_t; | |
92 | ||
fc6524d7 CP |
93 | type ftpd_t; |
94 | type ftpd_exec_t; | |
0bfccda4 | 95 | init_daemon_domain(ftpd_t, ftpd_exec_t) |
fc6524d7 CP |
96 | |
97 | type ftpd_etc_t; | |
9bbc757a | 98 | files_config_file(ftpd_etc_t) |
fc6524d7 | 99 | |
967fd1ba CP |
100 | type ftpd_initrc_exec_t; |
101 | init_script_file(ftpd_initrc_exec_t) | |
102 | ||
5afe48a9 DW |
103 | type ftpd_unit_file_t; |
104 | systemd_unit_file(ftpd_unit_file_t) | |
105 | ||
fc6524d7 CP |
106 | type ftpd_lock_t; |
107 | files_lock_file(ftpd_lock_t) | |
108 | ||
109 | type ftpd_tmp_t; | |
110 | files_tmp_file(ftpd_tmp_t) | |
111 | ||
112 | type ftpd_tmpfs_t; | |
113 | files_tmpfs_file(ftpd_tmpfs_t) | |
114 | ||
115 | type ftpd_var_run_t; | |
116 | files_pid_file(ftpd_var_run_t) | |
117 | ||
75fbbb0b CP |
118 | type ftpdctl_t; |
119 | type ftpdctl_exec_t; | |
0bfccda4 | 120 | init_system_domain(ftpdctl_t, ftpdctl_exec_t) |
75fbbb0b CP |
121 | |
122 | type ftpdctl_tmp_t; | |
123 | files_tmp_file(ftpdctl_tmp_t) | |
124 | ||
a53c6c65 CP |
125 | type sftpd_t; |
126 | domain_type(sftpd_t) | |
127 | role system_r types sftpd_t; | |
128 | ||
fc6524d7 CP |
129 | type xferlog_t; |
130 | logging_log_file(xferlog_t) | |
131 | ||
a53c6c65 CP |
132 | ifdef(`enable_mcs',` |
133 | init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) | |
134 | ') | |
135 | ||
3eaa9939 DW |
136 | ifdef(`enable_mls',` |
137 | init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) | |
138 | ') | |
139 | ||
a53c6c65 CP |
140 | ######################################## |
141 | # | |
142 | # anon-sftp local policy | |
143 | # | |
144 | ||
145 | files_read_etc_files(anon_sftpd_t) | |
146 | ||
6e53156f | 147 | miscfiles_read_localization(anon_sftpd_t) |
a53c6c65 CP |
148 | miscfiles_read_public_files(anon_sftpd_t) |
149 | ||
150 | tunable_policy(`sftpd_anon_write',` | |
151 | miscfiles_manage_public_files(anon_sftpd_t) | |
152 | ') | |
153 | ||
fc6524d7 CP |
154 | ######################################## |
155 | # | |
75fbbb0b | 156 | # ftpd local policy |
fc6524d7 CP |
157 | # |
158 | ||
e53e240f | 159 | allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; |
fc6524d7 | 160 | dontaudit ftpd_t self:capability sys_tty_config; |
a53c6c65 | 161 | allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; |
c0868a7a | 162 | allow ftpd_t self:fifo_file rw_fifo_file_perms; |
fc6524d7 | 163 | allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; |
75fbbb0b | 164 | allow ftpd_t self:unix_stream_socket create_stream_socket_perms; |
fc6524d7 CP |
165 | allow ftpd_t self:tcp_socket create_stream_socket_perms; |
166 | allow ftpd_t self:udp_socket create_socket_perms; | |
a53c6c65 CP |
167 | allow ftpd_t self:shm create_shm_perms; |
168 | allow ftpd_t self:key manage_key_perms; | |
fc6524d7 | 169 | |
c0868a7a | 170 | allow ftpd_t ftpd_etc_t:file read_file_perms; |
fc6524d7 | 171 | |
56e1b3d2 | 172 | allow ftpd_t ftpd_lock_t:file manage_file_perms; |
0bfccda4 | 173 | files_lock_filetrans(ftpd_t, ftpd_lock_t, file) |
56e1b3d2 | 174 | |
0bfccda4 CP |
175 | manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) |
176 | manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) | |
fc6524d7 | 177 | |
0bfccda4 CP |
178 | manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) |
179 | manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) | |
180 | manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) | |
181 | manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) | |
182 | manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) | |
183 | fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) | |
fc6524d7 | 184 | |
967fd1ba | 185 | manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) |
0bfccda4 CP |
186 | manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) |
187 | manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) | |
68ac47d8 | 188 | files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) |
e6a2eaff | 189 | |
75fbbb0b CP |
190 | # proftpd requires the client side to bind a socket so that |
191 | # it can stat the socket to perform access control decisions, | |
192 | # since getsockopt with SO_PEERCRED is not available on all | |
193 | # proftpd-supported OSs | |
1dfc76f7 | 194 | allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; |
75fbbb0b | 195 | |
fc6524d7 | 196 | # Create and modify /var/log/xferlog. |
a53c6c65 | 197 | manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) |
0bfccda4 | 198 | logging_log_filetrans(ftpd_t, xferlog_t, file) |
fc6524d7 | 199 | |
445522dc | 200 | kernel_read_kernel_sysctls(ftpd_t) |
fc6524d7 | 201 | kernel_read_system_state(ftpd_t) |
967fd1ba | 202 | kernel_search_network_state(ftpd_t) |
fc6524d7 CP |
203 | |
204 | dev_read_sysfs(ftpd_t) | |
205 | dev_read_urand(ftpd_t) | |
206 | ||
049e11af | 207 | corecmd_exec_bin(ftpd_t) |
fc6524d7 | 208 | |
19006686 CP |
209 | corenet_all_recvfrom_unlabeled(ftpd_t) |
210 | corenet_all_recvfrom_netlabel(ftpd_t) | |
668b3093 CP |
211 | corenet_tcp_sendrecv_generic_if(ftpd_t) |
212 | corenet_udp_sendrecv_generic_if(ftpd_t) | |
c1262146 CP |
213 | corenet_tcp_sendrecv_generic_node(ftpd_t) |
214 | corenet_udp_sendrecv_generic_node(ftpd_t) | |
fc6524d7 CP |
215 | corenet_tcp_sendrecv_all_ports(ftpd_t) |
216 | corenet_udp_sendrecv_all_ports(ftpd_t) | |
c1262146 | 217 | corenet_tcp_bind_generic_node(ftpd_t) |
9a879bd7 | 218 | corenet_tcp_bind_ftp_port(ftpd_t) |
fc6524d7 CP |
219 | corenet_tcp_bind_ftp_data_port(ftpd_t) |
220 | corenet_tcp_bind_generic_port(ftpd_t) | |
a4787777 DW |
221 | corenet_tcp_bind_all_ephemeral_ports(ftpd_t) |
222 | corenet_tcp_connect_all_ephemeral_ports(ftpd_t) | |
9a879bd7 | 223 | corenet_sendrecv_ftp_server_packets(ftpd_t) |
fc6524d7 | 224 | |
15722ec9 | 225 | domain_use_interactive_fds(ftpd_t) |
049e11af CP |
226 | |
227 | files_search_etc(ftpd_t) | |
228 | files_read_etc_files(ftpd_t) | |
229 | files_read_etc_runtime_files(ftpd_t) | |
9e04f5c5 | 230 | files_search_var_lib(ftpd_t) |
049e11af CP |
231 | |
232 | fs_search_auto_mountpoints(ftpd_t) | |
233 | fs_getattr_all_fs(ftpd_t) | |
a53c6c65 | 234 | fs_search_fusefs(ftpd_t) |
049e11af | 235 | |
30467adf | 236 | auth_use_pam(ftpd_t) |
fc6524d7 CP |
237 | #kerberized ftp requires the following |
238 | auth_write_login_records(ftpd_t) | |
09c56f54 | 239 | auth_rw_faillog(ftpd_t) |
67f46f2d | 240 | auth_manage_var_auth(ftpd_t) |
fc6524d7 | 241 | |
d6d16b97 | 242 | init_rw_utmp(ftpd_t) |
fc6524d7 | 243 | |
967fd1ba | 244 | logging_send_audit_msgs(ftpd_t) |
fc6524d7 | 245 | logging_send_syslog_msg(ftpd_t) |
967fd1ba | 246 | logging_set_loginuid(ftpd_t) |
fc6524d7 CP |
247 | |
248 | miscfiles_read_localization(ftpd_t) | |
249 | miscfiles_read_public_files(ftpd_t) | |
250 | ||
251 | seutil_dontaudit_search_config(ftpd_t) | |
252 | ||
253 | sysnet_read_config(ftpd_t) | |
85a0f967 | 254 | sysnet_use_ldap(ftpd_t) |
fc6524d7 | 255 | |
15722ec9 | 256 | userdom_dontaudit_use_unpriv_user_fds(ftpd_t) |
296273a7 | 257 | userdom_dontaudit_search_user_home_dirs(ftpd_t) |
e9c6cda7 | 258 | |
fc6524d7 CP |
259 | tunable_policy(`allow_ftpd_anon_write',` |
260 | miscfiles_manage_public_files(ftpd_t) | |
522b59bb CP |
261 | ') |
262 | ||
263 | tunable_policy(`allow_ftpd_use_cifs',` | |
264 | fs_read_cifs_files(ftpd_t) | |
265 | fs_read_cifs_symlinks(ftpd_t) | |
266 | ') | |
267 | ||
268 | tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` | |
269 | fs_manage_cifs_files(ftpd_t) | |
270 | ') | |
271 | ||
272 | tunable_policy(`allow_ftpd_use_nfs',` | |
273 | fs_read_nfs_files(ftpd_t) | |
274 | fs_read_nfs_symlinks(ftpd_t) | |
275 | ') | |
276 | ||
277 | tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` | |
278 | fs_manage_nfs_files(ftpd_t) | |
279 | ') | |
fc6524d7 | 280 | |
6b19be33 CP |
281 | tunable_policy(`allow_ftpd_full_access',` |
282 | allow ftpd_t self:capability { dac_override dac_read_search }; | |
d500db40 | 283 | files_manage_non_security_files(ftpd_t) |
6b19be33 CP |
284 | ') |
285 | ||
fc6524d7 | 286 | tunable_policy(`ftp_home_dir',` |
165b42d2 CP |
287 | allow ftpd_t self:capability { dac_override dac_read_search }; |
288 | ||
fc6524d7 | 289 | # allow access to /home |
d8636fc9 | 290 | files_list_home(ftpd_t) |
296273a7 | 291 | userdom_read_user_home_content_files(ftpd_t) |
3eaa9939 DW |
292 | userdom_manage_user_home_content(ftpd_t) |
293 | userdom_manage_user_tmp_files(ftpd_t) | |
294 | userdom_tmp_filetrans_user_tmp(ftpd_t, file) | |
68ac47d8 DG |
295 | ',` |
296 | # Needed for permissive mode, to make sure everything gets labeled correctly | |
297 | userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) | |
298 | files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) | |
fc6524d7 CP |
299 | ') |
300 | ||
522b59bb CP |
301 | tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` |
302 | fs_manage_nfs_files(ftpd_t) | |
303 | fs_read_nfs_symlinks(ftpd_t) | |
304 | ') | |
305 | ||
306 | tunable_policy(`ftp_home_dir && use_samba_home_dirs',` | |
307 | fs_manage_cifs_files(ftpd_t) | |
308 | fs_read_cifs_symlinks(ftpd_t) | |
309 | ') | |
310 | ||
46551033 CP |
311 | optional_policy(` |
312 | tunable_policy(`ftp_home_dir',` | |
313 | apache_search_sys_content(ftpd_t) | |
314 | ') | |
315 | ') | |
316 | ||
bb7170f6 | 317 | optional_policy(` |
fc6524d7 CP |
318 | corecmd_exec_shell(ftpd_t) |
319 | ||
77f6e2cd | 320 | files_read_usr_files(ftpd_t) |
fc6524d7 | 321 | |
3f67f722 | 322 | cron_system_entry(ftpd_t, ftpd_exec_t) |
fc6524d7 | 323 | |
bb7170f6 | 324 | optional_policy(` |
fc6524d7 CP |
325 | logrotate_exec(ftpd_t) |
326 | ') | |
327 | ') | |
328 | ||
bb7170f6 | 329 | optional_policy(` |
44d5d93f CP |
330 | daemontools_service_domain(ftpd_t, ftpd_exec_t) |
331 | ') | |
332 | ||
3d1650bf DG |
333 | optional_policy(` |
334 | fail2ban_read_lib_files(ftpd_t) | |
335 | ') | |
336 | ||
09c56f54 | 337 | optional_policy(` |
a53c6c65 CP |
338 | selinux_validate_context(ftpd_t) |
339 | ||
340 | kerberos_keytab_template(ftpd, ftpd_t) | |
341 | kerberos_manage_host_rcache(ftpd_t) | |
09c56f54 CP |
342 | ') |
343 | ||
3eaa9939 DW |
344 | optional_policy(` |
345 | tunable_policy(`ftpd_connect_db',` | |
346 | mysql_stream_connect(ftpd_t) | |
347 | ') | |
348 | ') | |
349 | ||
350 | optional_policy(` | |
351 | tunable_policy(`ftpd_connect_db',` | |
352 | postgresql_stream_connect(ftpd_t) | |
353 | ') | |
354 | ') | |
355 | ||
01ada3cd MG |
356 | optional_policy(` |
357 | tunable_policy(`ftpd_connect_db',` | |
358 | mysql_tcp_connect(ftpd_t) | |
359 | postgresql_tcp_connect(ftpd_t) | |
360 | ') | |
3eaa9939 DW |
361 | ') |
362 | ||
bb7170f6 | 363 | optional_policy(` |
0bfccda4 | 364 | inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) |
73ef293b | 365 | |
bb7170f6 | 366 | optional_policy(` |
56e1b3d2 | 367 | tcpd_domtrans(tcpd_t) |
77f6e2cd | 368 | ') |
fc6524d7 CP |
369 | ') |
370 | ||
a53c6c65 CP |
371 | optional_policy(` |
372 | dbus_system_bus_client(ftpd_t) | |
373 | ||
374 | optional_policy(` | |
375 | oddjob_dbus_chat(ftpd_t) | |
376 | oddjob_domtrans_mkhomedir(ftpd_t) | |
377 | ') | |
378 | ') | |
379 | ||
bb7170f6 | 380 | optional_policy(` |
fc6524d7 CP |
381 | seutil_sigchld_newrole(ftpd_t) |
382 | ') | |
383 | ||
bb7170f6 | 384 | optional_policy(` |
fc6524d7 CP |
385 | udev_read_db(ftpd_t) |
386 | ') | |
75fbbb0b CP |
387 | |
388 | ######################################## | |
389 | # | |
390 | # ftpdctl local policy | |
391 | # | |
392 | ||
393 | # Allow ftpdctl to talk to ftpd over a socket connection | |
0bfccda4 | 394 | stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) |
08c4bb08 | 395 | files_search_pids(ftpdctl_t) |
75fbbb0b CP |
396 | |
397 | # ftpdctl creates a socket so that the daemon can perform | |
398 | # access control decisions (see comments in ftpd_t rules above) | |
1dfc76f7 | 399 | allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; |
75fbbb0b CP |
400 | files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) |
401 | ||
402 | # Allow ftpdctl to read config files | |
403 | files_read_etc_files(ftpdctl_t) | |
296273a7 | 404 | |
af2d8802 | 405 | userdom_use_inherited_user_terminals(ftpdctl_t) |
a53c6c65 CP |
406 | |
407 | ######################################## | |
408 | # | |
409 | # sftpd local policy | |
410 | # | |
68ac47d8 | 411 | |
a53c6c65 CP |
412 | files_read_etc_files(sftpd_t) |
413 | ||
6e53156f DW |
414 | miscfiles_read_localization(sftpd_t) |
415 | ||
a53c6c65 CP |
416 | # allow read access to /home by default |
417 | userdom_read_user_home_content_files(sftpd_t) | |
418 | userdom_read_user_home_content_symlinks(sftpd_t) | |
3eaa9939 DW |
419 | userdom_dontaudit_list_admin_dir(sftpd_t) |
420 | ||
421 | tunable_policy(`sftpd_full_access',` | |
68ac47d8 DG |
422 | allow sftpd_t self:capability { dac_override dac_read_search }; |
423 | fs_read_noxattr_fs_files(sftpd_t) | |
d500db40 | 424 | files_manage_non_security_files(sftpd_t) |
3eaa9939 DW |
425 | ') |
426 | ||
427 | tunable_policy(`sftpd_write_ssh_home',` | |
68ac47d8 | 428 | ssh_manage_home_files(sftpd_t) |
3eaa9939 | 429 | ') |
a53c6c65 CP |
430 | |
431 | tunable_policy(`sftpd_enable_homedirs',` | |
432 | allow sftpd_t self:capability { dac_override dac_read_search }; | |
433 | ||
434 | # allow access to /home | |
435 | files_list_home(sftpd_t) | |
3eaa9939 DW |
436 | userdom_read_user_home_content_files(sftpd_t) |
437 | userdom_manage_user_home_content(sftpd_t) | |
68ac47d8 DG |
438 | ',` |
439 | # Needed for permissive mode, to make sure everything gets labeled correctly | |
440 | userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) | |
a53c6c65 CP |
441 | ') |
442 | ||
443 | tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` | |
444 | fs_manage_nfs_dirs(sftpd_t) | |
445 | fs_manage_nfs_files(sftpd_t) | |
446 | fs_manage_nfs_symlinks(sftpd_t) | |
447 | ') | |
448 | ||
449 | tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` | |
450 | fs_manage_cifs_dirs(sftpd_t) | |
451 | fs_manage_cifs_files(sftpd_t) | |
452 | fs_manage_cifs_symlinks(sftpd_t) | |
453 | ') | |
454 | ||
455 | tunable_policy(`sftpd_full_access',` | |
456 | allow sftpd_t self:capability { dac_override dac_read_search }; | |
457 | fs_read_noxattr_fs_files(sftpd_t) | |
d500db40 | 458 | files_manage_non_security_files(sftpd_t) |
a53c6c65 CP |
459 | ') |
460 | ||
ed2ac112 | 461 | userdom_home_reader(sftpd_t) |