[people/stevee/selinux-policy.git] / policy / modules / services / ftp.te

policy_module(ftp, 1.12.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow ftp servers to upload files,  used for public file
## transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)

## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)

## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)

## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)

## <desc>
## <p>
## Allow ftp servers to use connect to mysql database
## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)

## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir, false)

## <desc>
## <p>
## Allow anon internal-sftp to upload files, used for
## public file transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)

## <desc>
## <p>
## Allow sftp-internal to read and write files
## in the user home directories
## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)

## <desc>
## <p>
## Allow sftp-internal to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(sftpd_full_access, false)

## <desc>
## <p>
## Allow internal-sftp to read and write files 
## in the user ssh home directories.
## </p>
## </desc>
gen_tunable(sftpd_write_ssh_home, false)

type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
role system_r types anon_sftpd_t;

type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)

type ftpd_etc_t;
files_config_file(ftpd_etc_t)

type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)

type ftpd_unit_file_t;
systemd_unit_file(ftpd_unit_file_t)

type ftpd_lock_t;
files_lock_file(ftpd_lock_t)

type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)

type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)

type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)

type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t, ftpdctl_exec_t)

type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;

type xferlog_t;
logging_log_file(xferlog_t)

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
')

########################################
#
# anon-sftp local policy
#

files_read_etc_files(anon_sftpd_t)

miscfiles_read_localization(anon_sftpd_t)
miscfiles_read_public_files(anon_sftpd_t)

tunable_policy(`sftpd_anon_write',`
	miscfiles_manage_public_files(anon_sftpd_t)
')

########################################
#
# ftpd local policy
#

allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;

allow ftpd_t ftpd_etc_t:file read_file_perms;

allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)

manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)

manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })

# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;

# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)

kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
kernel_search_network_state(ftpd_t)

dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)

corecmd_exec_bin(ftpd_t)

corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
corenet_tcp_sendrecv_generic_node(ftpd_t)
corenet_udp_sendrecv_generic_node(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)

domain_use_interactive_fds(ftpd_t)

files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)

fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)

auth_use_pam(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)
auth_manage_var_auth(ftpd_t)

init_rw_utmp(ftpd_t)

logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)

miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

seutil_dontaudit_search_config(ftpd_t)

sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)

userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)

tunable_policy(`allow_ftpd_anon_write',`
	miscfiles_manage_public_files(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs',`
	fs_read_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	fs_manage_cifs_files(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs',`
	fs_read_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	fs_manage_nfs_files(ftpd_t)
')

tunable_policy(`allow_ftpd_full_access',`
	allow ftpd_t self:capability { dac_override dac_read_search };
	files_manage_non_security_files(ftpd_t)
')

tunable_policy(`ftp_home_dir',`
	allow ftpd_t self:capability { dac_override dac_read_search };

	# allow access to /home
	files_list_home(ftpd_t)
	userdom_read_user_home_content_files(ftpd_t)
	userdom_manage_user_home_content(ftpd_t)
	userdom_manage_user_tmp_files(ftpd_t)
	userdom_tmp_filetrans_user_tmp(ftpd_t, file)
',`
	# Needed for permissive mode, to make sure everything gets labeled correctly
	userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
	files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')

tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	fs_manage_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	fs_manage_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

optional_policy(`
	tunable_policy(`ftp_home_dir',`
		apache_search_sys_content(ftpd_t)
	')
')

optional_policy(`
	corecmd_exec_shell(ftpd_t)

	files_read_usr_files(ftpd_t)

	cron_system_entry(ftpd_t, ftpd_exec_t)

	optional_policy(`
		logrotate_exec(ftpd_t)
	')
')

optional_policy(`
	daemontools_service_domain(ftpd_t, ftpd_exec_t)
')

optional_policy(`
	fail2ban_read_lib_files(ftpd_t)
')

optional_policy(`
	selinux_validate_context(ftpd_t)

	kerberos_keytab_template(ftpd, ftpd_t)
	kerberos_manage_host_rcache(ftpd_t)
')

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		mysql_stream_connect(ftpd_t)
	')
')

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		postgresql_stream_connect(ftpd_t)
	')
')

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		mysql_tcp_connect(ftpd_t)
		postgresql_tcp_connect(ftpd_t)
	')
')

optional_policy(`
	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)

	optional_policy(`
		tcpd_domtrans(tcpd_t)
	')
')

optional_policy(`
	dbus_system_bus_client(ftpd_t)

	optional_policy(`
		oddjob_dbus_chat(ftpd_t)
		oddjob_domtrans_mkhomedir(ftpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(ftpd_t)
')

optional_policy(`
	udev_read_db(ftpd_t)
')

########################################
#
# ftpdctl local policy
#

# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
files_search_pids(ftpdctl_t)

# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

userdom_use_inherited_user_terminals(ftpdctl_t)

########################################
#
# sftpd local policy
#

files_read_etc_files(sftpd_t)

miscfiles_read_localization(sftpd_t)

# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
userdom_dontaudit_list_admin_dir(sftpd_t)

tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	files_manage_non_security_files(sftpd_t)
')

tunable_policy(`sftpd_write_ssh_home',`
	ssh_manage_home_files(sftpd_t)
')

tunable_policy(`sftpd_enable_homedirs',`
	allow sftpd_t self:capability { dac_override dac_read_search };

	# allow access to /home
	files_list_home(sftpd_t)
	userdom_read_user_home_content_files(sftpd_t)
	userdom_manage_user_home_content(sftpd_t)
',`
	# Needed for permissive mode, to make sure everything gets labeled correctly
	userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')

tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
	fs_manage_nfs_dirs(sftpd_t)
	fs_manage_nfs_files(sftpd_t)
	fs_manage_nfs_symlinks(sftpd_t)
')

tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
	fs_manage_cifs_dirs(sftpd_t)
	fs_manage_cifs_files(sftpd_t)
	fs_manage_cifs_symlinks(sftpd_t)
')

tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	files_manage_non_security_files(sftpd_t)
')

userdom_home_reader(sftpd_t)
Commit	Line	Data
29af4c13	1	policy_module(ftp, 1.12.0)
fc6524d7 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
56e1b3d2	8	## <desc>
f33c5066 DW	9	## <p>
	10	## Allow ftp servers to upload files, used for public file
	11	## transfer services. Directories must be labeled
	12	## public_content_rw_t.
	13	## </p>
56e1b3d2	14	## </desc>
0bfccda4	15	gen_tunable(allow_ftpd_anon_write, false)
56e1b3d2 CP	16
56e1b3d2 CP	17	## <desc>
f33c5066 DW	18	## <p>
	19	## Allow ftp servers to login to local users and
	20	## read/write all files on the system, governed by DAC.
	21	## </p>
56e1b3d2	22	## </desc>
0bfccda4	23	gen_tunable(allow_ftpd_full_access, false)
56e1b3d2 CP	24
56e1b3d2 CP	25	## <desc>
f33c5066 DW	26	## <p>
	27	## Allow ftp servers to use cifs
	28	## used for public file transfer services.
	29	## </p>
56e1b3d2	30	## </desc>
0bfccda4	31	gen_tunable(allow_ftpd_use_cifs, false)
56e1b3d2 CP	32
56e1b3d2 CP	33	## <desc>
f33c5066 DW	34	## <p>
	35	## Allow ftp servers to use nfs
	36	## used for public file transfer services.
	37	## </p>
56e1b3d2	38	## </desc>
0bfccda4	39	gen_tunable(allow_ftpd_use_nfs, false)
56e1b3d2	40
3eaa9939	41	## <desc>
f33c5066 DW	42	## <p>
	43	## Allow ftp servers to use connect to mysql database
	44	## </p>
3eaa9939 DW	45	## </desc>
	46	gen_tunable(ftpd_connect_db, false)
	47
56e1b3d2	48	## <desc>
f33c5066 DW	49	## <p>
	50	## Allow ftp to read and write files in the user home directories
	51	## </p>
56e1b3d2	52	## </desc>
0bfccda4	53	gen_tunable(ftp_home_dir, false)
56e1b3d2	54
a53c6c65	55	## <desc>
f33c5066 DW	56	## <p>
	57	## Allow anon internal-sftp to upload files, used for
	58	## public file transfer services. Directories must be labeled
	59	## public_content_rw_t.
	60	## </p>
a53c6c65 CP	61	## </desc>
	62	gen_tunable(sftpd_anon_write, false)
	63
	64	## <desc>
f33c5066 DW	65	## <p>
	66	## Allow sftp-internal to read and write files
	67	## in the user home directories
	68	## </p>
a53c6c65 CP	69	## </desc>
	70	gen_tunable(sftpd_enable_homedirs, false)
	71
	72	## <desc>
f33c5066 DW	73	## <p>
	74	## Allow sftp-internal to login to local users and
	75	## read/write all files on the system, governed by DAC.
	76	## </p>
a53c6c65 CP	77	## </desc>
	78	gen_tunable(sftpd_full_access, false)
	79
3eaa9939	80	## <desc>
f33c5066	81	## <p>
688db17c	82	## Allow internal-sftp to read and write files
f33c5066 DW	83	## in the user ssh home directories.
f33c5066 DW	84	## </p>
3eaa9939 DW	85	## </desc>
	86	gen_tunable(sftpd_write_ssh_home, false)
	87
a53c6c65 CP	88	type anon_sftpd_t;
	89	typealias anon_sftpd_t alias sftpd_anon_t;
	90	domain_type(anon_sftpd_t)
	91	role system_r types anon_sftpd_t;
	92
fc6524d7 CP	93	type ftpd_t;
fc6524d7 CP	94	type ftpd_exec_t;
0bfccda4	95	init_daemon_domain(ftpd_t, ftpd_exec_t)
fc6524d7 CP	96
fc6524d7 CP	97	type ftpd_etc_t;
9bbc757a	98	files_config_file(ftpd_etc_t)
fc6524d7	99
967fd1ba CP	100	type ftpd_initrc_exec_t;
	101	init_script_file(ftpd_initrc_exec_t)
	102
5afe48a9 DW	103	type ftpd_unit_file_t;
	104	systemd_unit_file(ftpd_unit_file_t)
	105
fc6524d7 CP	106	type ftpd_lock_t;
	107	files_lock_file(ftpd_lock_t)
	108
	109	type ftpd_tmp_t;
	110	files_tmp_file(ftpd_tmp_t)
	111
	112	type ftpd_tmpfs_t;
	113	files_tmpfs_file(ftpd_tmpfs_t)
	114
	115	type ftpd_var_run_t;
	116	files_pid_file(ftpd_var_run_t)
	117
75fbbb0b CP	118	type ftpdctl_t;
75fbbb0b CP	119	type ftpdctl_exec_t;
0bfccda4	120	init_system_domain(ftpdctl_t, ftpdctl_exec_t)
75fbbb0b CP	121
	122	type ftpdctl_tmp_t;
	123	files_tmp_file(ftpdctl_tmp_t)
	124
a53c6c65 CP	125	type sftpd_t;
	126	domain_type(sftpd_t)
	127	role system_r types sftpd_t;
	128
fc6524d7 CP	129	type xferlog_t;
	130	logging_log_file(xferlog_t)
	131
a53c6c65 CP	132	ifdef(`enable_mcs',`
	133	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
	134	')
	135
3eaa9939 DW	136	ifdef(`enable_mls',`
	137	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
	138	')
	139
a53c6c65 CP	140	########################################
	141	#
	142	# anon-sftp local policy
	143	#
	144
	145	files_read_etc_files(anon_sftpd_t)
	146
6e53156f	147	miscfiles_read_localization(anon_sftpd_t)
a53c6c65 CP	148	miscfiles_read_public_files(anon_sftpd_t)
	149
	150	tunable_policy(`sftpd_anon_write',`
	151	miscfiles_manage_public_files(anon_sftpd_t)
	152	')
	153
fc6524d7 CP	154	########################################
fc6524d7 CP	155	#
75fbbb0b	156	# ftpd local policy
fc6524d7 CP	157	#
fc6524d7 CP	158
e53e240f	159	allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
fc6524d7	160	dontaudit ftpd_t self:capability sys_tty_config;
a53c6c65	161	allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
c0868a7a	162	allow ftpd_t self:fifo_file rw_fifo_file_perms;
fc6524d7	163	allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
75fbbb0b	164	allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
fc6524d7 CP	165	allow ftpd_t self:tcp_socket create_stream_socket_perms;
fc6524d7 CP	166	allow ftpd_t self:udp_socket create_socket_perms;
a53c6c65 CP	167	allow ftpd_t self:shm create_shm_perms;
a53c6c65 CP	168	allow ftpd_t self:key manage_key_perms;
fc6524d7	169
c0868a7a	170	allow ftpd_t ftpd_etc_t:file read_file_perms;
fc6524d7	171
56e1b3d2	172	allow ftpd_t ftpd_lock_t:file manage_file_perms;
0bfccda4	173	files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
56e1b3d2	174
0bfccda4 CP	175	manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
0bfccda4 CP	176	manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
fc6524d7	177
0bfccda4 CP	178	manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	179	manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	180	manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	181	manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	182	manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
	183	fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
fc6524d7	184
967fd1ba	185	manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
0bfccda4 CP	186	manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
0bfccda4 CP	187	manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
68ac47d8	188	files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
e6a2eaff	189
75fbbb0b CP	190	# proftpd requires the client side to bind a socket so that
	191	# it can stat the socket to perform access control decisions,
	192	# since getsockopt with SO_PEERCRED is not available on all
	193	# proftpd-supported OSs
1dfc76f7	194	allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
75fbbb0b	195
fc6524d7	196	# Create and modify /var/log/xferlog.
a53c6c65	197	manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
0bfccda4	198	logging_log_filetrans(ftpd_t, xferlog_t, file)
fc6524d7	199
445522dc	200	kernel_read_kernel_sysctls(ftpd_t)
fc6524d7	201	kernel_read_system_state(ftpd_t)
967fd1ba	202	kernel_search_network_state(ftpd_t)
fc6524d7 CP	203
	204	dev_read_sysfs(ftpd_t)
	205	dev_read_urand(ftpd_t)
	206
049e11af	207	corecmd_exec_bin(ftpd_t)
fc6524d7	208
19006686 CP	209	corenet_all_recvfrom_unlabeled(ftpd_t)
19006686 CP	210	corenet_all_recvfrom_netlabel(ftpd_t)
668b3093 CP	211	corenet_tcp_sendrecv_generic_if(ftpd_t)
668b3093 CP	212	corenet_udp_sendrecv_generic_if(ftpd_t)
c1262146 CP	213	corenet_tcp_sendrecv_generic_node(ftpd_t)
c1262146 CP	214	corenet_udp_sendrecv_generic_node(ftpd_t)
fc6524d7 CP	215	corenet_tcp_sendrecv_all_ports(ftpd_t)
fc6524d7 CP	216	corenet_udp_sendrecv_all_ports(ftpd_t)
c1262146	217	corenet_tcp_bind_generic_node(ftpd_t)
9a879bd7	218	corenet_tcp_bind_ftp_port(ftpd_t)
fc6524d7 CP	219	corenet_tcp_bind_ftp_data_port(ftpd_t)
fc6524d7 CP	220	corenet_tcp_bind_generic_port(ftpd_t)
a4787777 DW	221	corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
a4787777 DW	222	corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
9a879bd7	223	corenet_sendrecv_ftp_server_packets(ftpd_t)
fc6524d7	224
15722ec9	225	domain_use_interactive_fds(ftpd_t)
049e11af CP	226
	227	files_search_etc(ftpd_t)
	228	files_read_etc_files(ftpd_t)
	229	files_read_etc_runtime_files(ftpd_t)
9e04f5c5	230	files_search_var_lib(ftpd_t)
049e11af CP	231
	232	fs_search_auto_mountpoints(ftpd_t)
	233	fs_getattr_all_fs(ftpd_t)
a53c6c65	234	fs_search_fusefs(ftpd_t)
049e11af	235
30467adf	236	auth_use_pam(ftpd_t)
fc6524d7 CP	237	#kerberized ftp requires the following
fc6524d7 CP	238	auth_write_login_records(ftpd_t)
09c56f54	239	auth_rw_faillog(ftpd_t)
67f46f2d	240	auth_manage_var_auth(ftpd_t)
fc6524d7	241
d6d16b97	242	init_rw_utmp(ftpd_t)
fc6524d7	243
967fd1ba	244	logging_send_audit_msgs(ftpd_t)
fc6524d7	245	logging_send_syslog_msg(ftpd_t)
967fd1ba	246	logging_set_loginuid(ftpd_t)
fc6524d7 CP	247
	248	miscfiles_read_localization(ftpd_t)
	249	miscfiles_read_public_files(ftpd_t)
	250
	251	seutil_dontaudit_search_config(ftpd_t)
	252
	253	sysnet_read_config(ftpd_t)
85a0f967	254	sysnet_use_ldap(ftpd_t)
fc6524d7	255
15722ec9	256	userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
296273a7	257	userdom_dontaudit_search_user_home_dirs(ftpd_t)
e9c6cda7	258
fc6524d7 CP	259	tunable_policy(`allow_ftpd_anon_write',`
fc6524d7 CP	260	miscfiles_manage_public_files(ftpd_t)
522b59bb CP	261	')
	262
	263	tunable_policy(`allow_ftpd_use_cifs',`
	264	fs_read_cifs_files(ftpd_t)
	265	fs_read_cifs_symlinks(ftpd_t)
	266	')
	267
	268	tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	269	fs_manage_cifs_files(ftpd_t)
	270	')
	271
	272	tunable_policy(`allow_ftpd_use_nfs',`
	273	fs_read_nfs_files(ftpd_t)
	274	fs_read_nfs_symlinks(ftpd_t)
	275	')
	276
	277	tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	278	fs_manage_nfs_files(ftpd_t)
	279	')
fc6524d7	280
6b19be33 CP	281	tunable_policy(`allow_ftpd_full_access',`
6b19be33 CP	282	allow ftpd_t self:capability { dac_override dac_read_search };
d500db40	283	files_manage_non_security_files(ftpd_t)
6b19be33 CP	284	')
6b19be33 CP	285
fc6524d7	286	tunable_policy(`ftp_home_dir',`
165b42d2 CP	287	allow ftpd_t self:capability { dac_override dac_read_search };
165b42d2 CP	288
fc6524d7	289	# allow access to /home
d8636fc9	290	files_list_home(ftpd_t)
296273a7	291	userdom_read_user_home_content_files(ftpd_t)
3eaa9939 DW	292	userdom_manage_user_home_content(ftpd_t)
	293	userdom_manage_user_tmp_files(ftpd_t)
	294	userdom_tmp_filetrans_user_tmp(ftpd_t, file)
68ac47d8 DG	295	',`
	296	# Needed for permissive mode, to make sure everything gets labeled correctly
	297	userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
	298	files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
fc6524d7 CP	299	')
fc6524d7 CP	300
522b59bb CP	301	tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	302	fs_manage_nfs_files(ftpd_t)
	303	fs_read_nfs_symlinks(ftpd_t)
	304	')
	305
	306	tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	307	fs_manage_cifs_files(ftpd_t)
	308	fs_read_cifs_symlinks(ftpd_t)
	309	')
	310
46551033 CP	311	optional_policy(`
	312	tunable_policy(`ftp_home_dir',`
	313	apache_search_sys_content(ftpd_t)
	314	')
	315	')
	316
bb7170f6	317	optional_policy(`
fc6524d7 CP	318	corecmd_exec_shell(ftpd_t)
fc6524d7 CP	319
77f6e2cd	320	files_read_usr_files(ftpd_t)
fc6524d7	321
3f67f722	322	cron_system_entry(ftpd_t, ftpd_exec_t)
fc6524d7	323
bb7170f6	324	optional_policy(`
fc6524d7 CP	325	logrotate_exec(ftpd_t)
	326	')
	327	')
	328
bb7170f6	329	optional_policy(`
44d5d93f CP	330	daemontools_service_domain(ftpd_t, ftpd_exec_t)
	331	')
	332
3d1650bf DG	333	optional_policy(`
	334	fail2ban_read_lib_files(ftpd_t)
	335	')
	336
09c56f54	337	optional_policy(`
a53c6c65 CP	338	selinux_validate_context(ftpd_t)
	339
	340	kerberos_keytab_template(ftpd, ftpd_t)
	341	kerberos_manage_host_rcache(ftpd_t)
09c56f54 CP	342	')
09c56f54 CP	343
3eaa9939 DW	344	optional_policy(`
	345	tunable_policy(`ftpd_connect_db',`
	346	mysql_stream_connect(ftpd_t)
	347	')
	348	')
	349
	350	optional_policy(`
	351	tunable_policy(`ftpd_connect_db',`
	352	postgresql_stream_connect(ftpd_t)
	353	')
	354	')
	355
01ada3cd MG	356	optional_policy(`
	357	tunable_policy(`ftpd_connect_db',`
	358	mysql_tcp_connect(ftpd_t)
	359	postgresql_tcp_connect(ftpd_t)
	360	')
3eaa9939 DW	361	')
3eaa9939 DW	362
bb7170f6	363	optional_policy(`
0bfccda4	364	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
73ef293b	365
bb7170f6	366	optional_policy(`
56e1b3d2	367	tcpd_domtrans(tcpd_t)
77f6e2cd	368	')
fc6524d7 CP	369	')
fc6524d7 CP	370
a53c6c65 CP	371	optional_policy(`
	372	dbus_system_bus_client(ftpd_t)
	373
	374	optional_policy(`
	375	oddjob_dbus_chat(ftpd_t)
	376	oddjob_domtrans_mkhomedir(ftpd_t)
	377	')
	378	')
	379
bb7170f6	380	optional_policy(`
fc6524d7 CP	381	seutil_sigchld_newrole(ftpd_t)
	382	')
	383
bb7170f6	384	optional_policy(`
fc6524d7 CP	385	udev_read_db(ftpd_t)
fc6524d7 CP	386	')
75fbbb0b CP	387
	388	########################################
	389	#
	390	# ftpdctl local policy
	391	#
	392
	393	# Allow ftpdctl to talk to ftpd over a socket connection
0bfccda4	394	stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
08c4bb08	395	files_search_pids(ftpdctl_t)
75fbbb0b CP	396
	397	# ftpdctl creates a socket so that the daemon can perform
	398	# access control decisions (see comments in ftpd_t rules above)
1dfc76f7	399	allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
75fbbb0b CP	400	files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
	401
	402	# Allow ftpdctl to read config files
	403	files_read_etc_files(ftpdctl_t)
296273a7	404
af2d8802	405	userdom_use_inherited_user_terminals(ftpdctl_t)
a53c6c65 CP	406
	407	########################################
	408	#
	409	# sftpd local policy
	410	#
68ac47d8	411
a53c6c65 CP	412	files_read_etc_files(sftpd_t)
a53c6c65 CP	413
6e53156f DW	414	miscfiles_read_localization(sftpd_t)
6e53156f DW	415
a53c6c65 CP	416	# allow read access to /home by default
	417	userdom_read_user_home_content_files(sftpd_t)
	418	userdom_read_user_home_content_symlinks(sftpd_t)
3eaa9939 DW	419	userdom_dontaudit_list_admin_dir(sftpd_t)
	420
	421	tunable_policy(`sftpd_full_access',`
68ac47d8 DG	422	allow sftpd_t self:capability { dac_override dac_read_search };
68ac47d8 DG	423	fs_read_noxattr_fs_files(sftpd_t)
d500db40	424	files_manage_non_security_files(sftpd_t)
3eaa9939 DW	425	')
	426
	427	tunable_policy(`sftpd_write_ssh_home',`
68ac47d8	428	ssh_manage_home_files(sftpd_t)
3eaa9939	429	')
a53c6c65 CP	430
	431	tunable_policy(`sftpd_enable_homedirs',`
	432	allow sftpd_t self:capability { dac_override dac_read_search };
	433
	434	# allow access to /home
	435	files_list_home(sftpd_t)
3eaa9939 DW	436	userdom_read_user_home_content_files(sftpd_t)
3eaa9939 DW	437	userdom_manage_user_home_content(sftpd_t)
68ac47d8 DG	438	',`
	439	# Needed for permissive mode, to make sure everything gets labeled correctly
	440	userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
a53c6c65 CP	441	')
	442
	443	tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
	444	fs_manage_nfs_dirs(sftpd_t)
	445	fs_manage_nfs_files(sftpd_t)
	446	fs_manage_nfs_symlinks(sftpd_t)
	447	')
	448
	449	tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
	450	fs_manage_cifs_dirs(sftpd_t)
	451	fs_manage_cifs_files(sftpd_t)
	452	fs_manage_cifs_symlinks(sftpd_t)
	453	')
	454
	455	tunable_policy(`sftpd_full_access',`
	456	allow sftpd_t self:capability { dac_override dac_read_search };
	457	fs_read_noxattr_fs_files(sftpd_t)
d500db40	458	files_manage_non_security_files(sftpd_t)
a53c6c65 CP	459	')
a53c6c65 CP	460
ed2ac112	461	userdom_home_reader(sftpd_t)