[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / ftp.te


policy_module(ftp,1.2.0)

########################################
#
# Declarations
#

type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t,ftpd_exec_t)

type ftpd_etc_t;
files_config_file(ftpd_etc_t)

# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)

type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)

type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)

type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)

type xferlog_t;
logging_log_file(xferlog_t)

########################################
#
# Local policy
#

allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;

allow ftpd_t ftpd_etc_t:file r_file_perms;

allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
allow ftpd_t ftpd_tmp_t:file create_file_perms;
files_filetrans_tmp(ftpd_t, ftpd_tmp_t, { file dir })

allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
fs_filetrans_tmpfs(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

allow ftpd_t ftpd_var_run_t:file create_file_perms;
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
files_filetrans_pid(ftpd_t,ftpd_var_run_t)

# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:file create_file_perms;
logging_filetrans_log(ftpd_t,xferlog_t)

kernel_read_kernel_sysctl(ftpd_t)
kernel_read_system_state(ftpd_t)

dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)

corecmd_exec_bin(ftpd_t)
corecmd_exec_sbin(ftpd_t)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
corecmd_exec_ls(ftpd_t)

corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
corenet_raw_sendrecv_all_if(ftpd_t)
corenet_tcp_sendrecv_all_nodes(ftpd_t)
corenet_udp_sendrecv_all_nodes(ftpd_t)
corenet_raw_sendrecv_all_nodes(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_non_ipsec_sendrecv(ftpd_t)
corenet_tcp_bind_all_nodes(ftpd_t)
corenet_udp_bind_all_nodes(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)

domain_use_wide_inherit_fd(ftpd_t)

files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib_dir(ftpd_t)

fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)

term_dontaudit_use_console(ftpd_t)

auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)

init_use_fd(ftpd_t)
init_use_script_pty(ftpd_t)

libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)

logging_send_syslog_msg(ftpd_t)

miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

seutil_dontaudit_search_config(ftpd_t)

sysnet_read_config(ftpd_t)

userdom_dontaudit_search_sysadm_home_dir(ftpd_t)
userdom_dontaudit_use_unpriv_user_fd(ftpd_t)

ifdef(`targeted_policy',`
	files_dontaudit_read_root_file(ftpd_t)

	term_dontaudit_use_generic_pty(ftpd_t)
	term_dontaudit_use_unallocated_tty(ftpd_t)

	optional_policy(`ftp',`
		tunable_policy(`ftpd_is_daemon',`
			# cjp: fix this to use regular interfaces
			userdom_manage_user_home_subdir_files(user,ftpd_t)
			userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
			userdom_manage_user_home_subdir_sockets(user,ftpd_t)
			userdom_manage_user_home_subdir_pipes(user,ftpd_t)
			userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
		')
	')
')

tunable_policy(`allow_ftpd_anon_write',`
	miscfiles_manage_public_files(ftpd_t)
') 

tunable_policy(`ftp_home_dir',`
	# allow access to /home
	files_list_home(ftpd_t)
	userdom_read_all_user_files(ftpd_t)
	userdom_manage_all_user_dirs(ftpd_t)
	userdom_manage_all_user_files(ftpd_t)
	userdom_manage_all_user_symlinks(ftpd_t)

	ifdef(`targeted_policy',`
		userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
	')
')

tunable_policy(`ftpd_is_daemon',`
	allow ftpd_t ftpd_lock_t:file create_file_perms;
	files_filetrans_lock(ftpd_t,ftpd_lock_t)

	corenet_tcp_bind_ftp_port(ftpd_t)
')

tunable_policy(`use_nfs_home_dirs && ftp_home_dir',`
	fs_read_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
	fs_read_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

optional_policy(`cron',`
	corecmd_exec_shell(ftpd_t)

	files_read_usr_files(ftpd_t)

       	cron_system_entry(ftpd_t, ftpd_exec_t)

	optional_policy(`logrotate',`
		logrotate_exec(ftpd_t)
	')
')

optional_policy(`daemontools',`
	daemontools_service_domain(ftpd_t, ftpd_exec_t)
')

optional_policy(`inetd',`
	#reh: typeattributes not allowed in conditionals yet.
	#tunable_policy(`! ftpd_is_daemon',`
	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
	#')

	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)

	optional_policy(`tcpd',`
		tunable_policy(`! ftpd_is_daemon',`
			tcpd_domtrans(tcpd_t)
		')
	')
')

optional_policy(`mount',`
	mount_send_nfs_client_request(ftpd_t)
')

optional_policy(`nscd',`
	nscd_use_socket(ftpd_t)
')

optional_policy(`selinuxutil',`
	seutil_sigchld_newrole(ftpd_t)
')

optional_policy(`udev', `
	udev_read_db(ftpd_t)
')
Commit	Line	Data
fc6524d7	1
d3d27022	2	policy_module(ftp,1.2.0)
fc6524d7 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type ftpd_t;
	10	type ftpd_exec_t;
	11	init_daemon_domain(ftpd_t,ftpd_exec_t)
	12
	13	type ftpd_etc_t;
9bbc757a	14	files_config_file(ftpd_etc_t)
fc6524d7 CP	15
	16	# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
	17	type ftpd_lock_t;
	18	files_lock_file(ftpd_lock_t)
	19
	20	type ftpd_tmp_t;
	21	files_tmp_file(ftpd_tmp_t)
	22
	23	type ftpd_tmpfs_t;
	24	files_tmpfs_file(ftpd_tmpfs_t)
	25
	26	type ftpd_var_run_t;
	27	files_pid_file(ftpd_var_run_t)
	28
	29	type xferlog_t;
	30	logging_log_file(xferlog_t)
	31
	32	########################################
	33	#
	34	# Local policy
	35	#
	36
	37	allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
	38	dontaudit ftpd_t self:capability sys_tty_config;
	39	allow ftpd_t self:process signal_perms;
	40	allow ftpd_t self:process { getcap setcap setsched setrlimit };
	41	allow ftpd_t self:fifo_file rw_file_perms;
	42	allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
	43	allow ftpd_t self:unix_stream_socket create_socket_perms;
	44	allow ftpd_t self:tcp_socket create_stream_socket_perms;
	45	allow ftpd_t self:udp_socket create_socket_perms;
	46
e6a2eaff	47	allow ftpd_t ftpd_etc_t:file r_file_perms;
fc6524d7 CP	48
	49	allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
	50	allow ftpd_t ftpd_tmp_t:file create_file_perms;
9d594986	51	files_filetrans_tmp(ftpd_t, ftpd_tmp_t, { file dir })
fc6524d7	52
e6a2eaff CP	53	allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
	54	allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
	55	allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
	56	allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
	57	allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
9d594986	58	fs_filetrans_tmpfs(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fc6524d7	59
e6a2eaff CP	60	allow ftpd_t ftpd_var_run_t:file create_file_perms;
e6a2eaff CP	61	allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
9d594986	62	files_filetrans_pid(ftpd_t,ftpd_var_run_t)
e6a2eaff	63
fc6524d7 CP	64	# Create and modify /var/log/xferlog.
fc6524d7 CP	65	allow ftpd_t xferlog_t:file create_file_perms;
9d594986	66	logging_filetrans_log(ftpd_t,xferlog_t)
fc6524d7 CP	67
	68	kernel_read_kernel_sysctl(ftpd_t)
	69	kernel_read_system_state(ftpd_t)
	70
	71	dev_read_sysfs(ftpd_t)
	72	dev_read_urand(ftpd_t)
	73
049e11af CP	74	corecmd_exec_bin(ftpd_t)
	75	corecmd_exec_sbin(ftpd_t)
	76	# Execute /bin/ls (can comment this out for proftpd)
	77	# also may need rules to allow tar etc...
	78	corecmd_exec_ls(ftpd_t)
fc6524d7 CP	79
	80	corenet_tcp_sendrecv_all_if(ftpd_t)
	81	corenet_udp_sendrecv_all_if(ftpd_t)
	82	corenet_raw_sendrecv_all_if(ftpd_t)
	83	corenet_tcp_sendrecv_all_nodes(ftpd_t)
	84	corenet_udp_sendrecv_all_nodes(ftpd_t)
	85	corenet_raw_sendrecv_all_nodes(ftpd_t)
	86	corenet_tcp_sendrecv_all_ports(ftpd_t)
	87	corenet_udp_sendrecv_all_ports(ftpd_t)
bd70373d	88	corenet_non_ipsec_sendrecv(ftpd_t)
fc6524d7 CP	89	corenet_tcp_bind_all_nodes(ftpd_t)
	90	corenet_udp_bind_all_nodes(ftpd_t)
	91	corenet_tcp_bind_ftp_data_port(ftpd_t)
	92	corenet_tcp_bind_generic_port(ftpd_t)
	93	corenet_tcp_connect_all_ports(ftpd_t)
	94
049e11af CP	95	domain_use_wide_inherit_fd(ftpd_t)
	96
	97	files_search_etc(ftpd_t)
	98	files_read_etc_files(ftpd_t)
	99	files_read_etc_runtime_files(ftpd_t)
	100	files_search_var_lib_dir(ftpd_t)
	101
	102	fs_search_auto_mountpoints(ftpd_t)
	103	fs_getattr_all_fs(ftpd_t)
	104
fc6524d7 CP	105	term_dontaudit_use_console(ftpd_t)
fc6524d7 CP	106
049e11af	107	auth_use_nsswitch(ftpd_t)
e6a2eaff	108	auth_domtrans_chk_passwd(ftpd_t)
fc6524d7 CP	109	# Append to /var/log/wtmp.
	110	auth_append_login_records(ftpd_t)
	111	#kerberized ftp requires the following
	112	auth_write_login_records(ftpd_t)
	113
fc6524d7 CP	114	init_use_fd(ftpd_t)
	115	init_use_script_pty(ftpd_t)
	116
	117	libs_use_ld_so(ftpd_t)
	118	libs_use_shared_libs(ftpd_t)
	119
	120	logging_send_syslog_msg(ftpd_t)
	121
	122	miscfiles_read_localization(ftpd_t)
	123	miscfiles_read_public_files(ftpd_t)
	124
	125	seutil_dontaudit_search_config(ftpd_t)
	126
	127	sysnet_read_config(ftpd_t)
	128
	129	userdom_dontaudit_search_sysadm_home_dir(ftpd_t)
	130	userdom_dontaudit_use_unpriv_user_fd(ftpd_t)
	131
	132	ifdef(`targeted_policy',`
	133	files_dontaudit_read_root_file(ftpd_t)
	134
	135	term_dontaudit_use_generic_pty(ftpd_t)
	136	term_dontaudit_use_unallocated_tty(ftpd_t)
725926c5	137
1328802a	138	optional_policy(`ftp',`
725926c5 CP	139	tunable_policy(`ftpd_is_daemon',`
	140	# cjp: fix this to use regular interfaces
	141	userdom_manage_user_home_subdir_files(user,ftpd_t)
	142	userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
	143	userdom_manage_user_home_subdir_sockets(user,ftpd_t)
	144	userdom_manage_user_home_subdir_pipes(user,ftpd_t)
	145	userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
	146	')
	147	')
fc6524d7 CP	148	')
	149
	150	tunable_policy(`allow_ftpd_anon_write',`
	151	miscfiles_manage_public_files(ftpd_t)
	152	')
	153
	154	tunable_policy(`ftp_home_dir',`
	155	# allow access to /home
d8636fc9	156	files_list_home(ftpd_t)
fc6524d7 CP	157	userdom_read_all_user_files(ftpd_t)
	158	userdom_manage_all_user_dirs(ftpd_t)
	159	userdom_manage_all_user_files(ftpd_t)
	160	userdom_manage_all_user_symlinks(ftpd_t)
d8636fc9 CP	161
d8636fc9 CP	162	ifdef(`targeted_policy',`
9d594986	163	userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
d8636fc9	164	')
fc6524d7 CP	165	')
	166
	167	tunable_policy(`ftpd_is_daemon',`
	168	allow ftpd_t ftpd_lock_t:file create_file_perms;
9d594986	169	files_filetrans_lock(ftpd_t,ftpd_lock_t)
fc6524d7 CP	170
	171	corenet_tcp_bind_ftp_port(ftpd_t)
	172	')
	173
	174	tunable_policy(`use_nfs_home_dirs && ftp_home_dir',`
	175	fs_read_nfs_files(ftpd_t)
	176	fs_read_nfs_symlinks(ftpd_t)
	177	')
	178
	179	tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
	180	fs_read_cifs_files(ftpd_t)
	181	fs_read_cifs_symlinks(ftpd_t)
	182	')
	183
1328802a	184	optional_policy(`cron',`
fc6524d7 CP	185	corecmd_exec_shell(ftpd_t)
fc6524d7 CP	186
77f6e2cd	187	files_read_usr_files(ftpd_t)
fc6524d7 CP	188
	189	cron_system_entry(ftpd_t, ftpd_exec_t)
	190
1328802a	191	optional_policy(`logrotate',`
fc6524d7 CP	192	logrotate_exec(ftpd_t)
	193	')
	194	')
	195
44d5d93f CP	196	optional_policy(`daemontools',`
	197	daemontools_service_domain(ftpd_t, ftpd_exec_t)
	198	')
	199
1328802a	200	optional_policy(`inetd',`
784a3bbc CP	201	#reh: typeattributes not allowed in conditionals yet.
	202	#tunable_policy(`! ftpd_is_daemon',`
	203	# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
	204	#')
fc6524d7	205
73ef293b CP	206	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
73ef293b CP	207
1328802a	208	optional_policy(`tcpd',`
77f6e2cd	209	tunable_policy(`! ftpd_is_daemon',`
fc6524d7 CP	210	tcpd_domtrans(tcpd_t)
fc6524d7 CP	211	')
77f6e2cd	212	')
fc6524d7 CP	213	')
fc6524d7 CP	214
1328802a	215	optional_policy(`mount',`
fc6524d7 CP	216	mount_send_nfs_client_request(ftpd_t)
	217	')
	218
1328802a	219	optional_policy(`nscd',`
e6a2eaff CP	220	nscd_use_socket(ftpd_t)
	221	')
	222
1328802a	223	optional_policy(`selinuxutil',`
fc6524d7 CP	224	seutil_sigchld_newrole(ftpd_t)
	225	')
	226
1328802a	227	optional_policy(`udev', `
fc6524d7 CP	228	udev_read_db(ftpd_t)
fc6524d7 CP	229	')