]>
Commit | Line | Data |
---|---|---|
fc6524d7 | 1 | |
8cfa5a00 | 2 | policy_module(ftp,1.2.2) |
fc6524d7 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type ftpd_t; | |
10 | type ftpd_exec_t; | |
11 | init_daemon_domain(ftpd_t,ftpd_exec_t) | |
12 | ||
13 | type ftpd_etc_t; | |
9bbc757a | 14 | files_config_file(ftpd_etc_t) |
fc6524d7 CP |
15 | |
16 | # ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally | |
17 | type ftpd_lock_t; | |
18 | files_lock_file(ftpd_lock_t) | |
19 | ||
20 | type ftpd_tmp_t; | |
21 | files_tmp_file(ftpd_tmp_t) | |
22 | ||
23 | type ftpd_tmpfs_t; | |
24 | files_tmpfs_file(ftpd_tmpfs_t) | |
25 | ||
26 | type ftpd_var_run_t; | |
27 | files_pid_file(ftpd_var_run_t) | |
28 | ||
29 | type xferlog_t; | |
30 | logging_log_file(xferlog_t) | |
31 | ||
32 | ######################################## | |
33 | # | |
34 | # Local policy | |
35 | # | |
36 | ||
37 | allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; | |
38 | dontaudit ftpd_t self:capability sys_tty_config; | |
39 | allow ftpd_t self:process signal_perms; | |
40 | allow ftpd_t self:process { getcap setcap setsched setrlimit }; | |
41 | allow ftpd_t self:fifo_file rw_file_perms; | |
42 | allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; | |
43 | allow ftpd_t self:unix_stream_socket create_socket_perms; | |
44 | allow ftpd_t self:tcp_socket create_stream_socket_perms; | |
45 | allow ftpd_t self:udp_socket create_socket_perms; | |
46 | ||
e6a2eaff | 47 | allow ftpd_t ftpd_etc_t:file r_file_perms; |
fc6524d7 CP |
48 | |
49 | allow ftpd_t ftpd_tmp_t:dir create_dir_perms; | |
50 | allow ftpd_t ftpd_tmp_t:file create_file_perms; | |
103fe280 | 51 | files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) |
fc6524d7 | 52 | |
e6a2eaff CP |
53 | allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms; |
54 | allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms; | |
55 | allow ftpd_t ftpd_tmpfs_t:file create_file_perms; | |
56 | allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms; | |
57 | allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms; | |
103fe280 | 58 | fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) |
fc6524d7 | 59 | |
e6a2eaff CP |
60 | allow ftpd_t ftpd_var_run_t:file create_file_perms; |
61 | allow ftpd_t ftpd_var_run_t:dir rw_dir_perms; | |
1c1ac67f | 62 | files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) |
e6a2eaff | 63 | |
fc6524d7 | 64 | # Create and modify /var/log/xferlog. |
8cfa5a00 | 65 | allow ftpd_t xferlog_t:dir search_dir_perms; |
fc6524d7 | 66 | allow ftpd_t xferlog_t:file create_file_perms; |
1c1ac67f | 67 | logging_log_filetrans(ftpd_t,xferlog_t,file) |
fc6524d7 | 68 | |
445522dc | 69 | kernel_read_kernel_sysctls(ftpd_t) |
fc6524d7 CP |
70 | kernel_read_system_state(ftpd_t) |
71 | ||
72 | dev_read_sysfs(ftpd_t) | |
73 | dev_read_urand(ftpd_t) | |
74 | ||
049e11af CP |
75 | corecmd_exec_bin(ftpd_t) |
76 | corecmd_exec_sbin(ftpd_t) | |
77 | # Execute /bin/ls (can comment this out for proftpd) | |
78 | # also may need rules to allow tar etc... | |
79 | corecmd_exec_ls(ftpd_t) | |
fc6524d7 CP |
80 | |
81 | corenet_tcp_sendrecv_all_if(ftpd_t) | |
82 | corenet_udp_sendrecv_all_if(ftpd_t) | |
83 | corenet_raw_sendrecv_all_if(ftpd_t) | |
84 | corenet_tcp_sendrecv_all_nodes(ftpd_t) | |
85 | corenet_udp_sendrecv_all_nodes(ftpd_t) | |
86 | corenet_raw_sendrecv_all_nodes(ftpd_t) | |
87 | corenet_tcp_sendrecv_all_ports(ftpd_t) | |
88 | corenet_udp_sendrecv_all_ports(ftpd_t) | |
bd70373d | 89 | corenet_non_ipsec_sendrecv(ftpd_t) |
fc6524d7 CP |
90 | corenet_tcp_bind_all_nodes(ftpd_t) |
91 | corenet_udp_bind_all_nodes(ftpd_t) | |
92 | corenet_tcp_bind_ftp_data_port(ftpd_t) | |
93 | corenet_tcp_bind_generic_port(ftpd_t) | |
94 | corenet_tcp_connect_all_ports(ftpd_t) | |
95 | ||
15722ec9 | 96 | domain_use_interactive_fds(ftpd_t) |
049e11af CP |
97 | |
98 | files_search_etc(ftpd_t) | |
99 | files_read_etc_files(ftpd_t) | |
100 | files_read_etc_runtime_files(ftpd_t) | |
9e04f5c5 | 101 | files_search_var_lib(ftpd_t) |
049e11af CP |
102 | |
103 | fs_search_auto_mountpoints(ftpd_t) | |
104 | fs_getattr_all_fs(ftpd_t) | |
105 | ||
fc6524d7 CP |
106 | term_dontaudit_use_console(ftpd_t) |
107 | ||
049e11af | 108 | auth_use_nsswitch(ftpd_t) |
e6a2eaff | 109 | auth_domtrans_chk_passwd(ftpd_t) |
fc6524d7 CP |
110 | # Append to /var/log/wtmp. |
111 | auth_append_login_records(ftpd_t) | |
112 | #kerberized ftp requires the following | |
113 | auth_write_login_records(ftpd_t) | |
114 | ||
1c1ac67f | 115 | init_use_fds(ftpd_t) |
1815bad1 | 116 | init_use_script_ptys(ftpd_t) |
fc6524d7 CP |
117 | |
118 | libs_use_ld_so(ftpd_t) | |
119 | libs_use_shared_libs(ftpd_t) | |
120 | ||
121 | logging_send_syslog_msg(ftpd_t) | |
122 | ||
123 | miscfiles_read_localization(ftpd_t) | |
124 | miscfiles_read_public_files(ftpd_t) | |
125 | ||
126 | seutil_dontaudit_search_config(ftpd_t) | |
127 | ||
128 | sysnet_read_config(ftpd_t) | |
129 | ||
103fe280 | 130 | userdom_dontaudit_search_sysadm_home_dirs(ftpd_t) |
15722ec9 | 131 | userdom_dontaudit_use_unpriv_user_fds(ftpd_t) |
fc6524d7 CP |
132 | |
133 | ifdef(`targeted_policy',` | |
9e04f5c5 | 134 | files_dontaudit_read_root_files(ftpd_t) |
fc6524d7 | 135 | |
1815bad1 CP |
136 | term_dontaudit_use_generic_ptys(ftpd_t) |
137 | term_dontaudit_use_unallocated_ttys(ftpd_t) | |
fc6524d7 CP |
138 | ') |
139 | ||
140 | tunable_policy(`allow_ftpd_anon_write',` | |
141 | miscfiles_manage_public_files(ftpd_t) | |
142 | ') | |
143 | ||
144 | tunable_policy(`ftp_home_dir',` | |
145 | # allow access to /home | |
d8636fc9 | 146 | files_list_home(ftpd_t) |
103fe280 CP |
147 | userdom_read_all_users_home_content_files(ftpd_t) |
148 | userdom_manage_all_users_home_content_dirs(ftpd_t) | |
149 | userdom_manage_all_users_home_content_files(ftpd_t) | |
150 | userdom_manage_all_users_home_content_symlinks(ftpd_t) | |
d8636fc9 CP |
151 | |
152 | ifdef(`targeted_policy',` | |
103fe280 | 153 | userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file }) |
d8636fc9 | 154 | ') |
fc6524d7 CP |
155 | ') |
156 | ||
157 | tunable_policy(`ftpd_is_daemon',` | |
158 | allow ftpd_t ftpd_lock_t:file create_file_perms; | |
1c1ac67f | 159 | files_lock_filetrans(ftpd_t,ftpd_lock_t,file) |
fc6524d7 CP |
160 | |
161 | corenet_tcp_bind_ftp_port(ftpd_t) | |
162 | ') | |
163 | ||
164 | tunable_policy(`use_nfs_home_dirs && ftp_home_dir',` | |
165 | fs_read_nfs_files(ftpd_t) | |
166 | fs_read_nfs_symlinks(ftpd_t) | |
167 | ') | |
168 | ||
169 | tunable_policy(`use_samba_home_dirs && ftp_home_dir',` | |
170 | fs_read_cifs_files(ftpd_t) | |
171 | fs_read_cifs_symlinks(ftpd_t) | |
172 | ') | |
173 | ||
bb7170f6 | 174 | optional_policy(` |
fc6524d7 CP |
175 | corecmd_exec_shell(ftpd_t) |
176 | ||
77f6e2cd | 177 | files_read_usr_files(ftpd_t) |
fc6524d7 CP |
178 | |
179 | cron_system_entry(ftpd_t, ftpd_exec_t) | |
180 | ||
bb7170f6 | 181 | optional_policy(` |
fc6524d7 CP |
182 | logrotate_exec(ftpd_t) |
183 | ') | |
184 | ') | |
185 | ||
bb7170f6 | 186 | optional_policy(` |
44d5d93f CP |
187 | daemontools_service_domain(ftpd_t, ftpd_exec_t) |
188 | ') | |
189 | ||
bb7170f6 | 190 | optional_policy(` |
784a3bbc CP |
191 | #reh: typeattributes not allowed in conditionals yet. |
192 | #tunable_policy(`! ftpd_is_daemon',` | |
193 | # inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) | |
194 | #') | |
fc6524d7 | 195 | |
73ef293b CP |
196 | inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) |
197 | ||
bb7170f6 | 198 | optional_policy(` |
77f6e2cd | 199 | tunable_policy(`! ftpd_is_daemon',` |
fc6524d7 CP |
200 | tcpd_domtrans(tcpd_t) |
201 | ') | |
77f6e2cd | 202 | ') |
fc6524d7 CP |
203 | ') |
204 | ||
bb7170f6 | 205 | optional_policy(` |
fc6524d7 CP |
206 | mount_send_nfs_client_request(ftpd_t) |
207 | ') | |
208 | ||
bb7170f6 | 209 | optional_policy(` |
1815bad1 | 210 | nscd_socket_use(ftpd_t) |
e6a2eaff CP |
211 | ') |
212 | ||
bb7170f6 | 213 | optional_policy(` |
fc6524d7 CP |
214 | seutil_sigchld_newrole(ftpd_t) |
215 | ') | |
216 | ||
bb7170f6 | 217 | optional_policy(` |
fc6524d7 CP |
218 | udev_read_db(ftpd_t) |
219 | ') |