[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / ftp.te


policy_module(ftp,1.2.2)

########################################
#
# Declarations
#

type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t,ftpd_exec_t)

type ftpd_etc_t;
files_config_file(ftpd_etc_t)

# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)

type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)

type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)

type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)

type xferlog_t;
logging_log_file(xferlog_t)

########################################
#
# Local policy
#

allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;

allow ftpd_t ftpd_etc_t:file r_file_perms;

allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
allow ftpd_t ftpd_tmp_t:file create_file_perms;
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })

allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

allow ftpd_t ftpd_var_run_t:file create_file_perms;
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)

# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:dir search_dir_perms;
allow ftpd_t xferlog_t:file create_file_perms;
logging_log_filetrans(ftpd_t,xferlog_t,file)

kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)

dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)

corecmd_exec_bin(ftpd_t)
corecmd_exec_sbin(ftpd_t)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
corecmd_exec_ls(ftpd_t)

corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
corenet_raw_sendrecv_all_if(ftpd_t)
corenet_tcp_sendrecv_all_nodes(ftpd_t)
corenet_udp_sendrecv_all_nodes(ftpd_t)
corenet_raw_sendrecv_all_nodes(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_non_ipsec_sendrecv(ftpd_t)
corenet_tcp_bind_all_nodes(ftpd_t)
corenet_udp_bind_all_nodes(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)

domain_use_interactive_fds(ftpd_t)

files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)

fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)

term_dontaudit_use_console(ftpd_t)

auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)

init_use_fds(ftpd_t)
init_use_script_ptys(ftpd_t)

libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)

logging_send_syslog_msg(ftpd_t)

miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

seutil_dontaudit_search_config(ftpd_t)

sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)

userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)

ifdef(`targeted_policy',`
	files_dontaudit_read_root_files(ftpd_t)

	term_dontaudit_use_generic_ptys(ftpd_t)
	term_dontaudit_use_unallocated_ttys(ftpd_t)
')

tunable_policy(`allow_ftpd_anon_write',`
	miscfiles_manage_public_files(ftpd_t)
') 

tunable_policy(`ftp_home_dir',`
	# allow access to /home
	files_list_home(ftpd_t)
	userdom_read_all_users_home_content_files(ftpd_t)
	userdom_manage_all_users_home_content_dirs(ftpd_t)
	userdom_manage_all_users_home_content_files(ftpd_t)
	userdom_manage_all_users_home_content_symlinks(ftpd_t)

	ifdef(`targeted_policy',`
		userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
	')
')

tunable_policy(`ftpd_is_daemon',`
	allow ftpd_t ftpd_lock_t:file create_file_perms;
	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)

	corenet_tcp_bind_ftp_port(ftpd_t)
')

tunable_policy(`use_nfs_home_dirs && ftp_home_dir',`
	fs_read_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
	fs_read_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

optional_policy(`
	corecmd_exec_shell(ftpd_t)

	files_read_usr_files(ftpd_t)

       	cron_system_entry(ftpd_t, ftpd_exec_t)

	optional_policy(`
		logrotate_exec(ftpd_t)
	')
')

optional_policy(`
	daemontools_service_domain(ftpd_t, ftpd_exec_t)
')

optional_policy(`
	#reh: typeattributes not allowed in conditionals yet.
	#tunable_policy(`! ftpd_is_daemon',`
	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
	#')

	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)

	optional_policy(`
		tunable_policy(`! ftpd_is_daemon',`
			tcpd_domtrans(tcpd_t)
		')
	')
')

optional_policy(`
	mount_send_nfs_client_request(ftpd_t)
')

optional_policy(`
	nscd_socket_use(ftpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(ftpd_t)
')

optional_policy(`
	udev_read_db(ftpd_t)
')
Commit	Line	Data
fc6524d7	1
8cfa5a00	2	policy_module(ftp,1.2.2)
fc6524d7 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type ftpd_t;
	10	type ftpd_exec_t;
	11	init_daemon_domain(ftpd_t,ftpd_exec_t)
	12
	13	type ftpd_etc_t;
9bbc757a	14	files_config_file(ftpd_etc_t)
fc6524d7 CP	15
	16	# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
	17	type ftpd_lock_t;
	18	files_lock_file(ftpd_lock_t)
	19
	20	type ftpd_tmp_t;
	21	files_tmp_file(ftpd_tmp_t)
	22
	23	type ftpd_tmpfs_t;
	24	files_tmpfs_file(ftpd_tmpfs_t)
	25
	26	type ftpd_var_run_t;
	27	files_pid_file(ftpd_var_run_t)
	28
	29	type xferlog_t;
	30	logging_log_file(xferlog_t)
	31
	32	########################################
	33	#
	34	# Local policy
	35	#
	36
	37	allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
	38	dontaudit ftpd_t self:capability sys_tty_config;
	39	allow ftpd_t self:process signal_perms;
	40	allow ftpd_t self:process { getcap setcap setsched setrlimit };
	41	allow ftpd_t self:fifo_file rw_file_perms;
	42	allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
	43	allow ftpd_t self:unix_stream_socket create_socket_perms;
	44	allow ftpd_t self:tcp_socket create_stream_socket_perms;
	45	allow ftpd_t self:udp_socket create_socket_perms;
	46
e6a2eaff	47	allow ftpd_t ftpd_etc_t:file r_file_perms;
fc6524d7 CP	48
	49	allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
	50	allow ftpd_t ftpd_tmp_t:file create_file_perms;
103fe280	51	files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
fc6524d7	52
e6a2eaff CP	53	allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
	54	allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
	55	allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
	56	allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
	57	allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
103fe280	58	fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fc6524d7	59
e6a2eaff CP	60	allow ftpd_t ftpd_var_run_t:file create_file_perms;
e6a2eaff CP	61	allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
1c1ac67f	62	files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
e6a2eaff	63
fc6524d7	64	# Create and modify /var/log/xferlog.
8cfa5a00	65	allow ftpd_t xferlog_t:dir search_dir_perms;
fc6524d7	66	allow ftpd_t xferlog_t:file create_file_perms;
1c1ac67f	67	logging_log_filetrans(ftpd_t,xferlog_t,file)
fc6524d7	68
445522dc	69	kernel_read_kernel_sysctls(ftpd_t)
fc6524d7 CP	70	kernel_read_system_state(ftpd_t)
	71
	72	dev_read_sysfs(ftpd_t)
	73	dev_read_urand(ftpd_t)
	74
049e11af CP	75	corecmd_exec_bin(ftpd_t)
	76	corecmd_exec_sbin(ftpd_t)
	77	# Execute /bin/ls (can comment this out for proftpd)
	78	# also may need rules to allow tar etc...
	79	corecmd_exec_ls(ftpd_t)
fc6524d7 CP	80
	81	corenet_tcp_sendrecv_all_if(ftpd_t)
	82	corenet_udp_sendrecv_all_if(ftpd_t)
	83	corenet_raw_sendrecv_all_if(ftpd_t)
	84	corenet_tcp_sendrecv_all_nodes(ftpd_t)
	85	corenet_udp_sendrecv_all_nodes(ftpd_t)
	86	corenet_raw_sendrecv_all_nodes(ftpd_t)
	87	corenet_tcp_sendrecv_all_ports(ftpd_t)
	88	corenet_udp_sendrecv_all_ports(ftpd_t)
bd70373d	89	corenet_non_ipsec_sendrecv(ftpd_t)
fc6524d7 CP	90	corenet_tcp_bind_all_nodes(ftpd_t)
	91	corenet_udp_bind_all_nodes(ftpd_t)
	92	corenet_tcp_bind_ftp_data_port(ftpd_t)
	93	corenet_tcp_bind_generic_port(ftpd_t)
	94	corenet_tcp_connect_all_ports(ftpd_t)
	95
15722ec9	96	domain_use_interactive_fds(ftpd_t)
049e11af CP	97
	98	files_search_etc(ftpd_t)
	99	files_read_etc_files(ftpd_t)
	100	files_read_etc_runtime_files(ftpd_t)
9e04f5c5	101	files_search_var_lib(ftpd_t)
049e11af CP	102
	103	fs_search_auto_mountpoints(ftpd_t)
	104	fs_getattr_all_fs(ftpd_t)
	105
fc6524d7 CP	106	term_dontaudit_use_console(ftpd_t)
fc6524d7 CP	107
049e11af	108	auth_use_nsswitch(ftpd_t)
e6a2eaff	109	auth_domtrans_chk_passwd(ftpd_t)
fc6524d7 CP	110	# Append to /var/log/wtmp.
	111	auth_append_login_records(ftpd_t)
	112	#kerberized ftp requires the following
	113	auth_write_login_records(ftpd_t)
	114
1c1ac67f	115	init_use_fds(ftpd_t)
1815bad1	116	init_use_script_ptys(ftpd_t)
fc6524d7 CP	117
	118	libs_use_ld_so(ftpd_t)
	119	libs_use_shared_libs(ftpd_t)
	120
	121	logging_send_syslog_msg(ftpd_t)
	122
	123	miscfiles_read_localization(ftpd_t)
	124	miscfiles_read_public_files(ftpd_t)
	125
	126	seutil_dontaudit_search_config(ftpd_t)
	127
	128	sysnet_read_config(ftpd_t)
85a0f967	129	sysnet_use_ldap(ftpd_t)
fc6524d7	130
103fe280	131	userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
15722ec9	132	userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
fc6524d7 CP	133
fc6524d7 CP	134	ifdef(`targeted_policy',`
9e04f5c5	135	files_dontaudit_read_root_files(ftpd_t)
fc6524d7	136
1815bad1 CP	137	term_dontaudit_use_generic_ptys(ftpd_t)
1815bad1 CP	138	term_dontaudit_use_unallocated_ttys(ftpd_t)
fc6524d7 CP	139	')
	140
	141	tunable_policy(`allow_ftpd_anon_write',`
	142	miscfiles_manage_public_files(ftpd_t)
	143	')
	144
	145	tunable_policy(`ftp_home_dir',`
	146	# allow access to /home
d8636fc9	147	files_list_home(ftpd_t)
103fe280 CP	148	userdom_read_all_users_home_content_files(ftpd_t)
	149	userdom_manage_all_users_home_content_dirs(ftpd_t)
	150	userdom_manage_all_users_home_content_files(ftpd_t)
	151	userdom_manage_all_users_home_content_symlinks(ftpd_t)
d8636fc9 CP	152
d8636fc9 CP	153	ifdef(`targeted_policy',`
103fe280	154	userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
d8636fc9	155	')
fc6524d7 CP	156	')
	157
	158	tunable_policy(`ftpd_is_daemon',`
	159	allow ftpd_t ftpd_lock_t:file create_file_perms;
1c1ac67f	160	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
fc6524d7 CP	161
	162	corenet_tcp_bind_ftp_port(ftpd_t)
	163	')
	164
	165	tunable_policy(`use_nfs_home_dirs && ftp_home_dir',`
	166	fs_read_nfs_files(ftpd_t)
	167	fs_read_nfs_symlinks(ftpd_t)
	168	')
	169
	170	tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
	171	fs_read_cifs_files(ftpd_t)
	172	fs_read_cifs_symlinks(ftpd_t)
	173	')
	174
bb7170f6	175	optional_policy(`
fc6524d7 CP	176	corecmd_exec_shell(ftpd_t)
fc6524d7 CP	177
77f6e2cd	178	files_read_usr_files(ftpd_t)
fc6524d7 CP	179
	180	cron_system_entry(ftpd_t, ftpd_exec_t)
	181
bb7170f6	182	optional_policy(`
fc6524d7 CP	183	logrotate_exec(ftpd_t)
	184	')
	185	')
	186
bb7170f6	187	optional_policy(`
44d5d93f CP	188	daemontools_service_domain(ftpd_t, ftpd_exec_t)
	189	')
	190
bb7170f6	191	optional_policy(`
784a3bbc CP	192	#reh: typeattributes not allowed in conditionals yet.
	193	#tunable_policy(`! ftpd_is_daemon',`
	194	# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
	195	#')
fc6524d7	196
73ef293b CP	197	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
73ef293b CP	198
bb7170f6	199	optional_policy(`
77f6e2cd	200	tunable_policy(`! ftpd_is_daemon',`
fc6524d7 CP	201	tcpd_domtrans(tcpd_t)
fc6524d7 CP	202	')
77f6e2cd	203	')
fc6524d7 CP	204	')
fc6524d7 CP	205
bb7170f6	206	optional_policy(`
fc6524d7 CP	207	mount_send_nfs_client_request(ftpd_t)
	208	')
	209
bb7170f6	210	optional_policy(`
1815bad1	211	nscd_socket_use(ftpd_t)
e6a2eaff CP	212	')
e6a2eaff CP	213
bb7170f6	214	optional_policy(`
fc6524d7 CP	215	seutil_sigchld_newrole(ftpd_t)
	216	')
	217
bb7170f6	218	optional_policy(`
fc6524d7 CP	219	udev_read_db(ftpd_t)
fc6524d7 CP	220	')