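policy_module(ftp, 1.12.0)

########################################
#
# Declarations
#
# Every boolean declared in this module defaults to false, so each
# additional grant has to be switched on explicitly.
#

## <desc>
## <p>
## Allow ftp servers to upload files, used for public file
## transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)

# Widest ftpd boolean: its rules add dac_override and dac_read_search on
# the daemon itself and call auth_manage_all_files_except_shadow.
## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)

# Read-only on its own; the cifs manage rule additionally requires
# allow_ftpd_anon_write.
## <desc>
## <p>
## Allow ftp servers to use cifs file systems,
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)

# Read-only on its own; the nfs manage rule additionally requires
# allow_ftpd_anon_write.
## <desc>
## <p>
## Allow ftp servers to use nfs file systems,
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)

# The rules guarded by this boolean cover both mysql and postgresql
# (stream connect and tcp connect), so the description names both.
## <desc>
## <p>
## Allow ftp servers to connect to mysql and postgresql databases
## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)

## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir, false)
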
# Booleans for the internal-sftp domains (anon_sftpd_t and sftpd_t).

## <desc>
## <p>
## Allow anon internal-sftp to upload files, used for
## public file transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)

## <desc>
## <p>
## Allow internal-sftp to read and write files
## in the user home directories
## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)

# Widest sftpd boolean: its rules add dac_override and dac_read_search on
# the domain itself and call auth_manage_all_files_except_shadow.
## <desc>
## <p>
## Allow internal-sftp to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(sftpd_full_access, false)

## <desc>
## <p>
## Allow internal-sftp to read and write files
## in the user ssh home directories.
## </p>
## </desc>
gen_tunable(sftpd_write_ssh_home, false)

# Domain for anon internal-sftp sessions; sftpd_anon_t stays usable as an alias.
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
role system_r types anon_sftpd_t;

# The ftp daemon domain and its entry point, declared via init_daemon_domain.
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)

# File types owned by the daemon: config, init script, lock, tmp, tmpfs, pid.
type ftpd_etc_t;
files_config_file(ftpd_etc_t)

type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)

type ftpd_lock_t;
files_lock_file(ftpd_lock_t)

type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)

type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)

type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)

# Control utility domain, its entry point and its own tmp type.
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t, ftpdctl_exec_t)

type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

# Domain for internal-sftp sessions that are not anonymous.
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;

# Transfer log type.
type xferlog_t;
logging_log_file(xferlog_t)

# Ranged variants of the daemon domain declaration for MCS and MLS builds.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
')

########################################
#
# anon-sftp local policy
#
# By default the anonymous domain only reads /etc files and public
# content; managing public content is gated on sftpd_anon_write.
#

files_read_etc_files(anon_sftpd_t)

miscfiles_read_public_files(anon_sftpd_t)

tunable_policy(`sftpd_anon_write',`
	miscfiles_manage_public_files(anon_sftpd_t)
')

########################################
#
# ftpd local policy
#

# Permissions of the daemon on itself.
# NOTE(review): sys_admin is a very broad capability for a network-facing
# daemon; confirm which supported ftp server still needs it.
allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;

# Configuration is read-only for the daemon.
allow ftpd_t ftpd_etc_t:file read_file_perms;

# Lock files, with a type transition so new ones get ftpd_lock_t.
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)

# Private tmp content.
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)

# Private tmpfs content, all object classes listed in the transition below.
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# Runtime (pid) directory content, including the control socket.
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })

# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)

# Kernel and device state the daemon reads.
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
kernel_search_network_state(ftpd_t)

dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)

corecmd_exec_bin(ftpd_t)

# Network access.
# NOTE(review): besides the ftp and ftp-data ports, the daemon may bind
# generic and all unreserved tcp ports and connect to all tcp ports.
# Presumably this serves passive and active data connections; confirm,
# because it leaves outbound tcp from ftpd_t unrestricted by port type.
corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
corenet_tcp_sendrecv_generic_node(ftpd_t)
corenet_udp_sendrecv_generic_node(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
# Bind attempts on other ports are denied without an audit record.
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)

domain_use_interactive_fds(ftpd_t)

files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)

fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)

# Authentication and login accounting.
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
# kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)

init_rw_utmp(ftpd_t)

# Audit, syslog and loginuid.
logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)

miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

seutil_dontaudit_search_config(ftpd_t)

sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)

# Without ftp_home_dir, searches of user home directories are denied
# without an audit record.
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)

# Anonymous upload: manage content labeled as public files.
tunable_policy(`allow_ftpd_anon_write',`
	miscfiles_manage_public_files(ftpd_t)
')

# CIFS: read-only unless anonymous write is enabled as well.
tunable_policy(`allow_ftpd_use_cifs',`
	fs_read_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
	fs_manage_cifs_files(ftpd_t)
')

# NFS: read-only unless anonymous write is enabled as well.
tunable_policy(`allow_ftpd_use_nfs',`
	fs_read_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
	fs_manage_nfs_files(ftpd_t)
')

# Full access: adds the DAC override capabilities and calls
# auth_manage_all_files_except_shadow for the daemon.
tunable_policy(`allow_ftpd_full_access',`
	allow ftpd_t self:capability { dac_override dac_read_search };
	auth_manage_all_files_except_shadow(ftpd_t)
')

# Home directory access. The same DAC override capabilities are granted
# here as under allow_ftpd_full_access.
tunable_policy(`ftp_home_dir',`
	allow ftpd_t self:capability { dac_override dac_read_search };

	# allow access to /home
	files_list_home(ftpd_t)
	userdom_read_user_home_content_files(ftpd_t)
	userdom_manage_user_home_content(ftpd_t)
	userdom_manage_user_tmp_files(ftpd_t)
	userdom_tmp_filetrans_user_tmp(ftpd_t, file)
',`
	# Needed for permissive mode, to make sure everything gets labeled correctly
	userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
	files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')

# Home directories on network file systems.
# NOTE(review): only files and symlinks are covered for ftpd_t, while the
# sftpd section of this module also manages directories and symlinks on
# nfs and cifs homes; confirm the difference is intended.
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
	fs_manage_nfs_files(ftpd_t)
	fs_read_nfs_symlinks(ftpd_t)
')

tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
	fs_manage_cifs_files(ftpd_t)
	fs_read_cifs_symlinks(ftpd_t)
')

# Optional integrations: each block only applies when the module that
# provides the called interfaces is part of the policy build.

optional_policy(`
	tunable_policy(`ftp_home_dir',`
		apache_search_sys_content(ftpd_t)
	')
')

# cron integration: shell execution and /usr reads are granted to ftpd_t
# only when the cron interface is available.
optional_policy(`
	corecmd_exec_shell(ftpd_t)

	files_read_usr_files(ftpd_t)

	cron_system_entry(ftpd_t, ftpd_exec_t)

	optional_policy(`
		logrotate_exec(ftpd_t)
	')
')

optional_policy(`
	daemontools_service_domain(ftpd_t, ftpd_exec_t)
')

# Kerberos support.
optional_policy(`
	selinux_validate_context(ftpd_t)

	kerberos_keytab_template(ftpd, ftpd_t)
	kerberos_manage_host_rcache(ftpd_t)
')

# Database access is gated on ftpd_connect_db: local stream connections
# per database module, tcp connections to both database ports.
optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		mysql_stream_connect(ftpd_t)
	')
')

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		postgresql_stream_connect(ftpd_t)
	')
')

tunable_policy(`ftpd_connect_db',`
	corenet_tcp_connect_mysqld_port(ftpd_t)
	corenet_tcp_connect_postgresql_port(ftpd_t)
')

# NOTE(review): tcpd_domtrans is called with tcpd_t, a type this module
# does not declare, rather than with a domain of this module; confirm the
# argument is intended.
optional_policy(`
	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)

	optional_policy(`
		tcpd_domtrans(tcpd_t)
	')
')

optional_policy(`
	dbus_system_bus_client(ftpd_t)

	optional_policy(`
		oddjob_dbus_chat(ftpd_t)
		oddjob_domtrans_mkhomedir(ftpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(ftpd_t)
')

optional_policy(`
	udev_read_db(ftpd_t)
')

########################################
#
# ftpdctl local policy
#

# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)

# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above).
# The type transition labels that socket ftpdctl_tmp_t, the type the
# ftpd_t rules are allowed to getattr and unlink.
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

userdom_use_user_terminals(ftpdctl_t)

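########################################
#
# sftpd local policy
#
# Every rule in this section targets sftpd_t. Default access is read-only
# on user home content; write access is gated on the sftpd booleans.
#
files_read_etc_files(sftpd_t)

# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
userdom_dontaudit_list_admin_dir(sftpd_t)

# Full access: adds the DAC override capabilities and calls
# auth_manage_all_files_except_shadow. Stated once in this section.
tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	auth_manage_all_files_except_shadow(sftpd_t)
')

tunable_policy(`sftpd_write_ssh_home',`
	ssh_manage_home_files(sftpd_t)
')

tunable_policy(`sftpd_enable_homedirs',`
	allow sftpd_t self:capability { dac_override dac_read_search };

	# allow access to /home
	files_list_home(sftpd_t)
	userdom_read_user_home_content_files(sftpd_t)
	userdom_manage_user_home_content(sftpd_t)
',`
	# Needed for permissive mode, to make sure everything gets labeled correctly
	userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')

# Writable home directories on network file systems.
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
	fs_manage_nfs_dirs(sftpd_t)
	fs_manage_nfs_files(sftpd_t)
	fs_manage_nfs_symlinks(sftpd_t)
')

tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
	fs_manage_cifs_dirs(sftpd_t)
	fs_manage_cifs_files(sftpd_t)
	fs_manage_cifs_symlinks(sftpd_t)
')

# Read-only defaults for home directories on network file systems.
tunable_policy(`use_samba_home_dirs',`
	# allow read access to /home by default
	fs_list_cifs(sftpd_t)
	fs_read_cifs_files(sftpd_t)
	fs_read_cifs_symlinks(sftpd_t)
')

tunable_policy(`use_nfs_home_dirs',`
	# allow read access to /home by default
	fs_list_nfs(sftpd_t)
	fs_read_nfs_files(sftpd_t)
	# The symlink grant belongs to sftpd_t like the two rules above and the
	# cifs block. Naming ftpd_t here would leave sftpd_t without it and give
	# the ftp daemon nfs symlink reads outside its own booleans.
	fs_read_nfs_symlinks(sftpd_t)
')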