1 policy_module(ftp, 1.12.0)
3 ########################################
# Tunables. Every boolean below defaults to off. The ones that widen write
# access (anon_write, full_access, the home-directory booleans) are the
# ones to check first when auditing a host's enabled booleans.
10 ## Allow ftp servers to upload files, used for public file
11 ## transfer services. Directories must be labeled
12 ## public_content_rw_t.
15 gen_tunable(allow_ftpd_anon_write, false)
19 ## Allow ftp servers to login to local users and
20 ## read/write all files on the system, governed by DAC.
23 gen_tunable(allow_ftpd_full_access, false)
27 ## Allow ftp servers to use cifs
28 ## used for public file transfer services.
31 gen_tunable(allow_ftpd_use_cifs, false)
35 ## Allow ftp servers to use nfs
36 ## used for public file transfer services.
39 gen_tunable(allow_ftpd_use_nfs, false)
# This boolean also gates the postgresql connect rules in the ftpd section,
# not only mysql.
43 ## Allow ftp servers to connect to mysql and postgresql databases
46 gen_tunable(ftpd_connect_db, false)
50 ## Allow ftp to read and write files in the user home directories
53 gen_tunable(ftp_home_dir, false)
57 ## Allow anon internal-sftp to upload files, used for
58 ## public file transfer services. Directories must be labeled
59 ## public_content_rw_t.
62 gen_tunable(sftpd_anon_write, false)
66 ## Allow sftp-internal to read and write files
67 ## in the user home directories
70 gen_tunable(sftpd_enable_homedirs, false)
74 ## Allow sftp-internal to login to local users and
75 ## read/write all files on the system, governed by DAC.
78 gen_tunable(sftpd_full_access, false)
82 ## Allow internal-sftp to read and write files
83 ## in the user ssh home directories.
86 gen_tunable(sftpd_write_ssh_home, false)
# Type and domain declarations.
# anon_sftpd_t keeps its old name (sftpd_anon_t) as an alias so existing
# file contexts and booleans referring to it keep working.
89 typealias anon_sftpd_t alias sftpd_anon_t;
90 domain_type(anon_sftpd_t)
91 role system_r types anon_sftpd_t;
# ftpd_t: the daemon domain, entered from ftpd_exec_t via init.
95 init_daemon_domain(ftpd_t, ftpd_exec_t)
98 files_config_file(ftpd_etc_t)
100 type ftpd_initrc_exec_t;
101 init_script_file(ftpd_initrc_exec_t)
104 files_lock_file(ftpd_lock_t)
107 files_tmp_file(ftpd_tmp_t)
110 files_tmpfs_file(ftpd_tmpfs_t)
113 files_pid_file(ftpd_var_run_t)
# ftpdctl_t: control-client domain; its rules are in the ftpdctl section below.
117 init_system_domain(ftpdctl_t, ftpdctl_exec_t)
120 files_tmp_file(ftpdctl_tmp_t)
124 role system_r types sftpd_t;
# xferlog_t: the transfer log written by ftpd_t (see the xferlog rules below).
127 logging_log_file(xferlog_t)
# NOTE(review): two ranged-domain declarations for ftpd_t (MCS and MLS
# high ranges) — presumably each sits inside an enable_mcs / enable_mls
# ifdef that this listing omits; confirm against the full file.
130 init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
134 init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
137 ########################################
139 # anon-sftp local policy
# The anonymous sftp domain is read-only by default: /etc and public
# content. Write access to public content is gated on sftpd_anon_write.
142 files_read_etc_files(anon_sftpd_t)
144 miscfiles_read_public_files(anon_sftpd_t)
146 tunable_policy(`sftpd_anon_write',`
147 miscfiles_manage_public_files(anon_sftpd_t)
150 ########################################
# ftpd local policy
#
# NOTE(review): sys_chroot is expected for chrooted sessions, but sys_admin
# is a very broad capability; confirm which operation needs it before
# keeping it in this set.
155 allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
156 dontaudit ftpd_t self:capability sys_tty_config;
157 allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
158 allow ftpd_t self:fifo_file rw_fifo_file_perms;
159 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
160 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
161 allow ftpd_t self:tcp_socket create_stream_socket_perms;
162 allow ftpd_t self:udp_socket create_socket_perms;
163 allow ftpd_t self:shm create_shm_perms;
164 allow ftpd_t self:key manage_key_perms;
# Config is read-only for the daemon; it is not allowed to rewrite its own config.
166 allow ftpd_t ftpd_etc_t:file read_file_perms;
168 allow ftpd_t ftpd_lock_t:file manage_file_perms;
169 files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
171 manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
172 manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
174 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
175 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
176 manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
177 manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
178 manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
179 fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
181 manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
182 manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
183 manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
184 files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
186 # proftpd requires the client side to bind a socket so that
187 # it can stat the socket to perform access control decisions,
188 # since getsockopt with SO_PEERCRED is not available on all
189 # proftpd-supported OSs
# Only getattr and unlink on the client's socket: the daemon never creates it.
190 allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
192 # Create and modify /var/log/xferlog.
193 manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
194 logging_log_filetrans(ftpd_t, xferlog_t, file)
196 kernel_read_kernel_sysctls(ftpd_t)
197 kernel_read_system_state(ftpd_t)
198 kernel_search_network_state(ftpd_t)
200 dev_read_sysfs(ftpd_t)
201 dev_read_urand(ftpd_t)
203 corecmd_exec_bin(ftpd_t)
205 corenet_all_recvfrom_unlabeled(ftpd_t)
206 corenet_all_recvfrom_netlabel(ftpd_t)
207 corenet_tcp_sendrecv_generic_if(ftpd_t)
208 corenet_udp_sendrecv_generic_if(ftpd_t)
209 corenet_tcp_sendrecv_generic_node(ftpd_t)
210 corenet_udp_sendrecv_generic_node(ftpd_t)
211 corenet_tcp_sendrecv_all_ports(ftpd_t)
212 corenet_udp_sendrecv_all_ports(ftpd_t)
213 corenet_tcp_bind_generic_node(ftpd_t)
# Control and data ports, plus any unreserved port (passive-mode data
# channels) and outbound connects to any port (active-mode data channels
# go to a client-chosen port). Binding to other reserved ports is only
# dontaudited, not allowed.
214 corenet_tcp_bind_ftp_port(ftpd_t)
215 corenet_tcp_bind_ftp_data_port(ftpd_t)
216 corenet_tcp_bind_generic_port(ftpd_t)
217 corenet_tcp_bind_all_unreserved_ports(ftpd_t)
218 corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
219 corenet_tcp_connect_all_ports(ftpd_t)
220 corenet_sendrecv_ftp_server_packets(ftpd_t)
222 domain_use_interactive_fds(ftpd_t)
224 files_search_etc(ftpd_t)
225 files_read_etc_files(ftpd_t)
226 files_read_etc_runtime_files(ftpd_t)
227 files_search_var_lib(ftpd_t)
229 fs_search_auto_mountpoints(ftpd_t)
230 fs_getattr_all_fs(ftpd_t)
231 fs_search_fusefs(ftpd_t)
# Authentication goes through the chkpwd helper domain rather than
# letting ftpd_t read shadow itself.
233 auth_use_nsswitch(ftpd_t)
234 auth_domtrans_chk_passwd(ftpd_t)
235 # Append to /var/log/wtmp.
236 auth_append_login_records(ftpd_t)
237 # kerberized ftp requires the following
238 auth_write_login_records(ftpd_t)
239 auth_rw_faillog(ftpd_t)
243 logging_send_audit_msgs(ftpd_t)
244 logging_send_syslog_msg(ftpd_t)
245 logging_set_loginuid(ftpd_t)
247 miscfiles_read_localization(ftpd_t)
248 miscfiles_read_public_files(ftpd_t)
250 seutil_dontaudit_search_config(ftpd_t)
252 sysnet_read_config(ftpd_t)
253 sysnet_use_ldap(ftpd_t)
255 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
256 userdom_dontaudit_search_user_home_dirs(ftpd_t)
258 tunable_policy(`allow_ftpd_anon_write',`
259 miscfiles_manage_public_files(ftpd_t)
262 tunable_policy(`allow_ftpd_use_cifs',`
263 fs_read_cifs_files(ftpd_t)
264 fs_read_cifs_symlinks(ftpd_t)
# Writes to CIFS/NFS require both the filesystem boolean and anon_write.
267 tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
268 fs_manage_cifs_files(ftpd_t)
271 tunable_policy(`allow_ftpd_use_nfs',`
272 fs_read_nfs_files(ftpd_t)
273 fs_read_nfs_symlinks(ftpd_t)
276 tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
277 fs_manage_nfs_files(ftpd_t)
# The widest grant in this module: DAC bypass plus manage on nearly every
# file type (shadow excluded). Only DAC on the files still limits it.
280 tunable_policy(`allow_ftpd_full_access',`
281 allow ftpd_t self:capability { dac_override dac_read_search };
282 auth_manage_all_files_except_shadow(ftpd_t)
# Note that ftp_home_dir also grants DAC override, not only the home
# directory types — relevant when enabling it for home access alone.
285 tunable_policy(`ftp_home_dir',`
286 allow ftpd_t self:capability { dac_override dac_read_search };
288 # allow access to /home
289 files_list_home(ftpd_t)
290 userdom_read_user_home_content_files(ftpd_t)
291 userdom_manage_user_home_content(ftpd_t)
292 userdom_manage_user_tmp_files(ftpd_t)
293 userdom_tmp_filetrans_user_tmp(ftpd_t, file)
295 # Needed for permissive mode, to make sure everything gets labeled correctly
296 userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
297 files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
300 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
301 fs_manage_nfs_files(ftpd_t)
302 fs_read_nfs_symlinks(ftpd_t)
305 tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
306 fs_manage_cifs_files(ftpd_t)
307 fs_read_cifs_symlinks(ftpd_t)
311 tunable_policy(`ftp_home_dir',`
312 apache_search_sys_content(ftpd_t)
317 corecmd_exec_shell(ftpd_t)
319 files_read_usr_files(ftpd_t)
321 cron_system_entry(ftpd_t, ftpd_exec_t)
324 logrotate_exec(ftpd_t)
329 daemontools_service_domain(ftpd_t, ftpd_exec_t)
333 selinux_validate_context(ftpd_t)
335 kerberos_keytab_template(ftpd, ftpd_t)
336 kerberos_manage_host_rcache(ftpd_t)
# NOTE(review): three ftpd_connect_db blocks in a row — presumably each
# sits inside an optional_policy for mysql / postgresql that this listing
# omits; confirm against the full file.
340 tunable_policy(`ftpd_connect_db',`
341 mysql_stream_connect(ftpd_t)
346 tunable_policy(`ftpd_connect_db',`
347 postgresql_stream_connect(ftpd_t)
351 tunable_policy(`ftpd_connect_db',`
352 corenet_tcp_connect_mysqld_port(ftpd_t)
353 corenet_tcp_connect_postgresql_port(ftpd_t)
357 inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
# NOTE(review): tcpd_domtrans takes the source domain as its argument;
# passing tcpd_t here looks like a self-transition — confirm whether the
# intended source is ftpd_t.
360 tcpd_domtrans(tcpd_t)
365 dbus_system_bus_client(ftpd_t)
368 oddjob_dbus_chat(ftpd_t)
369 oddjob_domtrans_mkhomedir(ftpd_t)
374 seutil_sigchld_newrole(ftpd_t)
381 ########################################
383 # ftpdctl local policy
# ftpdctl_t is deliberately narrow: it talks to the daemon over its
# runtime socket, creates its own socket file in /tmp, reads /etc and
# uses the invoking user's terminal. Nothing else is granted here.
386 # Allow ftpdctl to talk to ftpd over a socket connection
387 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
389 # ftpdctl creates a socket so that the daemon can perform
390 # access control decisions (see comments in ftpd_t rules above)
391 allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
392 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
394 # Allow ftpdctl to read config files
395 files_read_etc_files(ftpdctl_t)
397 userdom_use_user_terminals(ftpdctl_t)
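399 ########################################
# sftpd local policy
#
# Default access for sftpd_t is read-only on /etc and user home content;
# every write path below is gated on a boolean.
403 files_read_etc_files(sftpd_t)
405 # allow read access to /home by default
406 userdom_read_user_home_content_files(sftpd_t)
407 userdom_read_user_home_content_symlinks(sftpd_t)
408 userdom_dontaudit_list_admin_dir(sftpd_t)
# NOTE(review): this sftpd_full_access block is repeated verbatim further
# down (the second copy starts at the second `sftpd_full_access` tunable);
# duplicate rules are harmless in the compiled policy, but one copy should go.
410 tunable_policy(`sftpd_full_access',`
411 allow sftpd_t self:capability { dac_override dac_read_search };
412 fs_read_noxattr_fs_files(sftpd_t)
413 auth_manage_all_files_except_shadow(sftpd_t)
416 tunable_policy(`sftpd_write_ssh_home',`
417 ssh_manage_home_files(sftpd_t)
# sftpd_enable_homedirs also grants DAC override, not only the home
# directory types — relevant when enabling it for home access alone.
420 tunable_policy(`sftpd_enable_homedirs',`
421 allow sftpd_t self:capability { dac_override dac_read_search };
423 # allow access to /home
424 files_list_home(sftpd_t)
425 userdom_read_user_home_content_files(sftpd_t)
426 userdom_manage_user_home_content(sftpd_t)
428 # Needed for permissive mode, to make sure everything gets labeled correctly
429 userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
432 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
433 fs_manage_nfs_dirs(sftpd_t)
434 fs_manage_nfs_files(sftpd_t)
435 fs_manage_nfs_symlinks(sftpd_t)
438 tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
439 fs_manage_cifs_dirs(sftpd_t)
440 fs_manage_cifs_files(sftpd_t)
441 fs_manage_cifs_symlinks(sftpd_t)
444 tunable_policy(`sftpd_full_access',`
445 allow sftpd_t self:capability { dac_override dac_read_search };
446 fs_read_noxattr_fs_files(sftpd_t)
447 auth_manage_all_files_except_shadow(sftpd_t)
# Read-only access to CIFS/NFS homes depends only on the system-wide
# use_*_home_dirs booleans, not on sftpd_enable_homedirs.
450 tunable_policy(`use_samba_home_dirs',`
451 # allow read access to /home by default
452 fs_list_cifs(sftpd_t)
453 fs_read_cifs_files(sftpd_t)
454 fs_read_cifs_symlinks(sftpd_t)
457 tunable_policy(`use_nfs_home_dirs',`
458 # allow read access to /home by default
460 fs_read_nfs_files(sftpd_t)
# Fixed: this rule named ftpd_t instead of sftpd_t, so sftpd could not
# follow symlinks in NFS home directories while ftpd picked up the grant.
461 fs_read_nfs_symlinks(sftpd_t)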