add ftpdctl from paul howarth
This commit is contained in:
parent
371097ef6f
commit
75fbbb0b48
@ -1,3 +1,4 @@
|
||||
- Add ftpdctl domain to ftp, from Paul Howarth.
|
||||
- Fix build system to not move type declarations out of optionals.
|
||||
- Add gcc-config domain to portage.
|
||||
- Add packet object class and support in corenetwork.
|
||||
|
@ -7,6 +7,8 @@
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
|
||||
|
||||
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
|
||||
/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
|
@ -109,3 +109,26 @@ interface(`ftp_read_log',`
|
||||
logging_search_logs($1)
|
||||
allow $1 xferlog_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the ftpdctl program in the ftpdctl domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ftp_domtrans_ftpdctl',`
|
||||
gen_require(`
|
||||
type ftpdctl_t, ftpdctl_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)
|
||||
|
||||
allow ftpdctl_t $1:fd use;
|
||||
allow ftpdctl_t $1:fifo_file rw_file_perms;
|
||||
allow ftpdctl_t $1:process sigchld;
|
||||
')
|
||||
|
@ -26,12 +26,19 @@ files_tmpfs_file(ftpd_tmpfs_t)
|
||||
type ftpd_var_run_t;
|
||||
files_pid_file(ftpd_var_run_t)
|
||||
|
||||
type ftpdctl_t;
|
||||
type ftpdctl_exec_t;
|
||||
init_system_domain(ftpdctl_t,ftpdctl_exec_t)
|
||||
|
||||
type ftpdctl_tmp_t;
|
||||
files_tmp_file(ftpdctl_tmp_t)
|
||||
|
||||
type xferlog_t;
|
||||
logging_log_file(xferlog_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
# ftpd local policy
|
||||
#
|
||||
|
||||
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
|
||||
@ -40,7 +47,7 @@ allow ftpd_t self:process signal_perms;
|
||||
allow ftpd_t self:process { getcap setcap setsched setrlimit };
|
||||
allow ftpd_t self:fifo_file rw_file_perms;
|
||||
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow ftpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -62,6 +69,12 @@ allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
|
||||
allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;
|
||||
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
|
||||
|
||||
# proftpd requires the client side to bind a socket so that
|
||||
# it can stat the socket to perform access control decisions,
|
||||
# since getsockopt with SO_PEERCRED is not available on all
|
||||
# proftpd-supported OSs
|
||||
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
allow ftpd_t xferlog_t:dir search_dir_perms;
|
||||
allow ftpd_t xferlog_t:file create_file_perms;
|
||||
@ -234,3 +247,28 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ftpd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# ftpdctl local policy
|
||||
#
|
||||
|
||||
# Allow ftpdctl to talk to ftpd over a socket connection
|
||||
allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
|
||||
allow ftpdctl_t ftpd_var_run_t:dir search;
|
||||
allow ftpdctl_t ftpd_var_run_t:sock_file write;
|
||||
|
||||
# ftpdctl creates a socket so that the daemon can perform
|
||||
# access control decisions (see comments in ftpd_t rules above)
|
||||
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
|
||||
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
|
||||
|
||||
# Allow ftpdctl to read config files
|
||||
files_read_etc_files(ftpdctl_t)
|
||||
|
||||
libs_use_ld_so(ftpdctl_t)
|
||||
libs_use_shared_libs(ftpdctl_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_generic_ptys(ftpdctl_t)
|
||||
')
|
||||
|
@ -105,6 +105,10 @@ ifdef(`targeted_policy',`
|
||||
firstboot_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ftp_domtrans_ftpdctl(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
inn_domtrans(unconfined_t)
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user