FTP patch from Dan Walsh.
This commit is contained in:
parent
d7ebbd9d22
commit
a53c6c65a4
@ -22,7 +22,7 @@
|
|||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
#
|
#
|
||||||
/var/run/proftpd(/.*)? gen_context(system_u:object_r:ftpd_var_run_t,s0)
|
/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
|
||||||
|
|
||||||
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
|
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
|
||||||
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
|
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
|
||||||
|
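Review bot: The replacement file-context line `/var/run/proftpd.*` widens the match from the proftpd directory and its contents (`/var/run/proftpd(/.*)?`) to every entry under /var/run whose name merely begins with `proftpd`, and neither the hunk nor the commit message says why. If the intent is to label proftpd's dotted run files next to the directory, a comment would keep a later cleanup from tightening it back, e.g. `# proftpd also creates /var/run/proftpd.<suffix> files beside the /var/run/proftpd directory — confirm against the proftpd build in use`. A narrower alternative that covers the same files without catching unrelated names would be to keep the original directory pattern and add `/var/run/proftpd\..* gen_context(system_u:object_r:ftpd_var_run_t,s0)` as a second line.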
@ -1,5 +1,23 @@
|
|||||||
## <summary>File transfer protocol service</summary>
|
## <summary>File transfer protocol service</summary>
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Allow domain dyntransition to sftpd_anon domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`ftp_dyntrans_anon_sftpd',`
|
||||||
|
gen_require(`
|
||||||
|
type anon_sftpd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dyntrans_pattern($1, anon_sftpd_t);
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Use ftp by connecting over TCP. (Deprecated)
|
## Use ftp by connecting over TCP. (Deprecated)
|
||||||
@ -115,6 +133,24 @@ interface(`ftp_run_ftpdctl',`
|
|||||||
role $2 types ftpdctl_t;
|
role $2 types ftpdctl_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Allow domain dyntransition to sftpd domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`ftp_dyntrans_sftpd',`
|
||||||
|
gen_require(`
|
||||||
|
type sftpd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dyntrans_pattern($1, sftpd_t);
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## All of the rules required to administrate
|
## All of the rules required to administrate
|
||||||
|
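Review bot: The new interfaces `ftp_dyntrans_anon_sftpd` and `ftp_dyntrans_sftpd` document only "Allow domain dyntransition", but through `dyntrans_pattern` each also grants the caller `self:process setcurrent`, which is a domain-wide permission rather than one scoped to the named target, so a caller that receives it can exercise any other `dyntransition` rule it holds. A sentence in each `## <summary>` such as `## The calling domain is also granted process setcurrent on itself; a dynamic transition passes through no entrypoint file, so the target domain's rules must stand on their own.` would give policy authors that context. The two interfaces are also inserted at different points in the file (one ahead of the deprecated `ftp_tcp_connect`, one after `ftp_run_ftpdctl`); placing them adjacent would make the pair easier to find and compare.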
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(ftp, 1.11.0)
|
policy_module(ftp, 1.11.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -46,6 +46,36 @@ gen_tunable(allow_ftpd_use_nfs, false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(ftp_home_dir, false)
|
gen_tunable(ftp_home_dir, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow anon internal-sftp to upload files, used for
|
||||||
|
## public file transfer services. Directories must be labeled
|
||||||
|
## public_content_rw_t.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(sftpd_anon_write, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow sftp-internal to read and write files
|
||||||
|
## in the user home directories
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(sftpd_enable_homedirs, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow sftp-internal to login to local users and
|
||||||
|
## read/write all files on the system, governed by DAC.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(sftpd_full_access, false)
|
||||||
|
|
||||||
|
type anon_sftpd_t;
|
||||||
|
typealias anon_sftpd_t alias sftpd_anon_t;
|
||||||
|
domain_type(anon_sftpd_t)
|
||||||
|
role system_r types anon_sftpd_t;
|
||||||
|
|
||||||
type ftpd_t;
|
type ftpd_t;
|
||||||
type ftpd_exec_t;
|
type ftpd_exec_t;
|
||||||
init_daemon_domain(ftpd_t, ftpd_exec_t)
|
init_daemon_domain(ftpd_t, ftpd_exec_t)
|
||||||
@ -75,9 +105,30 @@ init_system_domain(ftpdctl_t, ftpdctl_exec_t)
|
|||||||
type ftpdctl_tmp_t;
|
type ftpdctl_tmp_t;
|
||||||
files_tmp_file(ftpdctl_tmp_t)
|
files_tmp_file(ftpdctl_tmp_t)
|
||||||
|
|
||||||
|
type sftpd_t;
|
||||||
|
domain_type(sftpd_t)
|
||||||
|
role system_r types sftpd_t;
|
||||||
|
|
||||||
type xferlog_t;
|
type xferlog_t;
|
||||||
logging_log_file(xferlog_t)
|
logging_log_file(xferlog_t)
|
||||||
|
|
||||||
|
ifdef(`enable_mcs',`
|
||||||
|
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# anon-sftp local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
files_read_etc_files(anon_sftpd_t)
|
||||||
|
|
||||||
|
miscfiles_read_public_files(anon_sftpd_t)
|
||||||
|
|
||||||
|
tunable_policy(`sftpd_anon_write',`
|
||||||
|
miscfiles_manage_public_files(anon_sftpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# ftpd local policy
|
# ftpd local policy
|
||||||
@ -85,13 +136,14 @@ logging_log_file(xferlog_t)
|
|||||||
|
|
||||||
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
|
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
|
||||||
dontaudit ftpd_t self:capability sys_tty_config;
|
dontaudit ftpd_t self:capability sys_tty_config;
|
||||||
allow ftpd_t self:process signal_perms;
|
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
||||||
allow ftpd_t self:process { getcap setcap setsched setrlimit };
|
|
||||||
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||||
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow ftpd_t self:udp_socket create_socket_perms;
|
allow ftpd_t self:udp_socket create_socket_perms;
|
||||||
|
allow ftpd_t self:shm create_shm_perms;
|
||||||
|
allow ftpd_t self:key manage_key_perms;
|
||||||
|
|
||||||
allow ftpd_t ftpd_etc_t:file read_file_perms;
|
allow ftpd_t ftpd_etc_t:file read_file_perms;
|
||||||
|
|
||||||
@ -121,8 +173,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
|
|||||||
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
|
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
|
||||||
|
|
||||||
# Create and modify /var/log/xferlog.
|
# Create and modify /var/log/xferlog.
|
||||||
allow ftpd_t xferlog_t:dir search_dir_perms;
|
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
||||||
allow ftpd_t xferlog_t:file manage_file_perms;
|
|
||||||
logging_log_filetrans(ftpd_t, xferlog_t, file)
|
logging_log_filetrans(ftpd_t, xferlog_t, file)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(ftpd_t)
|
kernel_read_kernel_sysctls(ftpd_t)
|
||||||
@ -160,6 +211,7 @@ files_search_var_lib(ftpd_t)
|
|||||||
|
|
||||||
fs_search_auto_mountpoints(ftpd_t)
|
fs_search_auto_mountpoints(ftpd_t)
|
||||||
fs_getattr_all_fs(ftpd_t)
|
fs_getattr_all_fs(ftpd_t)
|
||||||
|
fs_search_fusefs(ftpd_t)
|
||||||
|
|
||||||
auth_use_nsswitch(ftpd_t)
|
auth_use_nsswitch(ftpd_t)
|
||||||
auth_domtrans_chk_passwd(ftpd_t)
|
auth_domtrans_chk_passwd(ftpd_t)
|
||||||
@ -258,7 +310,10 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_read_keytab(ftpd_t)
|
selinux_validate_context(ftpd_t)
|
||||||
|
|
||||||
|
kerberos_keytab_template(ftpd, ftpd_t)
|
||||||
|
kerberos_manage_host_rcache(ftpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -269,6 +324,15 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
dbus_system_bus_client(ftpd_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
oddjob_dbus_chat(ftpd_t)
|
||||||
|
oddjob_domtrans_mkhomedir(ftpd_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(ftpd_t)
|
seutil_sigchld_newrole(ftpd_t)
|
||||||
')
|
')
|
||||||
@ -294,3 +358,56 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
|
|||||||
files_read_etc_files(ftpdctl_t)
|
files_read_etc_files(ftpdctl_t)
|
||||||
|
|
||||||
userdom_use_user_terminals(ftpdctl_t)
|
userdom_use_user_terminals(ftpdctl_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# sftpd local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
files_read_etc_files(sftpd_t)
|
||||||
|
|
||||||
|
# allow read access to /home by default
|
||||||
|
userdom_read_user_home_content_files(sftpd_t)
|
||||||
|
userdom_read_user_home_content_symlinks(sftpd_t)
|
||||||
|
|
||||||
|
tunable_policy(`sftpd_enable_homedirs',`
|
||||||
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
||||||
|
|
||||||
|
# allow access to /home
|
||||||
|
files_list_home(sftpd_t)
|
||||||
|
userdom_manage_user_home_content_files(sftpd_t)
|
||||||
|
userdom_manage_user_home_content_dirs(sftpd_t)
|
||||||
|
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
|
fs_manage_nfs_dirs(sftpd_t)
|
||||||
|
fs_manage_nfs_files(sftpd_t)
|
||||||
|
fs_manage_nfs_symlinks(sftpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
|
fs_manage_cifs_dirs(sftpd_t)
|
||||||
|
fs_manage_cifs_files(sftpd_t)
|
||||||
|
fs_manage_cifs_symlinks(sftpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`sftpd_full_access',`
|
||||||
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
||||||
|
fs_read_noxattr_fs_files(sftpd_t)
|
||||||
|
auth_manage_all_files_except_shadow(sftpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
|
# allow read access to /home by default
|
||||||
|
fs_list_cifs(sftpd_t)
|
||||||
|
fs_read_cifs_files(sftpd_t)
|
||||||
|
fs_read_cifs_symlinks(sftpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
# allow read access to /home by default
|
||||||
|
fs_list_nfs(sftpd_t)
|
||||||
|
fs_read_nfs_files(sftpd_t)
|
||||||
|
fs_read_nfs_symlinks(ftpd_t)
|
||||||
|
')
|
||||||
|
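Review bot: In the `use_nfs_home_dirs` block of the new sftpd local policy, `fs_read_nfs_symlinks(ftpd_t)` names the wrong domain: the two lines above it and the parallel `use_samba_home_dirs` block all target `sftpd_t`, so this reads as a copy-paste slip that leaves sftpd_t unable to follow NFS symlinks while handing the permission to ftpd_t instead. Change it to `fs_read_nfs_symlinks(sftpd_t)`. Separately, in the `@ -258,7 +310,10 @@` hunk, `selinux_validate_context(ftpd_t)` now sits inside the `optional_policy` block that holds the kerberos calls; if that block is conditional on the kerberos module, the validate_context rule silently disappears whenever kerberos is absent, so it belongs outside the block unless that coupling is intended.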
@ -38,6 +38,15 @@ define(`domtrans_pattern',`
|
|||||||
allow $3 $1:process sigchld;
|
allow $3 $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Dynamic transition pattern
|
||||||
|
#
|
||||||
|
define(`dyntrans_pattern',`
|
||||||
|
allow $1 self:process setcurrent;
|
||||||
|
allow $1 $2:process dyntransition;
|
||||||
|
allow $2 $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
# Other process permissions
|
# Other process permissions
|
||||||
#
|
#
|
||||||
|
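Review bot: `dyntrans_pattern` carries only the header `# Dynamic transition pattern`, while its first rule, `allow $1 self:process setcurrent;`, is not scoped to `$2`: once a domain holds setcurrent, every `dyntransition` rule it has becomes usable, and no entrypoint file gates the transition the way `domtrans_pattern` presumably does (its full body lies outside the hunk). A header above the define would make that asymmetry visible to policy authors, e.g. `# $1 gains setcurrent on itself (domain-wide, not per target); there is no entrypoint/execute check as in domtrans_pattern, so use only for domains that genuinely call setcon()`. The `sigchld` rule correctly mirrors the `domtrans_pattern` line shown at the top of the hunk.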