FTP patch from Dan Walsh.

This commit is contained in:
Chris PeBenito 2010-04-26 15:15:23 -04:00
parent d7ebbd9d22
commit a53c6c65a4
4 changed files with 171 additions and 9 deletions


@ -22,7 +22,7 @@
# #
# /var # /var
# #
/var/run/proftpd(/.*)? gen_context(system_u:object_r:ftpd_var_run_t,s0) /var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
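Review bot: The new pattern `/var/run/proftpd.*` on the changed line is wider than the old `/var/run/proftpd(/.*)?`: it still covers the directory and everything under it, but it now also labels any sibling entry in /var/run whose name merely starts with `proftpd`, presumably to reach files such as a `proftpd.sock`-style socket that live directly in /var/run. If the dot-suffixed files are the only extra target, `/var/run/proftpd(\..*|/.*)?` keeps the old directory match and pins the new one to a `.` separator; if the open-ended suffix is deliberate, a one-line comment naming the proftpd files that sit in /var/run would justify it for the next reader.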


@ -1,5 +1,23 @@
## <summary>File transfer protocol service</summary> ## <summary>File transfer protocol service</summary>
#######################################
## <summary>
## Allow domain dyntransition to sftpd_anon domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_dyntrans_anon_sftpd',`
gen_require(`
type anon_sftpd_t;
')
dyntrans_pattern($1, anon_sftpd_t);
')
######################################## ########################################
## <summary> ## <summary>
## Use ftp by connecting over TCP. (Deprecated) ## Use ftp by connecting over TCP. (Deprecated)
@ -115,6 +133,24 @@ interface(`ftp_run_ftpdctl',`
role $2 types ftpdctl_t; role $2 types ftpdctl_t;
') ')
#######################################
## <summary>
## Allow domain dyntransition to sftpd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_dyntrans_sftpd',`
gen_require(`
type sftpd_t;
')
dyntrans_pattern($1, sftpd_t);
')
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate
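Review bot: Both new interfaces hand the caller `self:process setcurrent` through `dyntrans_pattern`, yet their summaries say only "Allow domain dyntransition to sftpd domain", which hides that a dynamic transition is not an exec: the caller keeps its memory, open descriptors and environment, so only a domain trusted to call setcon() deliberately (sshd is the presumable consumer, though no caller is visible here) should be given these. I would extend each summary with a sentence such as `## This is a dynamic transition: the caller keeps its process state and must be trusted to setcon() itself before serving the session.`. The divider above each new interface is 39 `#` characters where the neighbouring interfaces use 40, and the inserted blocks are not followed by a blank line before the next interface banner. The interfaces surrounding both hunks continue outside this section.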


@ -1,5 +1,5 @@
policy_module(ftp, 1.11.0) policy_module(ftp, 1.11.1)
######################################## ########################################
# #
@ -46,6 +46,36 @@ gen_tunable(allow_ftpd_use_nfs, false)
## </desc> ## </desc>
gen_tunable(ftp_home_dir, false) gen_tunable(ftp_home_dir, false)
## <desc>
## <p>
## Allow anon internal-sftp to upload files, used for
## public file transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)
## <desc>
## <p>
## Allow sftp-internal to read and write files
## in the user home directories
## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)
## <desc>
## <p>
## Allow sftp-internal to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(sftpd_full_access, false)
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
role system_r types anon_sftpd_t;
type ftpd_t; type ftpd_t;
type ftpd_exec_t; type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t) init_daemon_domain(ftpd_t, ftpd_exec_t)
@ -75,9 +105,30 @@ init_system_domain(ftpdctl_t, ftpdctl_exec_t)
type ftpdctl_tmp_t; type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t) files_tmp_file(ftpdctl_tmp_t)
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;
type xferlog_t; type xferlog_t;
logging_log_file(xferlog_t) logging_log_file(xferlog_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
########################################
#
# anon-sftp local policy
#
files_read_etc_files(anon_sftpd_t)
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
miscfiles_manage_public_files(anon_sftpd_t)
')
######################################## ########################################
# #
# ftpd local policy # ftpd local policy
@ -85,13 +136,14 @@ logging_log_file(xferlog_t)
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config; dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_fifo_file_perms; allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms; allow ftpd_t self:udp_socket create_socket_perms;
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms; allow ftpd_t ftpd_etc_t:file read_file_perms;
@ -121,8 +173,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog. # Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:dir search_dir_perms; manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
allow ftpd_t xferlog_t:file manage_file_perms;
logging_log_filetrans(ftpd_t, xferlog_t, file) logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t) kernel_read_kernel_sysctls(ftpd_t)
@ -160,6 +211,7 @@ files_search_var_lib(ftpd_t)
fs_search_auto_mountpoints(ftpd_t) fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t) fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)
auth_use_nsswitch(ftpd_t) auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t) auth_domtrans_chk_passwd(ftpd_t)
@ -258,7 +310,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
kerberos_read_keytab(ftpd_t) selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
kerberos_manage_host_rcache(ftpd_t)
') ')
optional_policy(` optional_policy(`
@ -269,6 +324,15 @@ optional_policy(`
') ')
') ')
optional_policy(`
dbus_system_bus_client(ftpd_t)
optional_policy(`
oddjob_dbus_chat(ftpd_t)
oddjob_domtrans_mkhomedir(ftpd_t)
')
')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(ftpd_t) seutil_sigchld_newrole(ftpd_t)
') ')
@ -294,3 +358,56 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
files_read_etc_files(ftpdctl_t) files_read_etc_files(ftpdctl_t)
userdom_use_user_terminals(ftpdctl_t) userdom_use_user_terminals(ftpdctl_t)
########################################
#
# sftpd local policy
#
files_read_etc_files(sftpd_t)
# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
tunable_policy(`sftpd_enable_homedirs',`
allow sftpd_t self:capability { dac_override dac_read_search };
# allow access to /home
files_list_home(sftpd_t)
userdom_manage_user_home_content_files(sftpd_t)
userdom_manage_user_home_content_dirs(sftpd_t)
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
fs_manage_nfs_dirs(sftpd_t)
fs_manage_nfs_files(sftpd_t)
fs_manage_nfs_symlinks(sftpd_t)
')
tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
fs_manage_cifs_dirs(sftpd_t)
fs_manage_cifs_files(sftpd_t)
fs_manage_cifs_symlinks(sftpd_t)
')
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
auth_manage_all_files_except_shadow(sftpd_t)
')
tunable_policy(`use_samba_home_dirs',`
# allow read access to /home by default
fs_list_cifs(sftpd_t)
fs_read_cifs_files(sftpd_t)
fs_read_cifs_symlinks(sftpd_t)
')
tunable_policy(`use_nfs_home_dirs',`
# allow read access to /home by default
fs_list_nfs(sftpd_t)
fs_read_nfs_files(sftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
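Review bot: `fs_read_nfs_symlinks(ftpd_t)` on the last added line sits inside the `use_nfs_home_dirs` block of the new sftpd local policy but names ftpd_t; the two sibling calls above it and the matching CIFS block all target sftpd_t, so this reads as a typo that leaves sftpd_t unable to follow symlinks in NFS-backed home directories while quietly extending ftpd_t under a tunable unrelated to it — change it to `fs_read_nfs_symlinks(sftpd_t)`. The `sftpd_full_access` tunable is described as "read/write all files on the system, governed by DAC", yet its block grants `dac_override dac_read_search`, which is precisely what lets a process ignore file permissions; either drop those capabilities from that block or reword the description so an administrator understands that a root-owned sftp session is not limited by DAC once the boolean is on. Neither `sftpd_t` nor `anon_sftpd_t` is given an entry point file type, so the `ftp_dyntrans_*` interfaces in this commit appear to be the only way into them; a comment above `type sftpd_t;` stating that would save the next reader a search.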


@ -38,6 +38,15 @@ define(`domtrans_pattern',`
allow $3 $1:process sigchld; allow $3 $1:process sigchld;
') ')
#
# Dynamic transition pattern
#
define(`dyntrans_pattern',`
allow $1 self:process setcurrent;
allow $1 $2:process dyntransition;
allow $2 $1:process sigchld;
')
# #
# Other process permissions # Other process permissions
# #
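Review bot: The new `dyntrans_pattern` carries only the one-line banner `# Dynamic transition pattern` while the rule it emits, `allow $1 self:process setcurrent;`, deserves a warning: setcurrent is granted to $1 as a whole rather than scoped to the transition into $2, and unlike `domtrans_pattern` nothing here ties the transition to an entrypoint file or to exec, so $1 keeps its memory, descriptors and environment when it becomes $2. I would expand the banner to `# Dynamic transition pattern: $1 may setcon() itself into $2 without exec. No entrypoint is enforced and process state survives the transition, so $1 must already be trusted to do this correctly; the self setcurrent also enables any other dyntransition $1 is allowed.`. The trailing `sigchld` line mirrors `domtrans_pattern`, whose define starts before this hunk.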