FTP patch from Dan Walsh.

2010-04-26 15:15:23 -04:00 · 2010-04-26 15:15:23 -04:00 · a53c6c65a4
commit a53c6c65a4
parent d7ebbd9d22
4 changed files with 171 additions and 9 deletions
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@ -22,7 +22,7 @@
 #
 # /var
 #
-/var/run/proftpd(/.*)? 		gen_context(system_u:object_r:ftpd_var_run_t,s0)
+/var/run/proftpd.* 		gen_context(system_u:object_r:ftpd_var_run_t,s0)

 /var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)?		gen_context(system_u:object_r:xferlog_t,s0)
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@ -1,5 +1,23 @@
 ## <summary>File transfer protocol service</summary>

+#######################################
+## <summary>
+##	Allow domain dyntransition to sftpd_anon domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_dyntrans_anon_sftpd',`
+	gen_require(`
+		type anon_sftpd_t;
+	')
+
+	dyntrans_pattern($1, anon_sftpd_t);
+')
+
 ########################################
 ## <summary>
 ##	Use ftp by connecting over TCP.  (Deprecated)
@ -115,6 +133,24 @@ interface(`ftp_run_ftpdctl',`
 	role $2 types ftpdctl_t;
 ')

+#######################################
+## <summary>
+##	Allow domain dyntransition to sftpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_dyntrans_sftpd',`
+	gen_require(`
+		type sftpd_t;
+	')
+
+	dyntrans_pattern($1, sftpd_t);
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@ -1,5 +1,5 @@

-policy_module(ftp, 1.11.0)
+policy_module(ftp, 1.11.1)

 ########################################
 #
@ -46,6 +46,36 @@ gen_tunable(allow_ftpd_use_nfs, false)
 ## </desc>
 gen_tunable(ftp_home_dir, false)

+## <desc>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(sftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
+## </desc>
+gen_tunable(sftpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(sftpd_full_access, false)
+
+type anon_sftpd_t;
+typealias anon_sftpd_t alias sftpd_anon_t;
+domain_type(anon_sftpd_t)
+role system_r types anon_sftpd_t;
+
 type ftpd_t;
 type ftpd_exec_t;
 init_daemon_domain(ftpd_t, ftpd_exec_t)
@ -75,9 +105,30 @@ init_system_domain(ftpdctl_t, ftpdctl_exec_t)
 type ftpdctl_tmp_t;
 files_tmp_file(ftpdctl_tmp_t)

+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
 type xferlog_t;
 logging_log_file(xferlog_t)

+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# anon-sftp local policy
+#
+
+files_read_etc_files(anon_sftpd_t)
+
+miscfiles_read_public_files(anon_sftpd_t)
+
+tunable_policy(`sftpd_anon_write',`
+	miscfiles_manage_public_files(anon_sftpd_t)
+')
+
 ########################################
 #
 # ftpd local policy
@ -85,13 +136,14 @@ logging_log_file(xferlog_t)

 allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit ftpd_t self:capability sys_tty_config;
-allow ftpd_t self:process signal_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
+allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
 allow ftpd_t self:fifo_file rw_fifo_file_perms;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;

 allow ftpd_t ftpd_etc_t:file read_file_perms;

@ -121,8 +173,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
 allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

 # Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file manage_file_perms;
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 logging_log_filetrans(ftpd_t, xferlog_t, file)

 kernel_read_kernel_sysctls(ftpd_t)
@ -160,6 +211,7 @@ files_search_var_lib(ftpd_t)

 fs_search_auto_mountpoints(ftpd_t)
 fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs(ftpd_t)

 auth_use_nsswitch(ftpd_t)
 auth_domtrans_chk_passwd(ftpd_t)
@ -258,7 +310,10 @@ optional_policy(`
 ')

 optional_policy(`
-	kerberos_read_keytab(ftpd_t)
+	selinux_validate_context(ftpd_t)
+
+	kerberos_keytab_template(ftpd, ftpd_t)
+	kerberos_manage_host_rcache(ftpd_t)
 ')

 optional_policy(`
@ -269,6 +324,15 @@ optional_policy(`
 	')
 ')

+optional_policy(`
+	dbus_system_bus_client(ftpd_t)
+
+	optional_policy(`
+		oddjob_dbus_chat(ftpd_t)
+		oddjob_domtrans_mkhomedir(ftpd_t)
+	')
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(ftpd_t)
 ')
@ -294,3 +358,56 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 files_read_etc_files(ftpdctl_t)

 userdom_use_user_terminals(ftpdctl_t)
+
+########################################
+#
+# sftpd local policy
+#
+
+files_read_etc_files(sftpd_t)
+
+# allow read access to /home by default
+userdom_read_user_home_content_files(sftpd_t)
+userdom_read_user_home_content_symlinks(sftpd_t)
+
+tunable_policy(`sftpd_enable_homedirs',`
+	allow sftpd_t self:capability { dac_override dac_read_search };
+
+	# allow access to /home
+	files_list_home(sftpd_t)
+	userdom_manage_user_home_content_files(sftpd_t)
+	userdom_manage_user_home_content_dirs(sftpd_t)
+	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(sftpd_t)
+	fs_manage_nfs_files(sftpd_t)
+	fs_manage_nfs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+	fs_manage_cifs_dirs(sftpd_t)
+	fs_manage_cifs_files(sftpd_t)
+	fs_manage_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_full_access',`
+	allow sftpd_t self:capability { dac_override dac_read_search };
+	fs_read_noxattr_fs_files(sftpd_t)
+	auth_manage_all_files_except_shadow(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	# allow read access to /home by default
+	fs_list_cifs(sftpd_t)
+	fs_read_cifs_files(sftpd_t)
+	fs_read_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	# allow read access to /home by default
+	fs_list_nfs(sftpd_t)
+	fs_read_nfs_files(sftpd_t)
+	fs_read_nfs_symlinks(ftpd_t)
+')
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@ -38,6 +38,15 @@ define(`domtrans_pattern',`
 	allow $3 $1:process sigchld;
 ')

+#
+# Dynamic transition pattern
+#
+define(`dyntrans_pattern',`
+	allow $1 self:process setcurrent;
+	allow $1 $2:process dyntransition;
+	allow $2 $1:process sigchld;
+')
+
 #
 # Other process permissions
 #