add ftp

refpolicy/Changelog

@@ -5,6 +5,7 @@
 - Added policies:
 	anaconda
 	dmidecode
+	ftp
 	kudzu
 	radvd
 

refpolicy/policy/global_tunables

@@ -16,6 +16,10 @@ gen_tunable(allow_execmod,false)
 ## Also requires allow_execmem.
 gen_tunable(allow_execstack,false)
 
+## Allow ftp servers to modify public files
+## used for public file transfer services.
+gen_tunable(allow_ftpd_anon_write,false)
+
 ## Allow gpg executable stack
 gen_tunable(allow_gpg_execstack,false)
 

refpolicy/policy/modules/services/ftp.fc

@@ -0,0 +1,26 @@
+#
+# /etc
+#
+/etc/proftpd\.conf	--	context_template(system_u:object_r:ftpd_etc_t,s0)
+/etc/cron\.monthly/proftpd --	context_template(system_u:object_r:ftpd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/kerberos/sbin/ftpd	--	context_template(system_u:object_r:ftpd_exec_t,s0)
+
+/usr/sbin/ftpwho	--	context_template(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/in\.ftpd	--	context_template(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/muddleftpd	--	context_template(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/proftpd	--	context_template(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/vsftpd	--	context_template(system_u:object_r:ftpd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/proftpd/proftpd-inetd -- context_template(system_u:object_r:ftpd_var_run_t,s0)
+/var/run/proftpd/proftpd\.scoreboard -- context_template(system_u:object_r:ftpd_var_run_t,s0)
+
+/var/log/muddleftpd\.log.* --	context_template(system_u:object_r:xferlog_t,s0)
+/var/log/xferlog.*	--	context_template(system_u:object_r:xferlog_t,s0)
+/var/log/xferreport.*	--	context_template(system_u:object_r:xferlog_t,s0)

refpolicy/policy/modules/services/ftp.if

@@ -0,0 +1,70 @@
+## <summary>File transfer protocol service</summary>
+
+########################################
+## <summary>
+##      Use ftp by connecting over TCP.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`ftp_tcp_connect',`
+	gen_require(`
+		type ftpd_t;
+	')
+
+	allow $1 ftpd_t:tcp_socket { connectto recvfrom };
+	allow ftpd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
+##      Read ftpd etc files
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`ftp_read_config',`
+	gen_require(`
+		type ftpd_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 ftpd_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##      Execute FTP daemon entry point programs.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`ftp_check_exec',`
+	gen_require(`
+		type ftpd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	allow $1 ftpd_exec_t:file x_file_perms;
+')
+
+########################################
+## <summary>
+##      Read FTP transfer logs
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`ftp_read_log',`
+	gen_require(`
+		type xferlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xferlog_t:file r_file_perms;
+')

refpolicy/policy/modules/services/ftp.te

@@ -0,0 +1,199 @@
+
+policy_module(ftp,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ftpd_t;
+type ftpd_exec_t;
+init_daemon_domain(ftpd_t,ftpd_exec_t)
+
+type ftpd_etc_t;
+files_type(ftpd_etc_t)
+
+# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
+type ftpd_lock_t;
+files_lock_file(ftpd_lock_t)
+
+type ftpd_tmp_t;
+files_tmp_file(ftpd_tmp_t)
+
+type ftpd_tmpfs_t;
+files_tmpfs_file(ftpd_tmpfs_t)
+
+type ftpd_var_run_t;
+files_pid_file(ftpd_var_run_t)
+
+type xferlog_t;
+logging_log_file(xferlog_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit ftpd_t self:capability sys_tty_config;
+allow ftpd_t self:process signal_perms;
+allow ftpd_t self:process { getcap setcap setsched setrlimit };
+allow ftpd_t self:fifo_file rw_file_perms;
+allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow ftpd_t self:unix_stream_socket create_socket_perms;
+allow ftpd_t self:tcp_socket create_stream_socket_perms;
+allow ftpd_t self:udp_socket create_socket_perms;
+
+allow ftpd_t ftpd_etc_t:file { getattr read };
+
+allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
+allow ftpd_t ftpd_tmp_t:file create_file_perms;
+files_create_tmp_files(ftpd_t, ftpd_tmp_t, { file dir })
+
+allow ftpd_t ftpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow ftpd_t ftpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow ftpd_t ftpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow ftpd_t ftpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow ftpd_t ftpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+fs_create_tmpfs_data(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Create and modify /var/log/xferlog.
+allow ftpd_t xferlog_t:file create_file_perms;
+logging_create_log(ftpd_t,xferlog_t)
+
+kernel_read_kernel_sysctl(ftpd_t)
+kernel_read_system_state(ftpd_t)
+
+dev_read_sysfs(ftpd_t)
+dev_read_urand(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+
+corenet_tcp_sendrecv_all_if(ftpd_t)
+corenet_udp_sendrecv_all_if(ftpd_t)
+corenet_raw_sendrecv_all_if(ftpd_t)
+corenet_tcp_sendrecv_all_nodes(ftpd_t)
+corenet_udp_sendrecv_all_nodes(ftpd_t)
+corenet_raw_sendrecv_all_nodes(ftpd_t)
+corenet_tcp_sendrecv_all_ports(ftpd_t)
+corenet_udp_sendrecv_all_ports(ftpd_t)
+corenet_tcp_bind_all_nodes(ftpd_t)
+corenet_udp_bind_all_nodes(ftpd_t)
+corenet_tcp_bind_ftp_data_port(ftpd_t)
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_connect_all_ports(ftpd_t)
+
+term_dontaudit_use_console(ftpd_t)
+
+# Append to /var/log/wtmp.
+auth_append_login_records(ftpd_t)
+#kerberized ftp requires the following
+auth_write_login_records(ftpd_t)
+
+corecmd_exec_bin(ftpd_t)
+# Execute /bin/ls (can comment this out for proftpd)
+# also may need rules to allow tar etc...
+corecmd_exec_ls(ftpd_t)
+
+domain_use_wide_inherit_fd(ftpd_t)
+
+files_search_etc(ftpd_t)
+files_read_etc_files(ftpd_t)
+files_read_etc_runtime_files(ftpd_t)
+
+init_use_fd(ftpd_t)
+init_use_script_pty(ftpd_t)
+
+libs_use_ld_so(ftpd_t)
+libs_use_shared_libs(ftpd_t)
+
+logging_send_syslog_msg(ftpd_t)
+
+miscfiles_read_localization(ftpd_t)
+miscfiles_read_public_files(ftpd_t)
+
+seutil_dontaudit_search_config(ftpd_t)
+
+sysnet_read_config(ftpd_t)
+
+userdom_dontaudit_search_sysadm_home_dir(ftpd_t)
+userdom_dontaudit_use_unpriv_user_fd(ftpd_t)
+
+ifdef(`targeted_policy',`
+	files_dontaudit_read_root_file(ftpd_t)
+
+	term_dontaudit_use_generic_pty(ftpd_t)
+	term_dontaudit_use_unallocated_tty(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_anon_write',`
+	miscfiles_manage_public_files(ftpd_t)
+') 
+
+tunable_policy(`ftp_home_dir',`
+	# allow access to /home
+	files_getattr_home_dir(ftpd_t)
+	userdom_read_all_user_files(ftpd_t)
+	userdom_manage_all_user_dirs(ftpd_t)
+	userdom_manage_all_user_files(ftpd_t)
+	userdom_manage_all_user_symlinks(ftpd_t)
+')
+
+tunable_policy(`ftpd_is_daemon',`
+	allow ftpd_t ftpd_lock_t:file create_file_perms;
+	files_create_lock(ftpd_t,ftpd_lock_t)
+
+	corenet_tcp_bind_ftp_port(ftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs && ftp_home_dir',`
+	fs_read_nfs_files(ftpd_t)
+	fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
+	fs_read_cifs_files(ftpd_t)
+	fs_read_cifs_symlinks(ftpd_t)
+')
+
+optional_policy(`crond.te', `
+	corecmd_exec_shell(ftpd_t)
+
+	files_read_usr_file(ftpd_t)
+
+       	cron_system_entry(ftpd_t, ftpd_exec_t)
+
+	optional_policy(`logrotate.te',`
+		logrotate_exec(ftpd_t)
+	')
+')
+
+optional_policy(`inetd.te',`
+	if (!ftpd_is_daemon) {
+		#reh: typeattributes not allowed in conditionals yet.
+		#inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+
+		optional_policy(`tcpd.te',`
+			tcpd_domtrans(tcpd_t)
+		')
+	}
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(ftpd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(ftpd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(ftpd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(ftpd_t)
+')
+')

refpolicy/policy/modules/services/inetd.te

@@ -209,6 +209,13 @@ tunable_policy(`run_ssh_inetd',`
 	corenet_tcp_bind_ssh_port(inetd_t)
 ')
 
+optional_policy(`ftp.te',`
+	tunable_policy(`ftpd_is_daemon',`
+		# Allows it to check exec privs on daemon
+		ftp_check_exec(inetd_t)
+	')
+')
+
 optional_policy(`kerberos.te',`
 	kerberos_use(inetd_child_t)
 ')

refpolicy/policy/modules/system/authlogin.if

@@ -733,6 +733,38 @@ interface(`auth_dontaudit_write_login_records',`
 	dontaudit $1 wtmp_t:file write;
 ')
 
+#######################################
+## <summary>
+##	Append to login records (wtmp).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_append_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	allow $1 wtmp_t:file { getattr append };
+')
+
+#######################################
+## <summary>
+##	Write to login records (wtmp).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_write_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	allow $1 wtmp_t:file { write lock };
+')
+
 #######################################
 #
 # auth_rw_login_records(domain)

refpolicy/policy/modules/system/init.if

@@ -555,6 +555,23 @@ interface(`init_udp_sendto_script',`
 	allow initrc_t $1:udp_socket recvfrom;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	init scripts with a unix socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_unix_connect_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the init script pty.

refpolicy/policy/modules/system/userdomain.if

@@ -313,6 +313,12 @@ template(`base_user_template',`
 		dictd_use($1_t)
 	')
 
+	optional_policy(`ftp.te',`
+		tunable_policy(`ftpd_is_daemon',`
+			ftp_tcp_connect($1_t)
+		')
+	')
+
 	optional_policy(`inetd.te',`
 		inetd_tcp_connect($1_t)
 	')
@@ -1845,6 +1851,62 @@ interface(`userdom_read_all_user_files',`
 	allow $1 home_type:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete all directories
+##	in all users home directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_manage_all_user_dirs',`
+	gen_require(`
+		attribute home_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_type:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all files
+##	in all users home directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_manage_all_user_files',`
+	gen_require(`
+		attribute home_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_type:dir rw_dir_perms;
+	allow $1 home_type:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all symlinks
+##	in all users home directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_manage_all_user_symlinks',`
+	gen_require(`
+		attribute home_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_type:dir rw_dir_perms;
+	allow $1 home_type:lnk_file create_lnk_perms;
+')
+
 ########################################
 ## <summary>
 ##	Send general signals to unprivileged user domains.