policy_module(ftp, 1.10.2) ######################################## # # Declarations # ## ##

## Allow ftp servers to upload files, used for public file ## transfer services. Directories must be labeled ## public_content_rw_t. ##

##
gen_tunable(allow_ftpd_anon_write, false) ## ##

## Allow ftp servers to login to local users and ## read/write all files on the system, governed by DAC. ##

##
gen_tunable(allow_ftpd_full_access, false) ## ##

## Allow ftp servers to use cifs ## used for public file transfer services. ##

##
gen_tunable(allow_ftpd_use_cifs, false) ## ##

## Allow ftp servers to use nfs ## used for public file transfer services. ##

##
gen_tunable(allow_ftpd_use_nfs, false) ## ##

## Allow ftp to read and write files in the user home directories ##

##
gen_tunable(ftp_home_dir, false) type ftpd_t; type ftpd_exec_t; init_daemon_domain(ftpd_t, ftpd_exec_t) type ftpd_etc_t; files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) type ftpd_lock_t; files_lock_file(ftpd_lock_t) type ftpd_tmp_t; files_tmp_file(ftpd_tmp_t) type ftpd_tmpfs_t; files_tmpfs_file(ftpd_tmpfs_t) type ftpd_var_run_t; files_pid_file(ftpd_var_run_t) type ftpdctl_t; type ftpdctl_exec_t; init_system_domain(ftpdctl_t, ftpdctl_exec_t) type ftpdctl_tmp_t; files_tmp_file(ftpdctl_tmp_t) type xferlog_t; logging_log_file(xferlog_t) ######################################## # # ftpd local policy # allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process signal_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; allow ftpd_t self:fifo_file rw_fifo_file_perms; allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:udp_socket create_socket_perms; allow ftpd_t ftpd_etc_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) # proftpd requires the client side to bind a socket so that # it can stat the socket to perform access control decisions, # since getsockopt with SO_PEERCRED is not available on all # proftpd-supported OSs allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; # Create and modify /var/log/xferlog. allow ftpd_t xferlog_t:dir search_dir_perms; allow ftpd_t xferlog_t:file manage_file_perms; logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) kernel_search_network_state(ftpd_t) dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) corecmd_exec_bin(ftpd_t) corenet_all_recvfrom_unlabeled(ftpd_t) corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) corenet_tcp_sendrecv_generic_node(ftpd_t) corenet_udp_sendrecv_generic_node(ftpd_t) corenet_tcp_sendrecv_all_ports(ftpd_t) corenet_udp_sendrecv_all_ports(ftpd_t) corenet_tcp_bind_generic_node(ftpd_t) corenet_tcp_bind_ftp_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_generic_port(ftpd_t) corenet_tcp_bind_all_unreserved_ports(ftpd_t) corenet_dontaudit_tcp_bind_all_ports(ftpd_t) corenet_tcp_connect_all_ports(ftpd_t) corenet_sendrecv_ftp_server_packets(ftpd_t) domain_use_interactive_fds(ftpd_t) files_search_etc(ftpd_t) files_read_etc_files(ftpd_t) files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) # Append to /var/log/wtmp. auth_append_login_records(ftpd_t) #kerberized ftp requires the following auth_write_login_records(ftpd_t) auth_rw_faillog(ftpd_t) init_rw_utmp(ftpd_t) logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) miscfiles_read_localization(ftpd_t) miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) sysnet_read_config(ftpd_t) sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) tunable_policy(`allow_ftpd_anon_write',` miscfiles_manage_public_files(ftpd_t) ') tunable_policy(`allow_ftpd_use_cifs',` fs_read_cifs_files(ftpd_t) fs_read_cifs_symlinks(ftpd_t) ') tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` fs_manage_cifs_files(ftpd_t) ') tunable_policy(`allow_ftpd_use_nfs',` fs_read_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) ') tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` fs_manage_nfs_files(ftpd_t) ') tunable_policy(`allow_ftpd_full_access',` allow ftpd_t self:capability { dac_override dac_read_search }; auth_manage_all_files_except_shadow(ftpd_t) ') tunable_policy(`ftp_home_dir',` allow ftpd_t self:capability { dac_override dac_read_search }; # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_files(ftpd_t) userdom_manage_user_home_content_symlinks(ftpd_t) userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` fs_manage_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) ') tunable_policy(`ftp_home_dir && use_samba_home_dirs',` fs_manage_cifs_files(ftpd_t) fs_read_cifs_symlinks(ftpd_t) ') optional_policy(` tunable_policy(`ftp_home_dir',` apache_search_sys_content(ftpd_t) ') ') optional_policy(` corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) cron_system_entry(ftpd_t, ftpd_exec_t) optional_policy(` logrotate_exec(ftpd_t) ') ') optional_policy(` daemontools_service_domain(ftpd_t, ftpd_exec_t) ') optional_policy(` kerberos_read_keytab(ftpd_t) ') optional_policy(` inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` tcpd_domtrans(tcpd_t) ') ') optional_policy(` seutil_sigchld_newrole(ftpd_t) ') optional_policy(` udev_read_db(ftpd_t) ') ######################################## # # ftpdctl local policy # # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) # ftpdctl creates a socket so that the daemon can perform # access control decisions (see comments in ftpd_t rules above) allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) # Allow ftpdctl to read config files files_read_etc_files(ftpdctl_t) userdom_use_user_terminals(ftpdctl_t)