## <summary>File transfer protocol service</summary>

#######################################
## <summary>
##	The per user domain template for the ftp module.
## </summary>
## <desc>
##	<p>
##	This template allows ftpd to manage files in
##	a user home directory, creating files with the
##	correct type.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`ftp_per_userdomain_template',`
	tunable_policy(`ftpd_is_daemon',`
		userdom_manage_user_home_content_files($1,ftpd_t)
		userdom_manage_user_home_content_symlinks($1,ftpd_t)
		userdom_manage_user_home_content_sockets($1,ftpd_t)
		userdom_manage_user_home_content_pipes($1,ftpd_t)
		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
	')
')

########################################
## <summary>
##      Use ftp by connecting over TCP.
## </summary>
## <param name="domain">
##	<summary>
##      Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_tcp_connect',`
	gen_require(`
		type ftpd_t;
	')

	allow $1 ftpd_t:tcp_socket { connectto recvfrom };
	allow ftpd_t $1:tcp_socket { acceptfrom recvfrom };
	kernel_tcp_recvfrom($1)
')

########################################
## <summary>
##      Read ftpd etc files
## </summary>
## <param name="domain">
##	<summary>
##      Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_read_config',`
	gen_require(`
		type ftpd_etc_t;
	')

	files_search_etc($1)
	allow $1 ftpd_etc_t:file { getattr read };
')

########################################
## <summary>
##      Execute FTP daemon entry point programs.
## </summary>
## <param name="domain">
##	<summary>
##      Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_check_exec',`
	gen_require(`
		type ftpd_exec_t;
	')

	corecmd_search_sbin($1)
	allow $1 ftpd_exec_t:file x_file_perms;
')

########################################
## <summary>
##      Read FTP transfer logs
## </summary>
## <param name="domain">
##	<summary>
##      Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_read_log',`
	gen_require(`
		type xferlog_t;
	')

	logging_search_logs($1)
	allow $1 xferlog_t:file r_file_perms;
')

########################################
## <summary>
##      Execute the ftpdctl program in the ftpdctl domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`ftp_domtrans_ftpdctl',`
	gen_require(`
		type ftpdctl_t, ftpdctl_exec_t;
	')

	corecmd_search_bin($1)
	domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)

	allow ftpdctl_t $1:fd use;
	allow ftpdctl_t $1:fifo_file rw_file_perms;
	allow ftpdctl_t $1:process sigchld;
')