## <summary>File transfer protocol service</summary>

########################################
## <summary>
##	The per user domain template for the ftp module.
## </summary>
## <desc>
##	<p>
##	This template allows ftpd to manage files in
##	a user home directory, creating files with the
##	correct type.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`ftp_per_userdomain_template',`
	# NOTE(review): the home-directory rules are gated on the ftpd_is_daemon
	# tunable. Confirm that this is the intended switch: the rules concern
	# user home content, not whether ftpd runs standalone or from inetd.
	tunable_policy(`ftpd_is_daemon',`
		# ftpd_t receives manage access (create/read/write/delete) to the
		# home-content files, symlinks, sockets and pipes of the $1 user domain.
		userdom_manage_user_home_content_files($1,ftpd_t)
		userdom_manage_user_home_content_symlinks($1,ftpd_t)
		userdom_manage_user_home_content_sockets($1,ftpd_t)
		userdom_manage_user_home_content_pipes($1,ftpd_t)
		# Objects of the listed classes that ftpd_t creates directly in the
		# user home directory are labeled with the user's home-content type.
		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
	')
')

########################################
## <summary>
##	Use ftp by connecting over TCP.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_tcp_connect',`
	gen_require(`
		type ftpd_t;
	')

	# Socket-level access is granted in both directions: $1 may connect to
	# and receive from ftpd_t sockets, ftpd_t may accept from and receive
	# from $1 sockets.
	allow $1 ftpd_t:tcp_socket { connectto recvfrom };
	allow ftpd_t $1:tcp_socket { acceptfrom recvfrom };
	# Presumably grants $1 recvfrom on kernel-domain TCP sockets as well;
	# see the kernel module for the exact rule.
	kernel_tcp_recvfrom($1)
')

########################################
## <summary>
##	Read ftpd etc files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_read_config',`
	gen_require(`
		type ftpd_etc_t;
	')

	files_search_etc($1)
	# Only getattr and read are granted; this is narrower than the
	# r_file_perms set used by ftp_read_log below.
	allow $1 ftpd_etc_t:file { getattr read };
')

########################################
## <summary>
##	Execute FTP daemon entry point programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_check_exec',`
	gen_require(`
		type ftpd_exec_t;
	')

	corecmd_search_sbin($1)
	# Only x_file_perms on the entry point are granted (an execute
	# permission check); no domain transition into ftpd_t is set up here.
	allow $1 ftpd_exec_t:file x_file_perms;
')

########################################
## <summary>
##	Read FTP transfer logs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ftp_read_log',`
	gen_require(`
		type xferlog_t;
	')

	# Search access to the log directory is needed to reach xferlog_t files.
	logging_search_logs($1)
	allow $1 xferlog_t:file r_file_perms;
')