#DESC Ftpd - Ftp daemon # # Authors: Stephen Smalley and Timothy Fraser # Russell Coker # X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd # ################################# # # Rules for the ftpd_t domain # type ftp_port_t, port_type, reserved_port_type; type ftp_data_port_t, port_type, reserved_port_type; daemon_domain(ftpd, `, auth_chkpwd') etc_domain(ftpd) typealias ftpd_etc_t alias etc_ftpd_t; can_network(ftpd_t) allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_socket_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; allow ftpd_t self:fifo_file rw_file_perms; allow ftpd_t bin_t:dir search; can_exec(ftpd_t, bin_t) allow ftpd_t bin_t:lnk_file read; read_sysctl(ftpd_t) allow ftpd_t urandom_device_t:chr_file { getattr read }; ifdef(`crond.te', ` system_crond_entry(ftpd_exec_t, ftpd_t) allow system_crond_t xferlog_t:file r_file_perms; can_exec(ftpd_t, { sbin_t shell_exec_t }) allow ftpd_t usr_t:file { getattr read }; ifdef(`logrotate.te', ` can_exec(ftpd_t, logrotate_exec_t) ')dnl end if logrotate.te ')dnl end if crond.te allow ftpd_t ftp_data_port_t:tcp_socket name_bind; allow ftpd_t port_t:tcp_socket name_bind; # Allow ftpd to run directly without inetd. bool ftpd_is_daemon false; if (ftpd_is_daemon) { rw_dir_create_file(ftpd_t, var_lock_t) allow ftpd_t ftp_port_t:tcp_socket name_bind; can_tcp_connect(userdomain, ftpd_t) # Allows it to check exec privs on daemon allow inetd_t ftpd_exec_t:file x_file_perms; } ifdef(`inetd.te', ` if (!ftpd_is_daemon) { ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)') domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t) # Use sockets inherited from inetd. allow ftpd_t inetd_t:fd use; allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms; # Send SIGCHLD to inetd on death. allow ftpd_t inetd_t:process sigchld; } ') dnl end inetd.te # Access shared memory tmpfs instance. tmpfs_domain(ftpd) # Use capabilities. allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; # Append to /var/log/wtmp. allow ftpd_t wtmp_t:file { getattr append }; #kerberized ftp requires the following allow ftpd_t wtmp_t:file { write lock }; # Create and modify /var/log/xferlog. type xferlog_t, file_type, sysadmfile, logfile; file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file) # Execute /bin/ls (can comment this out for proftpd) # also may need rules to allow tar etc... can_exec(ftpd_t, ls_exec_t) allow initrc_t ftpd_etc_t:file { getattr read }; allow ftpd_t { etc_t etc_runtime_t }:file { getattr read }; allow ftpd_t proc_t:file { getattr read }; dontaudit ftpd_t sysadm_home_dir_t:dir getattr; dontaudit ftpd_t selinux_config_t:dir search; allow ftpd_t autofs_t:dir search; allow ftpd_t self:file { getattr read }; tmp_domain(ftpd) # Allow ftp to read/write files in the user home directories. bool ftp_home_dir false; if (ftp_home_dir) { # allow access to /home allow ftpd_t home_root_t:dir { getattr search }; } if (use_nfs_home_dirs && ftp_home_dir) { r_dir_file(ftpd_t, nfs_t) } if (use_samba_home_dirs && ftp_home_dir) { r_dir_file(ftpd_t, cifs_t) } dontaudit ftpd_t selinux_config_t:dir search; # # Type for access to anon ftp # type ftpd_anon_t, file_type, sysadmfile, customizable; r_dir_file(ftpd_t,ftpd_anon_t) type ftpd_anon_rw_t, file_type, sysadmfile, customizable; create_dir_file(ftpd_t,ftpd_anon_rw_t)