selinux-policy/policy/modules/services/ftp.if

158 lines
3.3 KiB
Plaintext

## <summary>File transfer protocol service</summary>
#######################################
## <summary>
## The per role template for the ftp module.
## </summary>
## <desc>
## <p>
## This template allows ftpd to manage files in
## a user home directory, creating files with the
## correct type.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
#
template(`ftp_per_role_template',`
gen_require(`
type ftpd_t;
')
userdom_manage_user_home_content_files($1,ftpd_t)
userdom_manage_user_home_content_symlinks($1,ftpd_t)
userdom_manage_user_home_content_sockets($1,ftpd_t)
userdom_manage_user_home_content_pipes($1,ftpd_t)
userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
########################################
## <summary>
## Use ftp by connecting over TCP. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Read ftpd etc files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_read_config',`
gen_require(`
type ftpd_etc_t;
')
files_search_etc($1)
allow $1 ftpd_etc_t:file { getattr read };
')
########################################
## <summary>
## Execute FTP daemon entry point programs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_check_exec',`
gen_require(`
type ftpd_exec_t;
')
corecmd_search_bin($1)
allow $1 ftpd_exec_t:file { getattr execute };
')
########################################
## <summary>
## Read FTP transfer logs
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_read_log',`
gen_require(`
type xferlog_t;
')
logging_search_logs($1)
allow $1 xferlog_t:file read_file_perms;
')
########################################
## <summary>
## Execute the ftpdctl program in the ftpdctl domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_domtrans_ftpdctl',`
gen_require(`
type ftpdctl_t, ftpdctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
')
########################################
## <summary>
## Execute the ftpdctl program in the ftpdctl domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the ftpdctl domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the ftpdctl domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`ftp_run_ftpdctl',`
gen_require(`
type ftpdctl_t;
')
ftp_domtrans_ftpdctl($1)
role $2 types ftpdctl_t;
allow ftpdctl_t $3:chr_file rw_term_perms;
')