1dfc76f76b
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
463 lines
11 KiB
Plaintext
463 lines
11 KiB
Plaintext
policy_module(ftp, 1.12.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow ftp servers to upload files, used for public file
|
|
## transfer services. Directories must be labeled
|
|
## public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow ftp servers to login to local users and
|
|
## read/write all files on the system, governed by DAC.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_full_access, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow ftp servers to use cifs
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_use_cifs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow ftp servers to use nfs
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_use_nfs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow ftp servers to use connect to mysql database
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(ftpd_connect_db, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow ftp to read and write files in the user home directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(ftp_home_dir, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow anon internal-sftp to upload files, used for
|
|
## public file transfer services. Directories must be labeled
|
|
## public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow sftp-internal to read and write files
|
|
## in the user home directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_enable_homedirs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow sftp-internal to login to local users and
|
|
## read/write all files on the system, governed by DAC.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_full_access, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow interlnal-sftp to read and write files
|
|
## in the user ssh home directories.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_write_ssh_home, false)
|
|
|
|
type anon_sftpd_t;
|
|
typealias anon_sftpd_t alias sftpd_anon_t;
|
|
domain_type(anon_sftpd_t)
|
|
role system_r types anon_sftpd_t;
|
|
|
|
type ftpd_t;
|
|
type ftpd_exec_t;
|
|
init_daemon_domain(ftpd_t, ftpd_exec_t)
|
|
|
|
type ftpd_etc_t;
|
|
files_config_file(ftpd_etc_t)
|
|
|
|
type ftpd_initrc_exec_t;
|
|
init_script_file(ftpd_initrc_exec_t)
|
|
|
|
type ftpd_lock_t;
|
|
files_lock_file(ftpd_lock_t)
|
|
|
|
type ftpd_tmp_t;
|
|
files_tmp_file(ftpd_tmp_t)
|
|
|
|
type ftpd_tmpfs_t;
|
|
files_tmpfs_file(ftpd_tmpfs_t)
|
|
|
|
type ftpd_var_run_t;
|
|
files_pid_file(ftpd_var_run_t)
|
|
|
|
type ftpdctl_t;
|
|
type ftpdctl_exec_t;
|
|
init_system_domain(ftpdctl_t, ftpdctl_exec_t)
|
|
|
|
type ftpdctl_tmp_t;
|
|
files_tmp_file(ftpdctl_tmp_t)
|
|
|
|
type sftpd_t;
|
|
domain_type(sftpd_t)
|
|
role system_r types sftpd_t;
|
|
|
|
type xferlog_t;
|
|
logging_log_file(xferlog_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# anon-sftp local policy
|
|
#
|
|
|
|
files_read_etc_files(anon_sftpd_t)
|
|
|
|
miscfiles_read_public_files(anon_sftpd_t)
|
|
|
|
tunable_policy(`sftpd_anon_write',`
|
|
miscfiles_manage_public_files(anon_sftpd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ftpd local policy
|
|
#
|
|
|
|
allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
|
|
dontaudit ftpd_t self:capability sys_tty_config;
|
|
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
|
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
|
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
|
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
|
allow ftpd_t self:udp_socket create_socket_perms;
|
|
allow ftpd_t self:shm create_shm_perms;
|
|
allow ftpd_t self:key manage_key_perms;
|
|
|
|
allow ftpd_t ftpd_etc_t:file read_file_perms;
|
|
|
|
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
|
|
|
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
|
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
|
|
|
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
|
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
|
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
|
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
|
|
|
|
# proftpd requires the client side to bind a socket so that
|
|
# it can stat the socket to perform access control decisions,
|
|
# since getsockopt with SO_PEERCRED is not available on all
|
|
# proftpd-supported OSs
|
|
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
|
|
|
|
# Create and modify /var/log/xferlog.
|
|
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
|
logging_log_filetrans(ftpd_t, xferlog_t, file)
|
|
|
|
kernel_read_kernel_sysctls(ftpd_t)
|
|
kernel_read_system_state(ftpd_t)
|
|
kernel_search_network_state(ftpd_t)
|
|
|
|
dev_read_sysfs(ftpd_t)
|
|
dev_read_urand(ftpd_t)
|
|
|
|
corecmd_exec_bin(ftpd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(ftpd_t)
|
|
corenet_all_recvfrom_netlabel(ftpd_t)
|
|
corenet_tcp_sendrecv_generic_if(ftpd_t)
|
|
corenet_udp_sendrecv_generic_if(ftpd_t)
|
|
corenet_tcp_sendrecv_generic_node(ftpd_t)
|
|
corenet_udp_sendrecv_generic_node(ftpd_t)
|
|
corenet_tcp_sendrecv_all_ports(ftpd_t)
|
|
corenet_udp_sendrecv_all_ports(ftpd_t)
|
|
corenet_tcp_bind_generic_node(ftpd_t)
|
|
corenet_tcp_bind_ftp_port(ftpd_t)
|
|
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
|
corenet_tcp_bind_generic_port(ftpd_t)
|
|
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
|
|
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
|
|
corenet_tcp_connect_all_ports(ftpd_t)
|
|
corenet_sendrecv_ftp_server_packets(ftpd_t)
|
|
|
|
domain_use_interactive_fds(ftpd_t)
|
|
|
|
files_search_etc(ftpd_t)
|
|
files_read_etc_files(ftpd_t)
|
|
files_read_etc_runtime_files(ftpd_t)
|
|
files_search_var_lib(ftpd_t)
|
|
|
|
fs_search_auto_mountpoints(ftpd_t)
|
|
fs_getattr_all_fs(ftpd_t)
|
|
fs_search_fusefs(ftpd_t)
|
|
|
|
auth_use_nsswitch(ftpd_t)
|
|
auth_domtrans_chk_passwd(ftpd_t)
|
|
# Append to /var/log/wtmp.
|
|
auth_append_login_records(ftpd_t)
|
|
#kerberized ftp requires the following
|
|
auth_write_login_records(ftpd_t)
|
|
auth_rw_faillog(ftpd_t)
|
|
|
|
init_rw_utmp(ftpd_t)
|
|
|
|
logging_send_audit_msgs(ftpd_t)
|
|
logging_send_syslog_msg(ftpd_t)
|
|
logging_set_loginuid(ftpd_t)
|
|
|
|
miscfiles_read_localization(ftpd_t)
|
|
miscfiles_read_public_files(ftpd_t)
|
|
|
|
seutil_dontaudit_search_config(ftpd_t)
|
|
|
|
sysnet_read_config(ftpd_t)
|
|
sysnet_use_ldap(ftpd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
|
userdom_dontaudit_search_user_home_dirs(ftpd_t)
|
|
|
|
tunable_policy(`allow_ftpd_anon_write',`
|
|
miscfiles_manage_public_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_cifs',`
|
|
fs_read_cifs_files(ftpd_t)
|
|
fs_read_cifs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
|
|
fs_manage_cifs_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_nfs',`
|
|
fs_read_nfs_files(ftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
|
fs_manage_nfs_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_full_access',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
auth_manage_all_files_except_shadow(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
# allow access to /home
|
|
files_list_home(ftpd_t)
|
|
userdom_read_user_home_content_files(ftpd_t)
|
|
userdom_manage_user_home_content(ftpd_t)
|
|
userdom_manage_user_tmp_files(ftpd_t)
|
|
userdom_tmp_filetrans_user_tmp(ftpd_t, file)
|
|
', `
|
|
# Needed for permissive mode, to make sure everything gets labeled correctly
|
|
userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
|
|
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
|
fs_manage_nfs_files(ftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
|
|
fs_manage_cifs_files(ftpd_t)
|
|
fs_read_cifs_symlinks(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`ftp_home_dir',`
|
|
apache_search_sys_content(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
corecmd_exec_shell(ftpd_t)
|
|
|
|
files_read_usr_files(ftpd_t)
|
|
|
|
cron_system_entry(ftpd_t, ftpd_exec_t)
|
|
|
|
optional_policy(`
|
|
logrotate_exec(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(ftpd_t, ftpd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
selinux_validate_context(ftpd_t)
|
|
|
|
kerberos_keytab_template(ftpd, ftpd_t)
|
|
kerberos_manage_host_rcache(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`ftpd_connect_db',`
|
|
mysql_stream_connect(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`ftpd_connect_db',`
|
|
postgresql_stream_connect(ftpd_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`ftpd_connect_db',`
|
|
corenet_tcp_connect_mysqld_port(ftpd_t)
|
|
corenet_tcp_connect_postgresql_port(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
|
|
|
|
optional_policy(`
|
|
tcpd_domtrans(tcpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(ftpd_t)
|
|
|
|
optional_policy(`
|
|
oddjob_dbus_chat(ftpd_t)
|
|
oddjob_domtrans_mkhomedir(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(ftpd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ftpdctl local policy
|
|
#
|
|
|
|
# Allow ftpdctl to talk to ftpd over a socket connection
|
|
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
|
|
|
# ftpdctl creates a socket so that the daemon can perform
|
|
# access control decisions (see comments in ftpd_t rules above)
|
|
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
|
|
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
|
|
|
|
# Allow ftpdctl to read config files
|
|
files_read_etc_files(ftpdctl_t)
|
|
|
|
userdom_use_user_terminals(ftpdctl_t)
|
|
|
|
########################################
|
|
#
|
|
# sftpd local policy
|
|
#
|
|
files_read_etc_files(sftpd_t)
|
|
|
|
# allow read access to /home by default
|
|
userdom_read_user_home_content_files(sftpd_t)
|
|
userdom_read_user_home_content_symlinks(sftpd_t)
|
|
userdom_dontaudit_list_admin_dir(sftpd_t)
|
|
|
|
tunable_policy(`sftpd_full_access',`
|
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
|
fs_read_noxattr_fs_files(sftpd_t)
|
|
auth_manage_all_files_except_shadow(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`sftpd_write_ssh_home',`
|
|
ssh_manage_home_files(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`sftpd_enable_homedirs',`
|
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
# allow access to /home
|
|
files_list_home(sftpd_t)
|
|
userdom_read_user_home_content_files(sftpd_t)
|
|
userdom_manage_user_home_content(sftpd_t)
|
|
', `
|
|
# Needed for permissive mode, to make sure everything gets labeled correctly
|
|
userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
|
|
')
|
|
|
|
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(sftpd_t)
|
|
fs_manage_nfs_files(sftpd_t)
|
|
fs_manage_nfs_symlinks(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(sftpd_t)
|
|
fs_manage_cifs_files(sftpd_t)
|
|
fs_manage_cifs_symlinks(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`sftpd_full_access',`
|
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
|
fs_read_noxattr_fs_files(sftpd_t)
|
|
auth_manage_all_files_except_shadow(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
# allow read access to /home by default
|
|
fs_list_cifs(sftpd_t)
|
|
fs_read_cifs_files(sftpd_t)
|
|
fs_read_cifs_symlinks(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
# allow read access to /home by default
|
|
fs_list_nfs(sftpd_t)
|
|
fs_read_nfs_files(sftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|