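#DESC Ftpd - Ftp daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
#
# Policy for the ftpd_t domain. Two booleans shape the reach of this
# domain: ftpd_is_daemon (standalone versus inetd-spawned) and
# ftp_home_dir (read/write access to user home directories). Both
# default to false.

#################################
#
# Rules for the ftpd_t domain
#
# daemon_domain() presumably declares ftpd_t / ftpd_exec_t together with
# the common daemon rules; the extra attributes let ftpd check passwords
# (auth_chkpwd) and query nscd (nscd_client_domain). etc_domain()
# presumably declares ftpd_etc_t for the configuration files.
daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
etc_domain(ftpd)

can_network(ftpd_t)
# Outbound connects to every labelled TCP port (port_type is the
# attribute carried by all port types), presumably so active-mode data
# connections can reach client-chosen ports. This is the broadest
# network rule in the file; confirm the ftpd in use still needs it.
allow ftpd_t port_type:tcp_socket name_connect;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_socket_perms;
# getcap/setcap adjust its own capability sets; setsched/setrlimit its
# scheduling and resource limits (see the self:capability rule below).
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_file_perms;

# Run helpers out of bin_t (see the ls_exec_t rule further down).
allow ftpd_t bin_t:dir search;
can_exec(ftpd_t, bin_t)
allow ftpd_t bin_t:lnk_file read;
read_sysctl(ftpd_t)

# Read-only access to the urandom device.
allow ftpd_t urandom_device_t:chr_file { getattr read };

ifdef(`crond.te', `
# Cron jobs may run in ftpd_t and the system cron domain may read the
# transfer log. Note that the sbin_t / shell_exec_t rule below is not
# limited to cron-started processes: whenever crond.te is built, all of
# ftpd_t may exec sbin binaries and a shell. Keep it only if such jobs
# exist.
system_crond_entry(ftpd_exec_t, ftpd_t)
allow system_crond_t xferlog_t:file r_file_perms;
can_exec(ftpd_t, { sbin_t shell_exec_t })
allow ftpd_t usr_t:file { getattr read };
ifdef(`logrotate.te', `
can_exec(ftpd_t, logrotate_exec_t)
')dnl end if logrotate.te
')dnl end if crond.te

# Bind the ftp-data port type and ports without a more specific label
# (port_t), presumably for data connections.
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
allow ftpd_t port_t:tcp_socket name_bind;

# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t, file_type, sysadmfile, lockfile;

# Allow ftpd to run directly without inetd.
bool ftpd_is_daemon false;
if (ftpd_is_daemon) {
# Standalone mode: own lock file under var_lock_t, bind the control port
# type and accept connections from user domains.
file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
allow ftpd_t ftp_port_t:tcp_socket name_bind;
can_tcp_connect(userdomain, ftpd_t)
# Allows it to check exec privs on daemon
# NOTE(review): this inetd_t rule sits in the daemon (non-inetd) branch;
# confirm that is intended rather than belonging to the inetd block below.
allow inetd_t ftpd_exec_t:file x_file_perms;
}
ifdef(`inetd.te', `
if (!ftpd_is_daemon) {
# Inetd mode: the transition into ftpd_t happens from inetd_t (or from
# tcpd_t when the tcp wrapper policy is built).
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)

# Use sockets inherited from inetd.
allow ftpd_t inetd_t:fd use;
allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;

# Send SIGCHLD to inetd on death.
allow ftpd_t inetd_t:process sigchld;
}
') dnl end inetd.te

# Access shared memory tmpfs instance.
tmpfs_domain(ftpd)

# Use capabilities.
# chown/fowner/fsetid: override ownership checks on files; setuid/setgid:
# change credentials; net_bind_service: bind ports below 1024; sys_chroot:
# chroot(2); sys_nice/sys_resource: scheduling and resource-limit overrides.
allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };

# Append to /var/log/wtmp.
allow ftpd_t wtmp_t:file { getattr append };
#kerberized ftp requires the following
# Note: write together with the append rule above lets ftpd modify
# existing wtmp records, not only add new ones.
allow ftpd_t wtmp_t:file { write lock };

# Create and modify /var/log/xferlog.
# Files ftpd creates under var_log_t are labelled xferlog_t (also
# readable by system_crond_t in the crond block above).
type xferlog_t, file_type, sysadmfile, logfile;
file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)

# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
can_exec(ftpd_t, ls_exec_t)

# Read its own config (initrc too), generic etc files and proc files.
allow initrc_t ftpd_etc_t:file { getattr read };
allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
allow ftpd_t proc_t:file { getattr read };

# Silence expected denials rather than granting the access.
dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
dontaudit ftpd_t selinux_config_t:dir search;
allow ftpd_t autofs_t:dir search;
allow ftpd_t self:file { getattr read };
# Private tmp type via tmp_domain().
tmp_domain(ftpd)

# Allow ftp to read/write files in the user home directories.
# Off by default; when on, ftpd_t gets create/write on every home_type
# file, so enable it only where that is the intended service.
bool ftp_home_dir false;

if (ftp_home_dir) {
# allow access to /home
allow ftpd_t home_root_t:dir { getattr search };
allow ftpd_t home_dir_type:dir r_dir_perms;
create_dir_file(ftpd_t, home_type)
}
# Read-only access to NFS / CIFS mounted homes, gated on both booleans.
if (use_nfs_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, nfs_t)
}
if (use_samba_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, cifs_t)
}
#
# Type for access to anon ftp
#
# ftpd_anon_t (not declared in this file) is read-only; ftpd_anon_rw_t is
# the customizable type for areas where ftpd may create and write files,
# presumably anonymous upload directories.
r_dir_file(ftpd_t, ftpd_anon_t)
type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
create_dir_file(ftpd_t, ftpd_anon_rw_t)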