287 lines
7.2 KiB
Plaintext
287 lines
7.2 KiB
Plaintext
|
|
policy_module(ftp,1.4.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type ftpd_t;
|
|
type ftpd_exec_t;
|
|
init_daemon_domain(ftpd_t,ftpd_exec_t)
|
|
|
|
type ftpd_etc_t;
|
|
files_config_file(ftpd_etc_t)
|
|
|
|
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
|
|
type ftpd_lock_t;
|
|
files_lock_file(ftpd_lock_t)
|
|
|
|
type ftpd_tmp_t;
|
|
files_tmp_file(ftpd_tmp_t)
|
|
|
|
type ftpd_tmpfs_t;
|
|
files_tmpfs_file(ftpd_tmpfs_t)
|
|
|
|
type ftpd_var_run_t;
|
|
files_pid_file(ftpd_var_run_t)
|
|
|
|
type ftpdctl_t;
|
|
type ftpdctl_exec_t;
|
|
init_system_domain(ftpdctl_t,ftpdctl_exec_t)
|
|
|
|
type ftpdctl_tmp_t;
|
|
files_tmp_file(ftpdctl_tmp_t)
|
|
|
|
type xferlog_t;
|
|
logging_log_file(xferlog_t)
|
|
|
|
########################################
|
|
#
|
|
# ftpd local policy
|
|
#
|
|
|
|
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
|
|
dontaudit ftpd_t self:capability sys_tty_config;
|
|
allow ftpd_t self:process signal_perms;
|
|
allow ftpd_t self:process { getcap setcap setsched setrlimit };
|
|
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
|
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
|
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
|
allow ftpd_t self:udp_socket create_socket_perms;
|
|
|
|
allow ftpd_t ftpd_etc_t:file read_file_perms;
|
|
|
|
manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
|
|
manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
|
|
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
|
|
manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
|
|
manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
|
|
manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
|
|
manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
|
|
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
|
|
|
manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
|
|
manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
|
|
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
|
|
|
|
# proftpd requires the client side to bind a socket so that
|
|
# it can stat the socket to perform access control decisions,
|
|
# since getsockopt with SO_PEERCRED is not available on all
|
|
# proftpd-supported OSs
|
|
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
|
|
|
|
# Create and modify /var/log/xferlog.
|
|
allow ftpd_t xferlog_t:dir search_dir_perms;
|
|
allow ftpd_t xferlog_t:file manage_file_perms;
|
|
logging_log_filetrans(ftpd_t,xferlog_t,file)
|
|
|
|
kernel_read_kernel_sysctls(ftpd_t)
|
|
kernel_read_system_state(ftpd_t)
|
|
|
|
dev_read_sysfs(ftpd_t)
|
|
dev_read_urand(ftpd_t)
|
|
|
|
corecmd_exec_bin(ftpd_t)
|
|
corecmd_exec_sbin(ftpd_t)
|
|
# Execute /bin/ls (can comment this out for proftpd)
|
|
# also may need rules to allow tar etc...
|
|
corecmd_exec_ls(ftpd_t)
|
|
|
|
corenet_non_ipsec_sendrecv(ftpd_t)
|
|
corenet_tcp_sendrecv_all_if(ftpd_t)
|
|
corenet_udp_sendrecv_all_if(ftpd_t)
|
|
corenet_tcp_sendrecv_all_nodes(ftpd_t)
|
|
corenet_udp_sendrecv_all_nodes(ftpd_t)
|
|
corenet_tcp_sendrecv_all_ports(ftpd_t)
|
|
corenet_udp_sendrecv_all_ports(ftpd_t)
|
|
corenet_tcp_bind_all_nodes(ftpd_t)
|
|
corenet_tcp_bind_ftp_port(ftpd_t)
|
|
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
|
corenet_tcp_bind_generic_port(ftpd_t)
|
|
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
|
|
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
|
|
corenet_tcp_connect_all_ports(ftpd_t)
|
|
corenet_sendrecv_ftp_server_packets(ftpd_t)
|
|
|
|
domain_use_interactive_fds(ftpd_t)
|
|
|
|
files_search_etc(ftpd_t)
|
|
files_read_etc_files(ftpd_t)
|
|
files_read_etc_runtime_files(ftpd_t)
|
|
files_search_var_lib(ftpd_t)
|
|
|
|
fs_search_auto_mountpoints(ftpd_t)
|
|
fs_getattr_all_fs(ftpd_t)
|
|
|
|
term_dontaudit_use_console(ftpd_t)
|
|
|
|
auth_use_nsswitch(ftpd_t)
|
|
auth_domtrans_chk_passwd(ftpd_t)
|
|
# Append to /var/log/wtmp.
|
|
auth_append_login_records(ftpd_t)
|
|
#kerberized ftp requires the following
|
|
auth_write_login_records(ftpd_t)
|
|
auth_rw_faillog(ftpd_t)
|
|
|
|
init_use_fds(ftpd_t)
|
|
init_use_script_ptys(ftpd_t)
|
|
init_rw_utmp(ftpd_t)
|
|
|
|
libs_use_ld_so(ftpd_t)
|
|
libs_use_shared_libs(ftpd_t)
|
|
|
|
logging_send_syslog_msg(ftpd_t)
|
|
|
|
miscfiles_read_localization(ftpd_t)
|
|
miscfiles_read_public_files(ftpd_t)
|
|
|
|
seutil_dontaudit_search_config(ftpd_t)
|
|
|
|
sysnet_read_config(ftpd_t)
|
|
sysnet_use_ldap(ftpd_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
files_dontaudit_read_root_files(ftpd_t)
|
|
|
|
term_dontaudit_use_generic_ptys(ftpd_t)
|
|
term_dontaudit_use_unallocated_ttys(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_anon_write',`
|
|
miscfiles_manage_public_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_cifs',`
|
|
fs_read_cifs_files(ftpd_t)
|
|
fs_read_cifs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
|
|
fs_manage_cifs_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_nfs',`
|
|
fs_read_nfs_files(ftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
|
fs_manage_nfs_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_full_access',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
auth_manage_all_files_except_shadow(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
# allow access to /home
|
|
files_list_home(ftpd_t)
|
|
userdom_read_all_users_home_content_files(ftpd_t)
|
|
userdom_manage_all_users_home_content_dirs(ftpd_t)
|
|
userdom_manage_all_users_home_content_files(ftpd_t)
|
|
userdom_manage_all_users_home_content_symlinks(ftpd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
|
')
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
|
fs_manage_nfs_files(ftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
|
|
fs_manage_cifs_files(ftpd_t)
|
|
fs_read_cifs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftpd_is_daemon',`
|
|
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
|
|
|
|
corenet_tcp_bind_ftp_port(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`ftp_home_dir',`
|
|
apache_search_sys_content(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
corecmd_exec_shell(ftpd_t)
|
|
|
|
files_read_usr_files(ftpd_t)
|
|
|
|
cron_system_entry(ftpd_t, ftpd_exec_t)
|
|
|
|
optional_policy(`
|
|
logrotate_exec(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(ftpd_t, ftpd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_read_keytab(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#reh: typeattributes not allowed in conditionals yet.
|
|
#tunable_policy(`! ftpd_is_daemon',`
|
|
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
|
#')
|
|
|
|
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
|
|
|
optional_policy(`
|
|
tunable_policy(`! ftpd_is_daemon',`
|
|
tcpd_domtrans(tcpd_t)
|
|
')
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(ftpd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ftpdctl local policy
|
|
#
|
|
|
|
# Allow ftpdctl to talk to ftpd over a socket connection
|
|
stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t)
|
|
|
|
# ftpdctl creates a socket so that the daemon can perform
|
|
# access control decisions (see comments in ftpd_t rules above)
|
|
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
|
|
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
|
|
|
|
# Allow ftpdctl to read config files
|
|
files_read_etc_files(ftpdctl_t)
|
|
|
|
libs_use_ld_so(ftpdctl_t)
|
|
libs_use_shared_libs(ftpdctl_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_use_generic_ptys(ftpdctl_t)
|
|
')
|