selinux-policy/policy/modules/services/ftp.te

465 lines
11 KiB
Plaintext

policy_module(ftp, 1.12.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow ftp servers to upload files, used for public file
## transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)
## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)
## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)
## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)
## <desc>
## <p>
## Allow ftp servers to use connect to mysql database
## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)
## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir, false)
## <desc>
## <p>
## Allow anon internal-sftp to upload files, used for
## public file transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)
## <desc>
## <p>
## Allow sftp-internal to read and write files
## in the user home directories
## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)
## <desc>
## <p>
## Allow sftp-internal to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(sftpd_full_access, false)
## <desc>
## <p>
## Allow interlnal-sftp to read and write files
## in the user ssh home directories.
## </p>
## </desc>
gen_tunable(sftpd_write_ssh_home, false)
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
role system_r types anon_sftpd_t;
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)
type ftpd_etc_t;
files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)
type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)
type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t, ftpdctl_exec_t)
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;
type xferlog_t;
logging_log_file(xferlog_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
')
########################################
#
# anon-sftp local policy
#
files_read_etc_files(anon_sftpd_t)
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
miscfiles_manage_public_files(anon_sftpd_t)
')
########################################
#
# ftpd local policy
#
allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
kernel_search_network_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
corenet_tcp_sendrecv_generic_node(ftpd_t)
corenet_udp_sendrecv_generic_node(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)
domain_use_interactive_fds(ftpd_t)
files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
fs_search_fusefs(ftpd_t)
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)
init_rw_utmp(ftpd_t)
logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
tunable_policy(`allow_ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
tunable_policy(`allow_ftpd_use_cifs',`
fs_read_cifs_files(ftpd_t)
fs_read_cifs_symlinks(ftpd_t)
')
tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
fs_manage_cifs_files(ftpd_t)
')
tunable_policy(`allow_ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
fs_manage_nfs_files(ftpd_t)
')
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
auth_manage_all_files_except_shadow(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
allow ftpd_t self:capability { dac_override dac_read_search };
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
userdom_manage_user_home_content(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, file)
',`
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
fs_manage_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
fs_manage_cifs_files(ftpd_t)
fs_read_cifs_symlinks(ftpd_t)
')
optional_policy(`
tunable_policy(`ftp_home_dir',`
apache_search_sys_content(ftpd_t)
')
')
optional_policy(`
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
cron_system_entry(ftpd_t, ftpd_exec_t)
optional_policy(`
logrotate_exec(ftpd_t)
')
')
optional_policy(`
daemontools_service_domain(ftpd_t, ftpd_exec_t)
')
optional_policy(`
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
kerberos_manage_host_rcache(ftpd_t)
')
optional_policy(`
tunable_policy(`ftpd_connect_db',`
mysql_stream_connect(ftpd_t)
')
')
optional_policy(`
tunable_policy(`ftpd_connect_db',`
postgresql_stream_connect(ftpd_t)
')
')
tunable_policy(`ftpd_connect_db',`
mysql_tcp_connect(ftpd_t)
postgresql_tcp_connect(ftpd_t)
')
optional_policy(`
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
tcpd_domtrans(tcpd_t)
')
')
optional_policy(`
dbus_system_bus_client(ftpd_t)
optional_policy(`
oddjob_dbus_chat(ftpd_t)
oddjob_domtrans_mkhomedir(ftpd_t)
')
')
optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
optional_policy(`
udev_read_db(ftpd_t)
')
########################################
#
# ftpdctl local policy
#
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
files_search_pids(ftpdctl_t)
# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)
userdom_use_user_terminals(ftpdctl_t)
########################################
#
# sftpd local policy
#
files_read_etc_files(sftpd_t)
# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
userdom_dontaudit_list_admin_dir(sftpd_t)
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
auth_manage_all_files_except_shadow(sftpd_t)
')
tunable_policy(`sftpd_write_ssh_home',`
ssh_manage_home_files(sftpd_t)
')
tunable_policy(`sftpd_enable_homedirs',`
allow sftpd_t self:capability { dac_override dac_read_search };
# allow access to /home
files_list_home(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_manage_user_home_content(sftpd_t)
',`
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
fs_manage_nfs_dirs(sftpd_t)
fs_manage_nfs_files(sftpd_t)
fs_manage_nfs_symlinks(sftpd_t)
')
tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
fs_manage_cifs_dirs(sftpd_t)
fs_manage_cifs_files(sftpd_t)
fs_manage_cifs_symlinks(sftpd_t)
')
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
auth_manage_all_files_except_shadow(sftpd_t)
')
tunable_policy(`use_samba_home_dirs',`
# allow read access to /home by default
fs_list_cifs(sftpd_t)
fs_read_cifs_files(sftpd_t)
fs_read_cifs_symlinks(sftpd_t)
')
tunable_policy(`use_nfs_home_dirs',`
# allow read access to /home by default
fs_list_nfs(sftpd_t)
fs_read_nfs_files(sftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')