selinux-policy/policy/modules/services/ftp.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00


# Declares the ftp policy module, version 1.5.1.
policy_module(ftp,1.5.1)
########################################
#
# Declarations
#
# All five tunables below default to false, so the access each one gates
# is off until an administrator enables it.
#
# allow_ftpd_anon_write: gates miscfiles_manage_public_files for ftpd_t and,
# combined with the cifs/nfs tunables, the manage rules for those filesystems.
## <desc>
## <p>
## Allow ftp servers to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write,false)
# allow_ftpd_full_access: the broadest tunable in this module. The rules it
# gates later in this file add dac_override and dac_read_search to ftpd_t and
# call auth_manage_all_files_except_shadow.
## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access,false)
# allow_ftpd_use_cifs: on its own this gates only the fs_read_cifs_* calls;
# fs_manage_cifs_files additionally requires allow_ftpd_anon_write.
## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs,false)
# allow_ftpd_use_nfs: on its own this gates only the fs_read_nfs_* calls;
# fs_manage_nfs_files additionally requires allow_ftpd_anon_write.
## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs,false)
# ftp_home_dir: besides the home directory interfaces, the rules gated by
# this tunable also add dac_override and dac_read_search to ftpd_t.
## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir,false)
# Daemon domain ftpd_t, entered through executables labeled ftpd_exec_t.
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t,ftpd_exec_t)
# Private file types for the daemon: configuration, lock, tmp, tmpfs and pid files.
type ftpd_etc_t;
files_config_file(ftpd_etc_t)
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
type ftpd_tmp_t;
files_tmp_file(ftpd_tmp_t)
type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)
type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)
# Separate domain for the ftpdctl control utility, with its own tmp type.
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t,ftpdctl_exec_t)
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
# Log file type for the transfer log (see the /var/log/xferlog rules below).
type xferlog_t;
logging_log_file(xferlog_t)
########################################
#
# ftpd local policy
#
# Unconditional rules for the ftpd_t daemon domain. Rules gated by tunables,
# ifdef or optional_policy follow this run.
#
# Capabilities held unconditionally. dac_override and dac_read_search are
# not in this set; they are granted only under the allow_ftpd_full_access
# and ftp_home_dir tunables further down.
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
# Denied sys_tty_config requests are not audited.
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
# Sockets and fifos the daemon creates for itself.
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
# Configuration is read-only for the daemon.
allow ftpd_t ftpd_etc_t:file read_file_perms;
# Private lock, tmp, tmpfs and pid files: managed by ftpd_t, with a type
# transition so objects it creates in those locations get the private type.
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
# Only getattr and unlink are granted on the ftpdctl socket file;
# ftpd_t gets no create or write permission on it here.
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:dir search_dir_perms;
allow ftpd_t xferlog_t:file manage_file_perms;
logging_log_filetrans(ftpd_t,xferlog_t,file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
# Labeled networking: one call for unlabeled peers, one for NetLabel peers.
corenet_all_recvfrom_unlabeled(ftpd_t)
corenet_all_recvfrom_netlabel(ftpd_t)
# NOTE(review): the calls below let ftpd_t send and receive on all
# interfaces, nodes and ports, bind any unreserved TCP port and connect to
# any TCP port. Presumably this is for FTP data connections - confirm, since
# it means ftpd_t is not confined to the FTP ports at this layer.
corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
corenet_tcp_sendrecv_all_nodes(ftpd_t)
corenet_udp_sendrecv_all_nodes(ftpd_t)
corenet_tcp_sendrecv_all_ports(ftpd_t)
corenet_udp_sendrecv_all_ports(ftpd_t)
corenet_tcp_bind_all_nodes(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
# Binds to ports outside the allowed set are denied without an audit
# record, so they will not show up when reviewing AVC denials.
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)
domain_use_interactive_fds(ftpd_t)
files_search_etc(ftpd_t)
files_read_etc_files(ftpd_t)
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
# Authentication: name service lookups plus a transition to the password
# checking helper (by interface name; the helper domain is defined elsewhere).
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
# NOTE(review): write access to login records is wider than the append
# granted just above; confirm it is still needed outside kerberized setups.
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)
init_rw_utmp(ftpd_t)
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
miscfiles_read_localization(ftpd_t)
# Public content is read-only here; managing it requires allow_ftpd_anon_write.
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)
userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
# Conditional rules for ftpd_t. Everything in this run is gated either by
# the targeted_policy build option or by a boolean declared with gen_tunable.
#
# Targeted policy only: silence audit records for these denied accesses.
ifdef(`targeted_policy',`
files_dontaudit_read_root_files(ftpd_t)
term_dontaudit_use_generic_ptys(ftpd_t)
term_dontaudit_use_unallocated_ttys(ftpd_t)
')
# Anonymous upload: lets ftpd_t manage public content instead of only reading it.
tunable_policy(`allow_ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
# CIFS: read access with allow_ftpd_use_cifs alone, manage access only when
# allow_ftpd_anon_write is enabled as well.
tunable_policy(`allow_ftpd_use_cifs',`
fs_read_cifs_files(ftpd_t)
fs_read_cifs_symlinks(ftpd_t)
')
tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
fs_manage_cifs_files(ftpd_t)
')
# NFS: same split as CIFS above.
tunable_policy(`allow_ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
fs_manage_nfs_files(ftpd_t)
')
# Full access: adds the DAC bypass capabilities and the interface that, by
# its name, manages every file type except shadow. With this enabled the
# type enforcement confinement of ftpd_t on files is largely removed, so
# treat the boolean as a high-impact setting when auditing a host.
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
auth_manage_all_files_except_shadow(ftpd_t)
')
# Home directory access. Note that this also grants dac_override and
# dac_read_search, the same capabilities as allow_ftpd_full_access; the
# capability grant itself is not limited to home content, only the file
# interfaces below are.
tunable_policy(`ftp_home_dir',`
allow ftpd_t self:capability { dac_override dac_read_search };
# allow access to /home
files_list_home(ftpd_t)
userdom_read_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
ifdef(`targeted_policy',`
userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
')
# Home directories on network filesystems. use_nfs_home_dirs and
# use_samba_home_dirs are not declared in this module; presumably they are
# global tunables defined elsewhere - confirm.
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
fs_manage_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
')
tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
fs_manage_cifs_files(ftpd_t)
fs_read_cifs_symlinks(ftpd_t)
')
# Optional rules for ftpd_t. Each optional_policy block applies only when
# the module providing the called interfaces is present in the policy.
#
# Apache content search, additionally gated by the ftp_home_dir tunable.
optional_policy(`
tunable_policy(`ftp_home_dir',`
apache_search_sys_content(ftpd_t)
')
')
# Cron integration: registers ftpd_exec_t as a system cron entry point for
# ftpd_t and, alongside it, lets ftpd_t execute a shell and read usr files.
# NOTE(review): shell execution is a notable grant for a network-facing
# daemon domain; confirm which cron job needs it.
optional_policy(`
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
cron_system_entry(ftpd_t, ftpd_exec_t)
optional_policy(`
logrotate_exec(ftpd_t)
')
')
optional_policy(`
daemontools_service_domain(ftpd_t, ftpd_exec_t)
')
# Kerberos keytab read access, for kerberized ftp.
optional_policy(`
kerberos_read_keytab(ftpd_t)
')
# Running ftpd as an inetd TCP service.
optional_policy(`
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
optional_policy(`
# NOTE(review): the argument here is tcpd_t, not ftpd_t, and tcpd_t is not
# declared in the visible part of this module. Confirm this is the intended
# source domain for the transition.
tcpd_domtrans(tcpd_t)
')
')
optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
optional_policy(`
udev_read_db(ftpd_t)
')
########################################
#
# ftpdctl local policy
#
# Rules for the ftpdctl_t control utility domain. The set is small: connect
# to the daemon socket, create its own socket file in tmp, read etc files
# and load shared libraries.
#
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t)
# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
# The matching ftpd_t rule grants only getattr and unlink on this type.
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
# NOTE(review): this grants read on generic etc files; no rule in this
# section gives ftpdctl_t access to ftpd_etc_t - confirm that is intended.
files_read_etc_files(ftpdctl_t)
libs_use_ld_so(ftpdctl_t)
libs_use_shared_libs(ftpdctl_t)
# Targeted policy only: ftpdctl may use generic ptys.
ifdef(`targeted_policy',`
term_use_generic_ptys(ftpdctl_t)
')