diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index ccf97043c..d63d86af2 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -71,6 +71,10 @@ gen_tunable(httpd_can_network_connect,false)
 ## Allow httpd cgi support
 gen_tunable(httpd_enable_cgi,false)
 
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+gen_tunable(httpd_enable_ftp_server,false)
+
 ## Allow httpd to read home directories
 gen_tunable(httpd_enable_homedirs,false)
 
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index ba0b38596..03f5f29b8 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -344,6 +344,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
 ')
 
+tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 fs_read_nfs_files(httpd_t)
 fs_read_nfs_symlinks(httpd_t)
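Review bot: The description above `gen_tunable(httpd_enable_ftp_server,false)` does not make clear how narrow the grant is, which is what an administrator needs to know before flipping the boolean. Judging by the apache.te hunk in this same commit, the boolean only lets httpd_t bind the ftp port, so I would word the two comment lines as `## Allow httpd to bind the ftp port so that` and `## it can act as an FTP server.` (this also fixes "a FTP"). Defaulting to false is the right choice for a boolean that opens an additional listening port on the web server domain.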
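Review bot: The new `httpd_enable_ftp_server` block in apache.te grants only `corenet_tcp_bind_ftp_port(httpd_t)`, which covers the FTP control port; nothing in this hunk covers the data channel (a passive-mode listener on another port, or active-mode outbound connections). If httpd_t does not already get those permissions elsewhere in apache.te, enabling the boolean will probably produce AVC denials on transfers. Administrators often respond to that with a broad local module or permissive mode, which is worse than a scoped rule here. Please check what the FTP module in httpd actually needs and, if anything is missing, add the narrowest matching corenet interface inside this same block. A one-line comment above the rule, such as `# control channel only: name_bind on the ftp port`, would record the intended scope.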