8e633b70dd
This patch against version 20220106 removes the typealias rules that were in version 20210203. If we include this now then the typealias rules in question will have been there for 3 consecutive releases. But if you think we should wait until after the next release that's OK. It's obvious that this patch should be included sooner or later, I think now is a reasonable time. Signed-off-by: Russell Coker <russell@coker.com.au>
496 lines
12 KiB
Plaintext
496 lines
12 KiB
Plaintext
policy_module(ftp)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can modify
|
|
## public files used for public file
|
|
## transfer services. Directories/Files must
|
|
## be labeled public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can login to
|
|
## local users and can read and write
|
|
## all files on the system, governed by DAC.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_full_access, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can use CIFS
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_use_cifs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can use NFS
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ftpd_use_nfs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can connect to
|
|
## databases over the TCP network.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(ftpd_connect_db, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can bind to all
|
|
## unreserved ports for passive mode.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(ftpd_use_passive_mode, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can connect to
|
|
## all unreserved ports.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(ftpd_connect_all_unreserved, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether ftpd can read and write
|
|
## files in user home directories.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(ftp_home_dir, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether sftpd can modify
|
|
## public files used for public file
|
|
## transfer services. Directories/Files must
|
|
## be labeled public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether sftpd-can read and write
|
|
## files in user home directories.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_enable_homedirs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether sftpd-can login to
|
|
## local users and read and write all
|
|
## files on the system, governed by DAC.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_full_access, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether sftpd can read and write
|
|
## files in user ssh home directories.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sftpd_write_ssh_home, false)
|
|
|
|
attribute_role ftpdctl_roles;
|
|
|
|
type anon_sftpd_t;
|
|
domain_type(anon_sftpd_t)
|
|
role system_r types anon_sftpd_t;
|
|
|
|
type ftpd_t;
|
|
type ftpd_exec_t;
|
|
init_daemon_domain(ftpd_t, ftpd_exec_t)
|
|
|
|
type ftpd_etc_t;
|
|
files_config_file(ftpd_etc_t)
|
|
|
|
type ftpd_initrc_exec_t;
|
|
init_script_file(ftpd_initrc_exec_t)
|
|
|
|
type ftpd_keytab_t;
|
|
files_type(ftpd_keytab_t)
|
|
|
|
type ftpd_lock_t;
|
|
files_lock_file(ftpd_lock_t)
|
|
|
|
type ftpd_runtime_t alias ftpd_var_run_t;
|
|
files_runtime_file(ftpd_runtime_t)
|
|
|
|
type ftpd_tmp_t;
|
|
files_tmp_file(ftpd_tmp_t)
|
|
|
|
type ftpd_tmpfs_t;
|
|
files_tmpfs_file(ftpd_tmpfs_t)
|
|
|
|
type ftpd_unit_t;
|
|
init_unit_file(ftpd_unit_t)
|
|
|
|
type ftpdctl_t;
|
|
type ftpdctl_exec_t;
|
|
init_system_domain(ftpdctl_t, ftpdctl_exec_t)
|
|
role ftpdctl_roles types ftpdctl_t;
|
|
|
|
type ftpdctl_tmp_t;
|
|
files_tmp_file(ftpdctl_tmp_t)
|
|
|
|
type sftpd_t;
|
|
domain_type(sftpd_t)
|
|
role system_r types sftpd_t;
|
|
|
|
type xferlog_t;
|
|
logging_log_file(xferlog_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource };
|
|
dontaudit ftpd_t self:capability sys_tty_config;
|
|
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
|
|
allow ftpd_t self:fifo_file rw_fifo_file_perms;
|
|
allow ftpd_t self:unix_dgram_socket sendto;
|
|
allow ftpd_t self:unix_stream_socket { accept listen };
|
|
allow ftpd_t self:tcp_socket { accept listen };
|
|
allow ftpd_t self:shm create_shm_perms;
|
|
allow ftpd_t self:key manage_key_perms;
|
|
|
|
allow ftpd_t ftpd_etc_t:file read_file_perms;
|
|
|
|
allow ftpd_t ftpd_keytab_t:file read_file_perms;
|
|
|
|
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
|
|
|
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
|
|
manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
|
|
manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
|
|
files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
|
|
|
|
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
|
|
|
|
allow ftpd_t xferlog_t:dir setattr_dir_perms;
|
|
append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
|
create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
|
setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
|
logging_log_filetrans(ftpd_t, xferlog_t, file)
|
|
|
|
kernel_read_kernel_sysctls(ftpd_t)
|
|
kernel_read_system_state(ftpd_t)
|
|
kernel_search_network_state(ftpd_t)
|
|
|
|
dev_read_sysfs(ftpd_t)
|
|
dev_read_urand(ftpd_t)
|
|
|
|
corecmd_exec_bin(ftpd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(ftpd_t)
|
|
corenet_tcp_sendrecv_generic_if(ftpd_t)
|
|
corenet_udp_sendrecv_generic_if(ftpd_t)
|
|
corenet_tcp_sendrecv_generic_node(ftpd_t)
|
|
corenet_udp_sendrecv_generic_node(ftpd_t)
|
|
corenet_tcp_bind_generic_node(ftpd_t)
|
|
|
|
corenet_sendrecv_ftp_server_packets(ftpd_t)
|
|
corenet_tcp_bind_ftp_port(ftpd_t)
|
|
|
|
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
|
|
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
|
|
|
domain_use_interactive_fds(ftpd_t)
|
|
|
|
files_read_etc_files(ftpd_t)
|
|
files_read_etc_runtime_files(ftpd_t)
|
|
files_search_var_lib(ftpd_t)
|
|
|
|
fs_search_auto_mountpoints(ftpd_t)
|
|
fs_getattr_all_fs(ftpd_t)
|
|
fs_search_fusefs(ftpd_t)
|
|
|
|
auth_use_pam(ftpd_t)
|
|
auth_write_login_records(ftpd_t)
|
|
auth_rw_faillog(ftpd_t)
|
|
auth_manage_var_auth(ftpd_t)
|
|
|
|
init_rw_utmp(ftpd_t)
|
|
|
|
logging_send_audit_msgs(ftpd_t)
|
|
logging_send_syslog_msg(ftpd_t)
|
|
logging_set_loginuid(ftpd_t)
|
|
|
|
miscfiles_read_localization(ftpd_t)
|
|
miscfiles_read_public_files(ftpd_t)
|
|
|
|
seutil_dontaudit_search_config(ftpd_t)
|
|
|
|
sysnet_use_ldap(ftpd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
|
userdom_dontaudit_search_user_home_dirs(ftpd_t)
|
|
|
|
tunable_policy(`allow_ftpd_anon_write',`
|
|
miscfiles_manage_public_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_cifs',`
|
|
fs_read_cifs_files(ftpd_t)
|
|
fs_read_cifs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
|
|
fs_manage_cifs_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_nfs',`
|
|
fs_read_nfs_files(ftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
|
fs_manage_nfs_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_ftpd_full_access',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
files_manage_non_auth_files(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftpd_use_passive_mode',`
|
|
corenet_sendrecv_all_server_packets(ftpd_t)
|
|
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftpd_connect_all_unreserved',`
|
|
corenet_sendrecv_all_client_packets(ftpd_t)
|
|
corenet_tcp_connect_all_unreserved_ports(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftpd_connect_db',`
|
|
corenet_sendrecv_gds_db_client_packets(ftpd_t)
|
|
corenet_tcp_connect_gds_db_port(ftpd_t)
|
|
corenet_sendrecv_mssql_client_packets(ftpd_t)
|
|
corenet_tcp_connect_mssql_port(ftpd_t)
|
|
corenet_sendrecv_oracledb_client_packets(ftpd_t)
|
|
corenet_tcp_connect_oracledb_port(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
userdom_manage_user_home_content_dirs(ftpd_t)
|
|
userdom_manage_user_home_content_files(ftpd_t)
|
|
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
|
|
userdom_manage_user_tmp_dirs(ftpd_t)
|
|
userdom_manage_user_tmp_files(ftpd_t)
|
|
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
|
|
userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
|
|
',`
|
|
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
|
|
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
|
|
userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(ftpd_t)
|
|
fs_manage_nfs_files(ftpd_t)
|
|
fs_manage_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(ftpd_t)
|
|
fs_manage_cifs_files(ftpd_t)
|
|
fs_manage_cifs_symlinks(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`ftp_home_dir',`
|
|
apache_search_sys_content(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
corecmd_exec_shell(ftpd_t)
|
|
|
|
files_read_usr_files(ftpd_t)
|
|
|
|
cron_system_entry(ftpd_t, ftpd_exec_t)
|
|
|
|
optional_policy(`
|
|
logrotate_exec(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(ftpd_t, ftpd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fail2ban_read_lib_files(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
selinux_validate_context(ftpd_t)
|
|
|
|
kerberos_read_keytab(ftpd_t)
|
|
kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
|
|
kerberos_use(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(ftpd_t)
|
|
|
|
tunable_policy(`ftpd_connect_db',`
|
|
mysql_tcp_connect(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(ftpd_t)
|
|
|
|
tunable_policy(`ftpd_connect_db',`
|
|
postgresql_tcp_connect(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
|
|
|
|
optional_policy(`
|
|
tcpd_domtrans(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(ftpd_t)
|
|
|
|
optional_policy(`
|
|
oddjob_dbus_chat(ftpd_t)
|
|
oddjob_domtrans_mkhomedir(ftpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(ftpd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Ctl local policy
|
|
#
|
|
|
|
stream_connect_pattern(ftpdctl_t, ftpd_runtime_t, ftpd_runtime_t, ftpd_t)
|
|
|
|
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
|
|
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
|
|
|
|
files_read_etc_files(ftpdctl_t)
|
|
files_search_runtime(ftpdctl_t)
|
|
|
|
userdom_use_user_terminals(ftpdctl_t)
|
|
|
|
########################################
|
|
#
|
|
# Anon sftpd local policy
|
|
#
|
|
|
|
files_read_etc_files(anon_sftpd_t)
|
|
|
|
miscfiles_read_public_files(anon_sftpd_t)
|
|
|
|
tunable_policy(`sftpd_anon_write',`
|
|
miscfiles_manage_public_files(anon_sftpd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Sftpd local policy
|
|
#
|
|
|
|
files_read_etc_files(sftpd_t)
|
|
|
|
userdom_read_user_home_content_files(sftpd_t)
|
|
userdom_read_user_home_content_symlinks(sftpd_t)
|
|
|
|
tunable_policy(`sftpd_enable_homedirs',`
|
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
userdom_manage_user_home_content_dirs(sftpd_t)
|
|
userdom_manage_user_home_content_files(sftpd_t)
|
|
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
|
|
userdom_manage_user_tmp_dirs(sftpd_t)
|
|
userdom_manage_user_tmp_files(sftpd_t)
|
|
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
|
|
userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
|
|
',`
|
|
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
|
|
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
|
|
userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
|
|
')
|
|
|
|
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(sftpd_t)
|
|
fs_manage_nfs_files(sftpd_t)
|
|
fs_manage_nfs_symlinks(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(sftpd_t)
|
|
fs_manage_cifs_files(sftpd_t)
|
|
fs_manage_cifs_symlinks(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`sftpd_anon_write',`
|
|
miscfiles_manage_public_files(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`sftpd_full_access',`
|
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
|
fs_read_noxattr_fs_files(sftpd_t)
|
|
files_manage_non_auth_files(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_list_cifs(sftpd_t)
|
|
fs_read_cifs_files(sftpd_t)
|
|
fs_read_cifs_symlinks(sftpd_t)
|
|
')
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_list_nfs(sftpd_t)
|
|
fs_read_nfs_files(sftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`sftpd_write_ssh_home',`
|
|
ssh_manage_home_files(sftpd_t)
|
|
')
|
|
')
|