commit: 97a9a51432d185833b6094c0ecd74596a3132fba |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 1 10:26:16 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:07:21 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=97a9a514 |
|
Changes to the ftp module |
|
Ported from Fedora with changes |
|
Removed rules to allow ftpd_t to create content in /tmp with ftpd_tmp_t |
type as this should not be needed. Instead make sure that ftpd_t can |
create content on behalf of users in /tmp with the user_tmp_t |
conditionally. |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/ftp.fc | 27 ++--- |
policy/modules/contrib/ftp.if | 49 ++++---- |
policy/modules/contrib/ftp.te | 275 ++++++++++++++++++++++++++-------------- |
3 files changed, 216 insertions(+), 135 deletions(-) |
|
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc |
26 |
index 69dcd2a..ddb75c1 100644 |
27 |
--- a/policy/modules/contrib/ftp.fc |
28 |
+++ b/policy/modules/contrib/ftp.fc |
29 |
@@ -1,14 +1,10 @@ |
30 |
-# |
31 |
-# /etc |
32 |
-# |
33 |
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) |
34 |
-/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) |
35 |
-/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) |
36 |
-/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) |
37 |
|
38 |
-# |
39 |
-# /usr |
40 |
-# |
41 |
+/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) |
42 |
+ |
43 |
+/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) |
44 |
+/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) |
45 |
+ |
46 |
/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0) |
47 |
|
48 |
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) |
49 |
@@ -19,13 +15,14 @@ |
50 |
/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) |
51 |
/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) |
52 |
|
53 |
-# |
54 |
-# /var |
55 |
-# |
56 |
-/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) |
57 |
+/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) |
58 |
+ |
59 |
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) |
60 |
+ |
61 |
+/var/lock/subsys/*.ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0) |
62 |
|
63 |
-/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) |
64 |
-/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) |
65 |
+/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) |
66 |
+/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) |
67 |
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) |
68 |
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) |
69 |
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) |
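Review bot: The new entry `/var/lock/subsys/*.ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0)` does not look like it matches the lock files of the daemons this module labels: in file-context regex syntax `/*` is zero or more slashes and `.` is exactly one character, so `/var/lock/subsys/vsftpd` and `/var/lock/subsys/proftpd` fall through to the generic lock label on a relabel. Presumably `/var/lock/subsys/.*ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0)` was intended, or the two names should be listed explicitly. The daemon's own lock files are still labeled at creation time by `files_lock_filetrans(ftpd_t, ftpd_lock_t, file)` in ftp.te, so this mainly affects restorecon runs, but it should be fixed before the pattern gets copied elsewhere.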
70 |
|
71 |
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if |
72 |
index 9d3201b..d062080 100644 |
73 |
--- a/policy/modules/contrib/ftp.if |
74 |
+++ b/policy/modules/contrib/ftp.if |
75 |
@@ -1,8 +1,8 @@ |
76 |
-## <summary>File transfer protocol service</summary> |
77 |
+## <summary>File transfer protocol service.</summary> |
78 |
|
79 |
####################################### |
80 |
## <summary> |
81 |
-## Allow domain dyntransition to sftpd_anon domain. |
82 |
+## Execute a dyntransition to run anon sftpd. |
83 |
## </summary> |
84 |
## <param name="domain"> |
85 |
## <summary> |
86 |
@@ -20,7 +20,7 @@ interface(`ftp_dyntrans_anon_sftpd',` |
87 |
|
88 |
######################################## |
89 |
## <summary> |
90 |
-## Use ftp by connecting over TCP. (Deprecated) |
91 |
+## Connect to over ftpd over TCP. (Deprecated) |
92 |
## </summary> |
93 |
## <param name="domain"> |
94 |
## <summary> |
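Review bot: The new summary reads `## Connect to over ftpd over TCP. (Deprecated)`, which has a duplicated preposition; it should be `## Connect to ftpd over TCP. (Deprecated)`. Since the interface is marked deprecated, naming its replacement in the summary would also help callers migrate, if one exists (not visible in this hunk).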
95 |
@@ -34,7 +34,7 @@ interface(`ftp_tcp_connect',` |
96 |
|
97 |
######################################## |
98 |
## <summary> |
99 |
-## Read ftpd etc files |
100 |
+## Read ftpd configuration files. |
101 |
## </summary> |
102 |
## <param name="domain"> |
103 |
## <summary> |
104 |
@@ -67,12 +67,12 @@ interface(`ftp_check_exec',` |
105 |
') |
106 |
|
107 |
corecmd_search_bin($1) |
108 |
- allow $1 ftpd_exec_t:file { getattr execute }; |
109 |
+ allow $1 ftpd_exec_t:file mmap_file_perms; |
110 |
') |
111 |
|
112 |
######################################## |
113 |
## <summary> |
114 |
-## Read FTP transfer logs |
115 |
+## Read ftpd log files. |
116 |
## </summary> |
117 |
## <param name="domain"> |
118 |
## <summary> |
119 |
@@ -91,7 +91,7 @@ interface(`ftp_read_log',` |
120 |
|
121 |
######################################## |
122 |
## <summary> |
123 |
-## Execute the ftpdctl program in the ftpdctl domain. |
124 |
+## Execute the ftpdctl in the ftpdctl domain. |
125 |
## </summary> |
126 |
## <param name="domain"> |
127 |
## <summary> |
128 |
@@ -110,7 +110,9 @@ interface(`ftp_domtrans_ftpdctl',` |
129 |
|
130 |
######################################## |
131 |
## <summary> |
132 |
-## Execute the ftpdctl program in the ftpdctl domain. |
133 |
+## Execute the ftpdctl in the ftpdctl |
134 |
+## domain, and allow the specified |
135 |
+## role the ftpctl domain. |
136 |
## </summary> |
137 |
## <param name="domain"> |
138 |
## <summary> |
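Review bot: The third line of the new summary says `## role the ftpctl domain.`, but the domain this interface grants is ftpdctl_t, so it should read `## role the ftpdctl domain.` The phrase "allow the specified role the ftpctl domain" is also awkward; `## domain, and allow the specified` followed by `## role access to the ftpdctl domain.` states what the roleattribute rule does.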
139 |
@@ -119,23 +121,23 @@ interface(`ftp_domtrans_ftpdctl',` |
140 |
## </param> |
141 |
## <param name="role"> |
142 |
## <summary> |
143 |
-## The role to allow the ftpdctl domain. |
144 |
+## Role allowed access. |
145 |
## </summary> |
146 |
## </param> |
147 |
## <rolecap/> |
148 |
# |
149 |
interface(`ftp_run_ftpdctl',` |
150 |
gen_require(` |
151 |
- type ftpdctl_t; |
152 |
+ attribute_role ftpdctl_roles; |
153 |
') |
154 |
|
155 |
ftp_domtrans_ftpdctl($1) |
156 |
- role $2 types ftpdctl_t; |
157 |
+ roleattribute $2 ftpdctl_roles; |
158 |
') |
159 |
|
160 |
####################################### |
161 |
## <summary> |
162 |
-## Allow domain dyntransition to sftpd domain. |
163 |
+## Execute a dyntransition to run sftpd. |
164 |
## </summary> |
165 |
## <param name="domain"> |
166 |
## <summary> |
167 |
@@ -153,8 +155,8 @@ interface(`ftp_dyntrans_sftpd',` |
168 |
|
169 |
######################################## |
170 |
## <summary> |
171 |
-## All of the rules required to administrate |
172 |
-## an ftp environment |
173 |
+## All of the rules required to |
174 |
+## administrate an ftp environment. |
175 |
## </summary> |
176 |
## <param name="domain"> |
177 |
## <summary> |
178 |
@@ -163,7 +165,7 @@ interface(`ftp_dyntrans_sftpd',` |
179 |
## </param> |
180 |
## <param name="role"> |
181 |
## <summary> |
182 |
-## The role to be allowed to manage the ftp domain. |
183 |
+## Role allowed access. |
184 |
## </summary> |
185 |
## </param> |
186 |
## <rolecap/> |
187 |
@@ -171,26 +173,23 @@ interface(`ftp_dyntrans_sftpd',` |
188 |
interface(`ftp_admin',` |
189 |
gen_require(` |
190 |
type ftpd_t, ftpdctl_t, ftpd_tmp_t; |
191 |
- type ftpd_etc_t, ftpd_lock_t; |
192 |
- type ftpd_var_run_t, xferlog_t; |
193 |
- type ftpd_initrc_exec_t; |
194 |
+ type ftpd_etc_t, ftpd_lock_t, sftpd_t; |
195 |
+ type ftpd_var_run_t, xferlog_t, anon_sftpd_t; |
196 |
+ type ftpd_initrc_exec_t, ftpdctl_tmp_t; |
197 |
') |
198 |
|
199 |
- allow $1 ftpd_t:process { ptrace signal_perms }; |
200 |
- ps_process_pattern($1, ftpd_t) |
201 |
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; |
202 |
+ ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) |
203 |
|
204 |
init_labeled_script_domtrans($1, ftpd_initrc_exec_t) |
205 |
domain_system_change_exemption($1) |
206 |
role_transition $2 ftpd_initrc_exec_t system_r; |
207 |
allow $2 system_r; |
208 |
|
209 |
- ps_process_pattern($1, ftpdctl_t) |
210 |
- ftp_run_ftpdctl($1, $2) |
211 |
- |
212 |
miscfiles_manage_public_files($1) |
213 |
|
214 |
files_list_tmp($1) |
215 |
- admin_pattern($1, ftpd_tmp_t) |
216 |
+ admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t }) |
217 |
|
218 |
files_list_etc($1) |
219 |
admin_pattern($1, ftpd_etc_t) |
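Review bot: The type set in the new process rule, `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };`, names `anon_sftpd`, which is not a declared type: the gen_require block above requires `anon_sftpd_t`, and the ps_process_pattern on the very next line uses `anon_sftpd_t`. As written the interface will fail at policy build time for any caller of ftp_admin with an undeclared-type error. It should be `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };`.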
220 |
@@ -203,4 +202,6 @@ interface(`ftp_admin',` |
221 |
|
222 |
logging_list_logs($1) |
223 |
admin_pattern($1, xferlog_t) |
224 |
+ |
225 |
+ ftp_run_ftpdctl($1, $2) |
226 |
') |
227 |
|
228 |
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te |
229 |
index 80026bb..e50f33c 100644 |
230 |
--- a/policy/modules/contrib/ftp.te |
231 |
+++ b/policy/modules/contrib/ftp.te |
232 |
@@ -1,4 +1,4 @@ |
233 |
-policy_module(ftp, 1.14.0) |
234 |
+policy_module(ftp, 1.14.1) |
235 |
|
236 |
######################################## |
237 |
# |
238 |
@@ -6,70 +6,109 @@ policy_module(ftp, 1.14.0) |
239 |
# |
240 |
|
241 |
## <desc> |
242 |
-## <p> |
243 |
-## Allow ftp servers to upload files, used for public file |
244 |
-## transfer services. Directories must be labeled |
245 |
-## public_content_rw_t. |
246 |
-## </p> |
247 |
+## <p> |
248 |
+## Determine whether ftpd can modify |
249 |
+## public files used for public file |
250 |
+## transfer services. Directories/Files must |
251 |
+## be labeled public_content_rw_t. |
252 |
+## </p> |
253 |
## </desc> |
254 |
gen_tunable(allow_ftpd_anon_write, false) |
255 |
|
256 |
## <desc> |
257 |
-## <p> |
258 |
-## Allow ftp servers to login to local users and |
259 |
-## read/write all files on the system, governed by DAC. |
260 |
-## </p> |
261 |
+## <p> |
262 |
+## Determine whether ftpd can login to |
263 |
+## local users and can read and write |
264 |
+## all files on the system, governed by DAC. |
265 |
+## </p> |
266 |
## </desc> |
267 |
gen_tunable(allow_ftpd_full_access, false) |
268 |
|
269 |
## <desc> |
270 |
-## <p> |
271 |
-## Allow ftp servers to use cifs |
272 |
-## used for public file transfer services. |
273 |
-## </p> |
274 |
+## <p> |
275 |
+## Determine whether ftpd can use CIFS |
276 |
+## used for public file transfer services. |
277 |
+## </p> |
278 |
## </desc> |
279 |
gen_tunable(allow_ftpd_use_cifs, false) |
280 |
|
281 |
## <desc> |
282 |
-## <p> |
283 |
-## Allow ftp servers to use nfs |
284 |
-## used for public file transfer services. |
285 |
-## </p> |
286 |
+## <p> |
287 |
+## Determine whether ftpd can use NFS |
288 |
+## used for public file transfer services. |
289 |
+## </p> |
290 |
## </desc> |
291 |
gen_tunable(allow_ftpd_use_nfs, false) |
292 |
|
293 |
## <desc> |
294 |
-## <p> |
295 |
-## Allow ftp to read and write files in the user home directories |
296 |
-## </p> |
297 |
+## <p> |
298 |
+## Determine whether ftpd can connect to |
299 |
+## databases over the TCP network. |
300 |
+## </p> |
301 |
+## </desc> |
302 |
+gen_tunable(ftpd_connect_db, false) |
303 |
+ |
304 |
+## <desc> |
305 |
+## <p> |
306 |
+## Determine whether ftpd can bind to all |
307 |
+## unreserved ports for passive mode. |
308 |
+## </p> |
309 |
+## </desc> |
310 |
+gen_tunable(ftpd_use_passive_mode, false) |
311 |
+ |
312 |
+## <desc> |
313 |
+## <p> |
314 |
+## Determine whether ftpd can connect to |
315 |
+## all unreserved ports. |
316 |
+## </p> |
317 |
+## </desc> |
318 |
+gen_tunable(ftpd_connect_all_unreserved, false) |
319 |
+ |
320 |
+## <desc> |
321 |
+## <p> |
322 |
+## Determine whether ftpd can read and write |
323 |
+## files in user home directories. |
324 |
+## </p> |
325 |
## </desc> |
326 |
gen_tunable(ftp_home_dir, false) |
327 |
|
328 |
## <desc> |
329 |
-## <p> |
330 |
-## Allow anon internal-sftp to upload files, used for |
331 |
-## public file transfer services. Directories must be labeled |
332 |
-## public_content_rw_t. |
333 |
-## </p> |
334 |
+## <p> |
335 |
+## Determine whether sftpd can modify |
336 |
+## public files used for public file |
337 |
+## transfer services. Directories/Files must |
338 |
+## be labeled public_content_rw_t. |
339 |
+## </p> |
340 |
## </desc> |
341 |
gen_tunable(sftpd_anon_write, false) |
342 |
|
343 |
## <desc> |
344 |
-## <p> |
345 |
-## Allow sftp-internal to read and write files |
346 |
-## in the user home directories |
347 |
-## </p> |
348 |
+## <p> |
349 |
+## Determine whether sftpd-can read and write |
350 |
+## files in user home directories. |
351 |
+## </p> |
352 |
## </desc> |
353 |
gen_tunable(sftpd_enable_homedirs, false) |
354 |
|
355 |
## <desc> |
356 |
-## <p> |
357 |
-## Allow sftp-internal to login to local users and |
358 |
-## read/write all files on the system, governed by DAC. |
359 |
-## </p> |
360 |
+## <p> |
361 |
+## Determine whether sftpd-can login to |
362 |
+## local users and read and write all |
363 |
+## files on the system, governed by DAC. |
364 |
+## </p> |
365 |
## </desc> |
366 |
gen_tunable(sftpd_full_access, false) |
367 |
|
368 |
+## <desc> |
369 |
+## <p> |
370 |
+## Determine whether sftpd can read and write |
371 |
+## files in user ssh home directories. |
372 |
+## </p> |
373 |
+## </desc> |
374 |
+gen_tunable(sftpd_write_ssh_home, false) |
375 |
+ |
376 |
+attribute_role ftpdctl_roles; |
377 |
+ |
378 |
type anon_sftpd_t; |
379 |
typealias anon_sftpd_t alias sftpd_anon_t; |
380 |
domain_type(anon_sftpd_t) |
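Review bot: The description for `sftpd_write_ssh_home` understates what it grants: the tunable body later in this file is `ssh_manage_home_files(sftpd_t)`, so enabling it lets an sftp session write the user's ssh home content, which presumably includes `~/.ssh/authorized_keys` — an administrator flipping this boolean should be told it allows anyone holding the user's sftp credentials to install SSH keys. Suggested wording: `## Determine whether sftpd can read and write files in user ssh home directories (e.g. ~/.ssh/authorized_keys); enabling this lets sftp users install SSH keys.` The `sftpd_enable_homedirs` and `sftpd_full_access` descriptions also read `sftpd-can`; the hyphen should be a space.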
381 |
@@ -100,6 +139,7 @@ files_pid_file(ftpd_var_run_t) |
382 |
type ftpdctl_t; |
383 |
type ftpdctl_exec_t; |
384 |
init_system_domain(ftpdctl_t, ftpdctl_exec_t) |
385 |
+role ftpdctl_roles types ftpdctl_t; |
386 |
|
387 |
type ftpdctl_tmp_t; |
388 |
files_tmp_file(ftpdctl_tmp_t) |
389 |
@@ -115,32 +155,22 @@ ifdef(`enable_mcs',` |
390 |
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) |
391 |
') |
392 |
|
393 |
-######################################## |
394 |
-# |
395 |
-# anon-sftp local policy |
396 |
-# |
397 |
- |
398 |
-files_read_etc_files(anon_sftpd_t) |
399 |
- |
400 |
-miscfiles_read_public_files(anon_sftpd_t) |
401 |
- |
402 |
-tunable_policy(`sftpd_anon_write',` |
403 |
- miscfiles_manage_public_files(anon_sftpd_t) |
404 |
+ifdef(`enable_mls',` |
405 |
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) |
406 |
') |
407 |
|
408 |
######################################## |
409 |
# |
410 |
-# ftpd local policy |
411 |
+# Local policy |
412 |
# |
413 |
|
414 |
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; |
415 |
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; |
416 |
dontaudit ftpd_t self:capability sys_tty_config; |
417 |
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; |
418 |
allow ftpd_t self:fifo_file rw_fifo_file_perms; |
419 |
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; |
420 |
-allow ftpd_t self:unix_stream_socket create_stream_socket_perms; |
421 |
-allow ftpd_t self:tcp_socket create_stream_socket_perms; |
422 |
-allow ftpd_t self:udp_socket create_socket_perms; |
423 |
+allow ftpd_t self:unix_dgram_socket sendto; |
424 |
+allow ftpd_t self:unix_stream_socket { accept listen }; |
425 |
+allow ftpd_t self:tcp_socket { accept listen }; |
426 |
allow ftpd_t self:shm create_shm_perms; |
427 |
allow ftpd_t self:key manage_key_perms; |
428 |
|
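Review bot: The capability line now grants `sys_admin` (plus `ipc_lock` and `kill`) to ftpd_t unconditionally, `allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };`, and neither the commit message nor a comment says which server feature needs it; sys_admin is close to unrestricted root for a network-facing daemon, so it deserves a why-comment naming the operation, or a tunable (or dontaudit) if only one server or feature triggers it. The same hunk trims the self socket rules to `{ accept listen }`, so create/bind/connect on ftpd_t's own tcp and unix sockets must now come from rules outside this module — presumably the base domain/init rules the Fedora policy relies on, which is worth confirming on this policy base since a missing create would break the daemon at startup.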
429 |
@@ -149,10 +179,6 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; |
430 |
allow ftpd_t ftpd_lock_t:file manage_file_perms; |
431 |
files_lock_filetrans(ftpd_t, ftpd_lock_t, file) |
432 |
|
433 |
-manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) |
434 |
-manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) |
435 |
-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) |
436 |
- |
437 |
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) |
438 |
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) |
439 |
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) |
440 |
@@ -163,16 +189,14 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file |
441 |
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) |
442 |
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) |
443 |
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) |
444 |
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) |
445 |
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) |
446 |
|
447 |
-# proftpd requires the client side to bind a socket so that |
448 |
-# it can stat the socket to perform access control decisions, |
449 |
-# since getsockopt with SO_PEERCRED is not available on all |
450 |
-# proftpd-supported OSs |
451 |
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; |
452 |
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; |
453 |
|
454 |
-# Create and modify /var/log/xferlog. |
455 |
-manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) |
456 |
+allow ftpd_t xferlog_t:dir setattr_dir_perms; |
457 |
+append_files_pattern(ftpd_t, xferlog_t, xferlog_t) |
458 |
+create_files_pattern(ftpd_t, xferlog_t, xferlog_t) |
459 |
+setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t) |
460 |
logging_log_filetrans(ftpd_t, xferlog_t, file) |
461 |
|
462 |
kernel_read_kernel_sysctls(ftpd_t) |
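Review bot: The replacement `allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;` drops the comment that explained why ftpd touches a socket file ftpdctl created (proftpd stats the client-side socket to make access-control decisions because SO_PEERCRED is not available on every platform it supports); without it the rule looks like a leftover and is likely to be removed by the next cleanup. Keep a short note above it, e.g. `# proftpd stats/unlinks the socket ftpdctl binds; its access check does not rely on SO_PEERCRED`. The switch from manage_files_pattern to append/create/setattr on xferlog_t is a good tightening; a one-line comment that transfer logs are intentionally append-only for ftpd_t would stop someone re-adding write.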
463 |
@@ -193,17 +217,15 @@ corenet_udp_sendrecv_generic_node(ftpd_t) |
464 |
corenet_tcp_sendrecv_all_ports(ftpd_t) |
465 |
corenet_udp_sendrecv_all_ports(ftpd_t) |
466 |
corenet_tcp_bind_generic_node(ftpd_t) |
467 |
+ |
468 |
+corenet_sendrecv_ftp_server_packets(ftpd_t) |
469 |
corenet_tcp_bind_ftp_port(ftpd_t) |
470 |
+ |
471 |
+corenet_sendrecv_ftp_data_server_packets(ftpd_t) |
472 |
corenet_tcp_bind_ftp_data_port(ftpd_t) |
473 |
-corenet_tcp_bind_generic_port(ftpd_t) |
474 |
-corenet_tcp_bind_all_unreserved_ports(ftpd_t) |
475 |
-corenet_dontaudit_tcp_bind_all_ports(ftpd_t) |
476 |
-corenet_tcp_connect_all_ports(ftpd_t) |
477 |
-corenet_sendrecv_ftp_server_packets(ftpd_t) |
478 |
|
479 |
domain_use_interactive_fds(ftpd_t) |
480 |
|
481 |
-files_search_etc(ftpd_t) |
482 |
files_read_etc_files(ftpd_t) |
483 |
files_read_etc_runtime_files(ftpd_t) |
484 |
files_search_var_lib(ftpd_t) |
485 |
@@ -212,13 +234,10 @@ fs_search_auto_mountpoints(ftpd_t) |
486 |
fs_getattr_all_fs(ftpd_t) |
487 |
fs_search_fusefs(ftpd_t) |
488 |
|
489 |
-auth_use_nsswitch(ftpd_t) |
490 |
-auth_domtrans_chk_passwd(ftpd_t) |
491 |
-# Append to /var/log/wtmp. |
492 |
-auth_append_login_records(ftpd_t) |
493 |
-#kerberized ftp requires the following |
494 |
+auth_use_pam(ftpd_t) |
495 |
auth_write_login_records(ftpd_t) |
496 |
auth_rw_faillog(ftpd_t) |
497 |
+auth_manage_var_auth(ftpd_t) |
498 |
|
499 |
init_rw_utmp(ftpd_t) |
500 |
|
501 |
@@ -231,7 +250,6 @@ miscfiles_read_public_files(ftpd_t) |
502 |
|
503 |
seutil_dontaudit_search_config(ftpd_t) |
504 |
|
505 |
-sysnet_read_config(ftpd_t) |
506 |
sysnet_use_ldap(ftpd_t) |
507 |
|
508 |
userdom_dontaudit_use_unpriv_user_fds(ftpd_t) |
509 |
@@ -264,26 +282,52 @@ tunable_policy(`allow_ftpd_full_access',` |
510 |
files_manage_non_auth_files(ftpd_t) |
511 |
') |
512 |
|
513 |
+tunable_policy(`ftpd_use_passive_mode',` |
514 |
+ corenet_sendrecv_all_server_packets(ftpd_t) |
515 |
+ corenet_tcp_bind_all_unreserved_ports(ftpd_t) |
516 |
+') |
517 |
+ |
518 |
+tunable_policy(`ftpd_connect_all_unreserved',` |
519 |
+ corenet_sendrecv_all_client_packets(ftpd_t) |
520 |
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t) |
521 |
+') |
522 |
+ |
523 |
+tunable_policy(`ftpd_connect_db',` |
524 |
+ corenet_sendrecv_gds_db_client_packets(ftpd_t) |
525 |
+ corenet_tcp_connect_gds_db_port(ftpd_t) |
526 |
+ corenet_tcp_sendrecv_gds_db_port(ftpd_t) |
527 |
+ corenet_sendrecv_mssql_client_packets(ftpd_t) |
528 |
+ corenet_tcp_connect_mssql_port(ftpd_t) |
529 |
+ corenet_tcp_sendrecv_mssql_port(ftpd_t) |
530 |
+ corenet_sendrecv_oracledb_client_packets(ftpd_t) |
531 |
+ corenet_tcp_connect_oracledb_port(ftpd_t) |
532 |
+ corenet_tcp_sendrecv_oracledb_port(ftpd_t) |
533 |
+') |
534 |
+ |
535 |
tunable_policy(`ftp_home_dir',` |
536 |
allow ftpd_t self:capability { dac_override dac_read_search }; |
537 |
|
538 |
- # allow access to /home |
539 |
- files_list_home(ftpd_t) |
540 |
- userdom_read_user_home_content_files(ftpd_t) |
541 |
userdom_manage_user_home_content_dirs(ftpd_t) |
542 |
userdom_manage_user_home_content_files(ftpd_t) |
543 |
- userdom_manage_user_home_content_symlinks(ftpd_t) |
544 |
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) |
545 |
+ userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) |
546 |
+ userdom_manage_user_tmp_dirs(ftpd_t) |
547 |
+ userdom_manage_user_tmp_files(ftpd_t) |
548 |
+ userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) |
549 |
+',` |
550 |
+ userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) |
551 |
+ userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) |
552 |
') |
553 |
|
554 |
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` |
555 |
+ fs_manage_nfs_dirs(ftpd_t) |
556 |
fs_manage_nfs_files(ftpd_t) |
557 |
- fs_read_nfs_symlinks(ftpd_t) |
558 |
+ fs_manage_nfs_symlinks(ftpd_t) |
559 |
') |
560 |
|
561 |
tunable_policy(`ftp_home_dir && use_samba_home_dirs',` |
562 |
+ fs_manage_cifs_dirs(ftpd_t) |
563 |
fs_manage_cifs_files(ftpd_t) |
564 |
- fs_read_cifs_symlinks(ftpd_t) |
565 |
+ fs_manage_cifs_symlinks(ftpd_t) |
566 |
') |
567 |
|
568 |
optional_policy(` |
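Review bot: The new else branch of `ftp_home_dir` applies `userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })` and `userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })` even when the boolean is off, with no comment saying why; a filetrans carries no create permission by itself, so presumably it is there so that content ftpd_t creates under another boolean (allow_ftpd_full_access via `files_manage_non_auth_files(ftpd_t)` above) still gets the user labels rather than inheriting the parent directory's. If that is the reason, say so above the `',`` line, e.g. `# keep user labels on content created via allow_ftpd_full_access`, and the same for the sftpd_enable_homedirs else branch later in the file. Also `fs_manage_nfs_symlinks`/`fs_manage_cifs_symlinks` replace the former read-only symlink rules, so an ftp user can now create symlinks in NFS/CIFS home directories; that matches the sftpd block but widens what this boolean used to grant, and the tunable description should mention it.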
569 |
@@ -309,10 +353,30 @@ optional_policy(` |
570 |
') |
571 |
|
572 |
optional_policy(` |
573 |
+ fail2ban_read_lib_files(ftpd_t) |
574 |
+') |
575 |
+ |
576 |
+optional_policy(` |
577 |
selinux_validate_context(ftpd_t) |
578 |
|
579 |
kerberos_keytab_template(ftpd, ftpd_t) |
580 |
- kerberos_manage_host_rcache(ftpd_t) |
581 |
+ kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") |
582 |
+') |
583 |
+ |
584 |
+optional_policy(` |
585 |
+ mysql_stream_connect(ftpd_t) |
586 |
+ |
587 |
+ tunable_policy(`ftpd_connect_db',` |
588 |
+ mysql_tcp_connect(ftpd_t) |
589 |
+ ') |
590 |
+') |
591 |
+ |
592 |
+optional_policy(` |
593 |
+ postgresql_stream_connect(ftpd_t) |
594 |
+ |
595 |
+ tunable_policy(`ftpd_connect_db',` |
596 |
+ postgresql_tcp_connect(ftpd_t) |
597 |
+ ') |
598 |
') |
599 |
|
600 |
optional_policy(` |
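Review bot: `kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")` replaces `kerberos_manage_host_rcache(ftpd_t)`, but a filetrans only labels the new file and grants no create/read/write on the rcache type; unless `kerberos_keytab_template(ftpd, ftpd_t)` supplies those permissions on this policy base (not visible here), a kerberized ftpd will be denied when it writes its replay cache. Please verify against kerberos.if before merging; if the template does not cover it, keep `kerberos_manage_host_rcache(ftpd_t)` next to the filetrans. The unconditional `mysql_stream_connect`/`postgresql_stream_connect` next to the `ftpd_connect_db`-gated TCP variants could also use a one-line comment that local socket access is deliberately always allowed.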
601 |
@@ -342,41 +406,54 @@ optional_policy(` |
602 |
|
603 |
######################################## |
604 |
# |
605 |
-# ftpdctl local policy |
606 |
+# Ctl local policy |
607 |
# |
608 |
|
609 |
-# Allow ftpdctl to talk to ftpd over a socket connection |
610 |
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) |
611 |
|
612 |
-# ftpdctl creates a socket so that the daemon can perform |
613 |
-# access control decisions (see comments in ftpd_t rules above) |
614 |
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; |
615 |
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; |
616 |
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) |
617 |
|
618 |
-# Allow ftpdctl to read config files |
619 |
files_read_etc_files(ftpdctl_t) |
620 |
+files_search_pids(ftpdctl_t) |
621 |
|
622 |
userdom_use_user_terminals(ftpdctl_t) |
623 |
|
624 |
######################################## |
625 |
# |
626 |
-# sftpd local policy |
627 |
+# Anon sftpd local policy |
628 |
+# |
629 |
+ |
630 |
+files_read_etc_files(anon_sftpd_t) |
631 |
+ |
632 |
+miscfiles_read_public_files(anon_sftpd_t) |
633 |
+ |
634 |
+tunable_policy(`sftpd_anon_write',` |
635 |
+ miscfiles_manage_public_files(anon_sftpd_t) |
636 |
+') |
637 |
+ |
638 |
+######################################## |
639 |
+# |
640 |
+# Sftpd local policy |
641 |
# |
642 |
|
643 |
files_read_etc_files(sftpd_t) |
644 |
|
645 |
-# allow read access to /home by default |
646 |
userdom_read_user_home_content_files(sftpd_t) |
647 |
userdom_read_user_home_content_symlinks(sftpd_t) |
648 |
|
649 |
tunable_policy(`sftpd_enable_homedirs',` |
650 |
allow sftpd_t self:capability { dac_override dac_read_search }; |
651 |
|
652 |
- # allow access to /home |
653 |
- files_list_home(sftpd_t) |
654 |
- userdom_manage_user_home_content_files(sftpd_t) |
655 |
userdom_manage_user_home_content_dirs(sftpd_t) |
656 |
+ userdom_manage_user_home_content_files(sftpd_t) |
657 |
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) |
658 |
+ userdom_manage_user_tmp_dirs(sftpd_t) |
659 |
+ userdom_manage_user_tmp_files(sftpd_t) |
660 |
+ userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) |
661 |
+',` |
662 |
+ userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) |
663 |
+ userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) |
664 |
') |
665 |
|
666 |
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` |
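Review bot: `allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;` widens the previous `{ create setattr }` and, like the matching change in the ftpd_t section, loses the comment explaining the ftpdctl socket handshake (ftpdctl binds a socket in /tmp so the daemon can stat it for access control). Restore a short why-comment here, e.g. `# ftpdctl binds a socket in /tmp that ftpd stats for access control`, and note why the wider permission set is needed if it is. The section is also retitled `# Ctl local policy`; `# ftpdctl local policy` was clearer, since every other section names its domain.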
667 |
@@ -391,21 +468,27 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` |
668 |
fs_manage_cifs_symlinks(sftpd_t) |
669 |
') |
670 |
|
671 |
+tunable_policy(`sftpd_anon_write',` |
672 |
+ miscfiles_manage_public_files(sftpd_t) |
673 |
+') |
674 |
+ |
675 |
tunable_policy(`sftpd_full_access',` |
676 |
allow sftpd_t self:capability { dac_override dac_read_search }; |
677 |
fs_read_noxattr_fs_files(sftpd_t) |
678 |
files_manage_non_auth_files(sftpd_t) |
679 |
') |
680 |
|
681 |
+tunable_policy(`sftpd_write_ssh_home',` |
682 |
+ ssh_manage_home_files(sftpd_t) |
683 |
+') |
684 |
+ |
685 |
tunable_policy(`use_samba_home_dirs',` |
686 |
- # allow read access to /home by default |
687 |
fs_list_cifs(sftpd_t) |
688 |
fs_read_cifs_files(sftpd_t) |
689 |
fs_read_cifs_symlinks(sftpd_t) |
690 |
') |
691 |
|
692 |
tunable_policy(`use_nfs_home_dirs',` |
693 |
- # allow read access to /home by default |
694 |
fs_list_nfs(sftpd_t) |
695 |
fs_read_nfs_files(sftpd_t) |
696 |
fs_read_nfs_symlinks(ftpd_t) |
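Review bot: The last line of the sftpd `use_nfs_home_dirs` block still reads `fs_read_nfs_symlinks(ftpd_t)` while the two lines above it and the matching cifs block use `sftpd_t`; this is a context line the commit did not touch, but the new file keeps the mistake, so sftpd_t cannot follow symlinks in NFS-backed home directories by default while ftpd_t silently gets that permission under a boolean meant for sftpd. Change it to `fs_read_nfs_symlinks(sftpd_t)`. The new `sftpd_write_ssh_home` block is security-sensitive enough to carry a one-line comment stating that it lets sftp users modify their ssh home content.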