From fc6524d74663b35da5a1cca3f45c4cfde9456802 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 05 2005 19:52:53 +0000 Subject: add ftp --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index ee9935c..c79aa8c 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -5,6 +5,7 @@ - Added policies: anaconda dmidecode + ftp kudzu radvd diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 20affba..98573f3 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -16,6 +16,10 @@ gen_tunable(allow_execmod,false) ## Also requires allow_execmem. gen_tunable(allow_execstack,false) +## Allow ftp servers to modify public files +## used for public file transfer services. +gen_tunable(allow_ftpd_anon_write,false) + ## Allow gpg executable stack gen_tunable(allow_gpg_execstack,false) diff --git a/refpolicy/policy/modules/services/ftp.fc b/refpolicy/policy/modules/services/ftp.fc new file mode 100644 index 0000000..03057f3 --- /dev/null +++ b/refpolicy/policy/modules/services/ftp.fc @@ -0,0 +1,26 @@ +# +# /etc +# +/etc/proftpd\.conf -- context_template(system_u:object_r:ftpd_etc_t,s0) +/etc/cron\.monthly/proftpd -- context_template(system_u:object_r:ftpd_exec_t,s0) + +# +# /usr +# +/usr/kerberos/sbin/ftpd -- context_template(system_u:object_r:ftpd_exec_t,s0) + +/usr/sbin/ftpwho -- context_template(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/in\.ftpd -- context_template(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/muddleftpd -- context_template(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/proftpd -- context_template(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/vsftpd -- context_template(system_u:object_r:ftpd_exec_t,s0) + +# +# /var +# +/var/run/proftpd/proftpd-inetd -- context_template(system_u:object_r:ftpd_var_run_t,s0) +/var/run/proftpd/proftpd\.scoreboard -- context_template(system_u:object_r:ftpd_var_run_t,s0) + +/var/log/muddleftpd\.log.* -- context_template(system_u:object_r:xferlog_t,s0) +/var/log/xferlog.* -- context_template(system_u:object_r:xferlog_t,s0) +/var/log/xferreport.* -- context_template(system_u:object_r:xferlog_t,s0) diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if new file mode 100644 index 0000000..71042be --- /dev/null +++ b/refpolicy/policy/modules/services/ftp.if @@ -0,0 +1,70 @@ +## File transfer protocol service + +######################################## +## +## Use ftp by connecting over TCP. +## +## +## Domain allowed access. +## +# +interface(`ftp_tcp_connect',` + gen_require(` + type ftpd_t; + ') + + allow $1 ftpd_t:tcp_socket { connectto recvfrom }; + allow ftpd_t $1:tcp_socket { acceptfrom recvfrom }; + kernel_tcp_recvfrom($1) +') + +######################################## +## +## Read ftpd etc files +## +## +## Domain allowed access. +## +# +interface(`ftp_read_config',` + gen_require(` + type ftpd_etc_t; + ') + + files_search_etc($1) + allow $1 ftpd_etc_t:file { getattr read }; +') + +######################################## +## +## Execute FTP daemon entry point programs. +## +## +## Domain allowed access. +## +# +interface(`ftp_check_exec',` + gen_require(` + type ftpd_exec_t; + ') + + corecmd_search_sbin($1) + allow $1 ftpd_exec_t:file x_file_perms; +') + +######################################## +## +## Read FTP transfer logs +## +## +## Domain allowed access. +## +# +interface(`ftp_read_log',` + gen_require(` + type xferlog_t; + ') + + logging_search_logs($1) + allow $1 xferlog_t:file r_file_perms; +') diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te new file mode 100644 index 0000000..e54b4ce --- /dev/null +++ b/refpolicy/policy/modules/services/ftp.te @@ -0,0 +1,199 @@ + +policy_module(ftp,1.0) + +######################################## +# +# Declarations +# + +type ftpd_t; +type ftpd_exec_t; +init_daemon_domain(ftpd_t,ftpd_exec_t) + +type ftpd_etc_t; +files_type(ftpd_etc_t) + +# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally +type ftpd_lock_t; +files_lock_file(ftpd_lock_t) + +type ftpd_tmp_t; +files_tmp_file(ftpd_tmp_t) + +type ftpd_tmpfs_t; +files_tmpfs_file(ftpd_tmpfs_t) + +type ftpd_var_run_t; +files_pid_file(ftpd_var_run_t) + +type xferlog_t; +logging_log_file(xferlog_t) + +######################################## +# +# Local policy +# + +allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; +dontaudit ftpd_t self:capability sys_tty_config; +allow ftpd_t self:process signal_perms; +allow ftpd_t self:process { getcap setcap setsched setrlimit }; +allow ftpd_t self:fifo_file rw_file_perms; +allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow ftpd_t self:unix_stream_socket create_socket_perms; +allow ftpd_t self:tcp_socket create_stream_socket_perms; +allow ftpd_t self:udp_socket create_socket_perms; + +allow ftpd_t ftpd_etc_t:file { getattr read }; + +allow ftpd_t ftpd_tmp_t:dir create_dir_perms; +allow ftpd_t ftpd_tmp_t:file create_file_perms; +files_create_tmp_files(ftpd_t, ftpd_tmp_t, { file dir }) + +allow ftpd_t ftpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; +allow ftpd_t ftpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; +allow ftpd_t ftpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow ftpd_t ftpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; +allow ftpd_t ftpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +fs_create_tmpfs_data(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +# Create and modify /var/log/xferlog. +allow ftpd_t xferlog_t:file create_file_perms; +logging_create_log(ftpd_t,xferlog_t) + +kernel_read_kernel_sysctl(ftpd_t) +kernel_read_system_state(ftpd_t) + +dev_read_sysfs(ftpd_t) +dev_read_urand(ftpd_t) + +fs_search_auto_mountpoints(ftpd_t) +fs_getattr_all_fs(ftpd_t) + +corenet_tcp_sendrecv_all_if(ftpd_t) +corenet_udp_sendrecv_all_if(ftpd_t) +corenet_raw_sendrecv_all_if(ftpd_t) +corenet_tcp_sendrecv_all_nodes(ftpd_t) +corenet_udp_sendrecv_all_nodes(ftpd_t) +corenet_raw_sendrecv_all_nodes(ftpd_t) +corenet_tcp_sendrecv_all_ports(ftpd_t) +corenet_udp_sendrecv_all_ports(ftpd_t) +corenet_tcp_bind_all_nodes(ftpd_t) +corenet_udp_bind_all_nodes(ftpd_t) +corenet_tcp_bind_ftp_data_port(ftpd_t) +corenet_tcp_bind_generic_port(ftpd_t) +corenet_tcp_connect_all_ports(ftpd_t) + +term_dontaudit_use_console(ftpd_t) + +# Append to /var/log/wtmp. +auth_append_login_records(ftpd_t) +#kerberized ftp requires the following +auth_write_login_records(ftpd_t) + +corecmd_exec_bin(ftpd_t) +# Execute /bin/ls (can comment this out for proftpd) +# also may need rules to allow tar etc... +corecmd_exec_ls(ftpd_t) + +domain_use_wide_inherit_fd(ftpd_t) + +files_search_etc(ftpd_t) +files_read_etc_files(ftpd_t) +files_read_etc_runtime_files(ftpd_t) + +init_use_fd(ftpd_t) +init_use_script_pty(ftpd_t) + +libs_use_ld_so(ftpd_t) +libs_use_shared_libs(ftpd_t) + +logging_send_syslog_msg(ftpd_t) + +miscfiles_read_localization(ftpd_t) +miscfiles_read_public_files(ftpd_t) + +seutil_dontaudit_search_config(ftpd_t) + +sysnet_read_config(ftpd_t) + +userdom_dontaudit_search_sysadm_home_dir(ftpd_t) +userdom_dontaudit_use_unpriv_user_fd(ftpd_t) + +ifdef(`targeted_policy',` + files_dontaudit_read_root_file(ftpd_t) + + term_dontaudit_use_generic_pty(ftpd_t) + term_dontaudit_use_unallocated_tty(ftpd_t) +') + +tunable_policy(`allow_ftpd_anon_write',` + miscfiles_manage_public_files(ftpd_t) +') + +tunable_policy(`ftp_home_dir',` + # allow access to /home + files_getattr_home_dir(ftpd_t) + userdom_read_all_user_files(ftpd_t) + userdom_manage_all_user_dirs(ftpd_t) + userdom_manage_all_user_files(ftpd_t) + userdom_manage_all_user_symlinks(ftpd_t) +') + +tunable_policy(`ftpd_is_daemon',` + allow ftpd_t ftpd_lock_t:file create_file_perms; + files_create_lock(ftpd_t,ftpd_lock_t) + + corenet_tcp_bind_ftp_port(ftpd_t) +') + +tunable_policy(`use_nfs_home_dirs && ftp_home_dir',` + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') + +tunable_policy(`use_samba_home_dirs && ftp_home_dir',` + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) +') + +optional_policy(`crond.te', ` + corecmd_exec_shell(ftpd_t) + + files_read_usr_file(ftpd_t) + + cron_system_entry(ftpd_t, ftpd_exec_t) + + optional_policy(`logrotate.te',` + logrotate_exec(ftpd_t) + ') +') + +optional_policy(`inetd.te',` + if (!ftpd_is_daemon) { + #reh: typeattributes not allowed in conditionals yet. + #inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) + + optional_policy(`tcpd.te',` + tcpd_domtrans(tcpd_t) + ') + } +') + +optional_policy(`mount.te',` + mount_send_nfs_client_request(ftpd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(ftpd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(ftpd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(ftpd_t) +') +') diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 25db7d4..7b439f4 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -209,6 +209,13 @@ tunable_policy(`run_ssh_inetd',` corenet_tcp_bind_ssh_port(inetd_t) ') +optional_policy(`ftp.te',` + tunable_policy(`ftpd_is_daemon',` + # Allows it to check exec privs on daemon + ftp_check_exec(inetd_t) + ') +') + optional_policy(`kerberos.te',` kerberos_use(inetd_child_t) ') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 5afaeea..c0c5095 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -734,6 +734,38 @@ interface(`auth_dontaudit_write_login_records',` ') ####################################### +## +## Append to login records (wtmp). +## +## +## Domain allowed access. +## +# +interface(`auth_append_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file { getattr append }; +') + +####################################### +## +## Write to login records (wtmp). +## +## +## Domain allowed access. +## +# +interface(`auth_write_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file { write lock }; +') + +####################################### # # auth_rw_login_records(domain) # diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index b9b6fc6..33f7bb8 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -557,6 +557,23 @@ interface(`init_udp_sendto_script',` ######################################## ## +## Allow the specified domain to connect to +## init scripts with a unix socket. +## +## +## Domain allowed access. +## +# +interface(`init_unix_connect_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:unix_stream_socket connectto; +') + +######################################## +## ## Read and write the init script pty. ## ## diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 758f23a..55a87ef 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -313,6 +313,12 @@ template(`base_user_template',` dictd_use($1_t) ') + optional_policy(`ftp.te',` + tunable_policy(`ftpd_is_daemon',` + ftp_tcp_connect($1_t) + ') + ') + optional_policy(`inetd.te',` inetd_tcp_connect($1_t) ') @@ -1847,6 +1853,62 @@ interface(`userdom_read_all_user_files',` ######################################## ## +## Create, read, write, and delete all directories +## in all users home directories. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_manage_all_user_dirs',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) + allow $1 home_type:dir create_dir_perms; +') + +######################################## +## +## Create, read, write, and delete all files +## in all users home directories. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_manage_all_user_files',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) + allow $1 home_type:dir rw_dir_perms; + allow $1 home_type:file create_file_perms; +') + +######################################## +## +## Create, read, write, and delete all symlinks +## in all users home directories. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_manage_all_user_symlinks',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) + allow $1 home_type:dir rw_dir_perms; + allow $1 home_type:lnk_file create_lnk_perms; +') + +######################################## +## ## Send general signals to unprivileged user domains. ## ##