## Use ftp by connecting over TCP. (Deprecated)
@@ -115,9 +133,27 @@ interface(`ftp_run_ftpdctl',`
role $2 types ftpdctl_t;
')
+#######################################
+##
+## Allow domain dyntransition to sftpd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ftp_dyntrans_sftpd',`
+ gen_require(`
+ type sftpd_t;
+ ')
+
+ dyntrans_pattern($1, sftpd_t);
+')
+
########################################
##
-## All of the rules required to administrate
+## All of the rules required to administrate
## an ftp environment
##
##
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index b8ced87..114f0da 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp, 1.11.0)
+policy_module(ftp, 1.11.1)
########################################
#
@@ -17,7 +17,7 @@ gen_tunable(allow_ftpd_anon_write, false)
##
##
-## Allow ftp servers to login to local users and
+## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
##
##
@@ -46,6 +46,36 @@ gen_tunable(allow_ftpd_use_nfs, false)
##
gen_tunable(ftp_home_dir, false)
+##
+##
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+##
+##
+gen_tunable(sftpd_anon_write, false)
+
+##
+##
+## Allow sftp-internal to read and write files
+## in the user home directories
+##
+##
+gen_tunable(sftpd_enable_homedirs, false)
+
+##
+##
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+##
+##
+gen_tunable(sftpd_full_access, false)
+
+type anon_sftpd_t;
+typealias anon_sftpd_t alias sftpd_anon_t;
+domain_type(anon_sftpd_t)
+role system_r types anon_sftpd_t;
+
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)
@@ -75,9 +105,30 @@ init_system_domain(ftpdctl_t, ftpdctl_exec_t)
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
type xferlog_t;
logging_log_file(xferlog_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# anon-sftp local policy
+#
+
+files_read_etc_files(anon_sftpd_t)
+
+miscfiles_read_public_files(anon_sftpd_t)
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(anon_sftpd_t)
+')
+
########################################
#
# ftpd local policy
@@ -85,13 +136,14 @@ logging_log_file(xferlog_t)
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
-allow ftpd_t self:process signal_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
+allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
@@ -121,8 +173,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file manage_file_perms;
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
@@ -160,6 +211,7 @@ files_search_var_lib(ftpd_t)
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs(ftpd_t)
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
@@ -258,7 +310,10 @@ optional_policy(`
')
optional_policy(`
- kerberos_read_keytab(ftpd_t)
+ selinux_validate_context(ftpd_t)
+
+ kerberos_keytab_template(ftpd, ftpd_t)
+ kerberos_manage_host_rcache(ftpd_t)
')
optional_policy(`
@@ -270,6 +325,15 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(ftpd_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(ftpd_t)
+ oddjob_domtrans_mkhomedir(ftpd_t)
+ ')
+')
+
+optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
@@ -294,3 +358,56 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
files_read_etc_files(ftpdctl_t)
userdom_use_user_terminals(ftpdctl_t)
+
+########################################
+#
+# sftpd local policy
+#
+
+files_read_etc_files(sftpd_t)
+
+# allow read access to /home by default
+userdom_read_user_home_content_files(sftpd_t)
+userdom_read_user_home_content_symlinks(sftpd_t)
+
+tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(sftpd_t)
+ userdom_manage_user_home_content_files(sftpd_t)
+ userdom_manage_user_home_content_dirs(sftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(sftpd_t)
+ fs_manage_nfs_files(sftpd_t)
+ fs_manage_nfs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+ fs_manage_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_shadow(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ # allow read access to /home by default
+ fs_list_cifs(sftpd_t)
+ fs_read_cifs_files(sftpd_t)
+ fs_read_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ # allow read access to /home by default
+ fs_list_nfs(sftpd_t)
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 56d4c5d..22ca011 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -39,6 +39,15 @@ define(`domtrans_pattern',`
')
#
+# Dynamic transition pattern
+#
+define(`dyntrans_pattern',`
+ allow $1 self:process setcurrent;
+ allow $1 $2:process dyntransition;
+ allow $2 $1:process sigchld;
+')
+
+#
# Other process permissions
#
define(`send_audit_msgs_pattern',`