diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc index 21e9db8..69dcd2a 100644 --- a/policy/modules/services/ftp.fc +++ b/policy/modules/services/ftp.fc @@ -22,7 +22,7 @@ # # /var # -/var/run/proftpd(/.*)? gen_context(system_u:object_r:ftpd_var_run_t,s0) +/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index 44fe88a..dfa52fd 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -1,5 +1,23 @@ ## File transfer protocol service +####################################### +## +## Allow domain dyntransition to sftpd_anon domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntrans_anon_sftpd',` + gen_require(` + type anon_sftpd_t; + ') + + dyntrans_pattern($1, anon_sftpd_t); +') + ######################################## ## ## Use ftp by connecting over TCP. (Deprecated) @@ -115,9 +133,27 @@ interface(`ftp_run_ftpdctl',` role $2 types ftpdctl_t; ') +####################################### +## +## Allow domain dyntransition to sftpd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntrans_sftpd',` + gen_require(` + type sftpd_t; + ') + + dyntrans_pattern($1, sftpd_t); +') + ######################################## ## -## All of the rules required to administrate +## All of the rules required to administrate ## an ftp environment ## ## diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index b8ced87..114f0da 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp, 1.11.0) +policy_module(ftp, 1.11.1) ######################################## # @@ -17,7 +17,7 @@ gen_tunable(allow_ftpd_anon_write, false) ## ##
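Review bot: The replacement pattern `/var/run/proftpd.*` in ftp.fc is no longer tied to the proftpd directory; it labels every /var/run entry whose name merely begins with `proftpd` as ftpd_var_run_t. If the aim is to cover files that sit beside the directory (the commit does not say), keeping `/var/run/proftpd(/.*)?` and adding a second entry with the dot escaped, `/var/run/proftpd\..*	gen_context(system_u:object_r:ftpd_var_run_t,s0)`, would keep the labelled set narrower. A short comment naming the files that motivated the change would help a later reviewer judge the breadth.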

-## Allow ftp servers to login to local users and +## Allow ftp servers to login to local users and ## read/write all files on the system, governed by DAC. ##

##
@@ -46,6 +46,36 @@ gen_tunable(allow_ftpd_use_nfs, false) ## gen_tunable(ftp_home_dir, false) +## +##

+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##

+##
+gen_tunable(sftpd_anon_write, false) + +## +##

+## Allow sftp-internal to read and write files +## in the user home directories +##

+##
+gen_tunable(sftpd_enable_homedirs, false) + +## +##

+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##

+##
+gen_tunable(sftpd_full_access, false) + +type anon_sftpd_t; +typealias anon_sftpd_t alias sftpd_anon_t; +domain_type(anon_sftpd_t) +role system_r types anon_sftpd_t; + type ftpd_t; type ftpd_exec_t; init_daemon_domain(ftpd_t, ftpd_exec_t) @@ -75,9 +105,30 @@ init_system_domain(ftpdctl_t, ftpdctl_exec_t) type ftpdctl_tmp_t; files_tmp_file(ftpdctl_tmp_t) +type sftpd_t; +domain_type(sftpd_t) +role system_r types sftpd_t; + type xferlog_t; logging_log_file(xferlog_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# anon-sftp local policy +# + +files_read_etc_files(anon_sftpd_t) + +miscfiles_read_public_files(anon_sftpd_t) + +tunable_policy(`sftpd_anon_write',` + miscfiles_manage_public_files(anon_sftpd_t) +') + ######################################## # # ftpd local policy @@ -85,13 +136,14 @@ logging_log_file(xferlog_t) allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; -allow ftpd_t self:process signal_perms; -allow ftpd_t self:process { getcap setcap setsched setrlimit }; +allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:udp_socket create_socket_perms; +allow ftpd_t self:shm create_shm_perms; +allow ftpd_t self:key manage_key_perms; allow ftpd_t ftpd_etc_t:file read_file_perms; 
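Review bot: `allow ftpd_t self:shm create_shm_perms;` and `allow ftpd_t self:key manage_key_perms;` are added to the ftpd_t self rules without any comment, and `getpgid` is folded into the merged process rule the same way. Nothing in the hunk shows which server or code path needs shared memory or kernel keyring management, so a later audit cannot tell whether these grants are still required. A one-line comment above each rule, in the form `# <daemon or feature>: <why the permission is needed>`, would make them reviewable.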
@@ -121,8 +173,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; # Create and modify /var/log/xferlog. -allow ftpd_t xferlog_t:dir search_dir_perms; -allow ftpd_t xferlog_t:file manage_file_perms; +manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) @@ -160,6 +211,7 @@ files_search_var_lib(ftpd_t) fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) +fs_search_fusefs(ftpd_t) auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) @@ -258,7 +310,10 @@ optional_policy(` ') optional_policy(` - kerberos_read_keytab(ftpd_t) + selinux_validate_context(ftpd_t) + + kerberos_keytab_template(ftpd, ftpd_t) + kerberos_manage_host_rcache(ftpd_t) ') optional_policy(` @@ -270,6 +325,15 @@ optional_policy(` ') optional_policy(` + dbus_system_bus_client(ftpd_t) + + optional_policy(` + oddjob_dbus_chat(ftpd_t) + oddjob_domtrans_mkhomedir(ftpd_t) + ') +') + +optional_policy(` seutil_sigchld_newrole(ftpd_t) ') 
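Review bot: `manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)` is not a pure cleanup of the two removed rules: besides `manage_file_perms` on files it grants write, add_name and remove_name on xferlog_t directories, where the old rule allowed search only. An ftpd_t process can then create, rename and unlink entries inside its own transfer-log directories, which matters for log integrity if the daemon is compromised. If that is intended, the comment above the rule should say so, for example `# Create, rotate and remove transfer logs in xferlog_t directories.`.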
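Review bot: `selinux_validate_context(ftpd_t)` is placed in the same `optional_policy` block as the two Kerberos calls in the -258,7 hunk, so the permission exists only when the kerberos module is built in. If ftpd validates contexts independently of Kerberos, the call belongs with the unconditional kernel-layer calls; if it is needed only on the Kerberos path, a comment such as `# context validation is only done on the Kerberos login path` should say so. The switch from `kerberos_read_keytab` to `kerberos_keytab_template(ftpd, ftpd_t)` plus `kerberos_manage_host_rcache` also widens what ftpd_t may touch and deserves a line of explanation.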
@@ -294,3 +358,56 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) files_read_etc_files(ftpdctl_t) userdom_use_user_terminals(ftpdctl_t) + +######################################## +# +# sftpd local policy +# + +files_read_etc_files(sftpd_t) + +# allow read access to /home by default +userdom_read_user_home_content_files(sftpd_t) +userdom_read_user_home_content_symlinks(sftpd_t) + +tunable_policy(`sftpd_enable_homedirs',` + allow sftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(sftpd_t) + userdom_manage_user_home_content_files(sftpd_t) + userdom_manage_user_home_content_dirs(sftpd_t) + userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) +') + +tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` + fs_manage_nfs_dirs(sftpd_t) + fs_manage_nfs_files(sftpd_t) + fs_manage_nfs_symlinks(sftpd_t) +') + +tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` + fs_manage_cifs_dirs(sftpd_t) + fs_manage_cifs_files(sftpd_t) + fs_manage_cifs_symlinks(sftpd_t) +') + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`use_samba_home_dirs',` + # allow read access to /home by default + fs_list_cifs(sftpd_t) + fs_read_cifs_files(sftpd_t) + fs_read_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + # allow read access to /home by default + fs_list_nfs(sftpd_t) + fs_read_nfs_files(sftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index 56d4c5d..22ca011 100644 --- a/policy/support/misc_patterns.spt +++ b/policy/support/misc_patterns.spt 
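Review bot: The last rule of the new `use_nfs_home_dirs` block passes the wrong domain: `fs_read_nfs_symlinks(ftpd_t)` sits in the sftpd local policy, so sftpd_t never gets NFS symlink read, while ftpd_t gains it whenever the boolean is on, outside any ftpd tunable. It should read `fs_read_nfs_symlinks(sftpd_t)`, matching the CIFS block just above it. Separately, `userdom_read_user_home_content_files(sftpd_t)` and the matching symlink rule are unconditional, so home content is readable even with `sftpd_enable_homedirs` off. Either the tunable description should say it only adds write access, or the read rules should move under the tunable.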
@@ -39,6 +39,15 @@ define(`domtrans_pattern',`
 ')
 
 #
+# Dynamic transition pattern
+#
+define(`dyntrans_pattern',`
+ allow $1 self:process setcurrent;
+ allow $1 $2:process dyntransition;
+ allow $2 $1:process sigchld;
+')
+
+#
 # Other process permissions
 #
 define(`send_audit_msgs_pattern',`
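Review bot: `dyntrans_pattern` is added with only a title comment, although its three rules carry more risk than the `domtrans_pattern` defined above it. No exec and no entrypoint type is involved, so the process enters $2 with whatever memory and open descriptors it held in $1. The macro should document its parameters and that constraint, for example `# $1 = source domain, $2 = target domain; $1 changes its own context at run time,` followed by `# so use only where $1 is trusted and is dropping privilege.`. It is also worth stating that the `sigchld` rule runs from $2 back to $1, since that direction is easy to misread.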