proftpd and ftpdctl


 



The recent update of proftpd in Extras to 1.3.0 has introduced a new feature, an "ftpdctl" program allowing some run-time control of the FTP daemon, somewhat akin to rndc with named. This needs new policy. Below is what's working for me:

===== proftpd.if =====
## <summary>FTP Daemon Control Program.</summary>

########################################
## <summary>
##      Execute the ftpdctl program in the ftpdctl domain.
## </summary>
## <desc>
##      <p>
##      Sets up an automatic domain transition so that a process in the
##      caller domain which executes a file labeled ftpdctl_exec_t runs
##      in ftpdctl_t, and grants the descriptor, pipe and SIGCHLD access
##      needed for the caller to hand its terminal to the child and be
##      told when it exits. Whatever domain is passed in here is the set
##      of callers able to control the running FTP daemon through ftpdctl.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`ftpdctl_domtrans',`
        gen_require(`
                type ftpdctl_t, ftpdctl_exec_t;
        ')

        # the caller has to look up the binary in a bin directory
        # (/usr/bin/ftpdctl, per the .fc entry)
        corecmd_search_bin($1)
        # exec of ftpdctl_exec_t by $1 lands in ftpdctl_t
        domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)

        # descriptors and pipes inherited across the exec stay usable in
        # both directions; the caller receives SIGCHLD when ftpdctl exits
        allow $1 ftpdctl_t:fd use;
        allow ftpdctl_t $1:fd use;
        allow ftpdctl_t $1:fifo_file rw_file_perms;
        allow ftpdctl_t $1:process sigchld;
')

===== proftpd.fc =====
# The ftpdctl binary is the only entry point into ftpdctl_t; any copy of
# it elsewhere on the filesystem would not carry this label and so would
# not transition (see ftpdctl_domtrans in proftpd.if).
/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)

===== proftpd.te =====
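policy_module(proftpd, 0.4.0)

########################################
#
# Declarations
#

# Types owned by other modules that this module references directly.
# Every such type has to be in scope here: as posted, the block below
# omitted unconfined_t even though ftpdctl_domtrans(unconfined_t) is
# used further down, and checkmodule normally rejects a reference to an
# out-of-scope type. If the unconfined module may be absent (e.g. a
# strict policy), wrap that call in optional_policy() with a gen_require
# instead of listing the type here.
require {
        type ftpd_t;
        type ftpd_var_run_t;
        type xferlog_t;
        type unconfined_t;
};

# run ftpdctl in its own domain
# NOTE(review): init_system_domain makes ftpdctl_t a system domain with
# the init-related access that implies; for a short-lived control client
# a plain domain_type + domain_entry_file declaration may be narrower --
# confirm against the refpolicy version in use before changing.
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t,ftpdctl_exec_t)
# the caller of ftpdctl_domtrans must run in a role that ftpdctl_t is
# authorized for, otherwise the transition is refused at exec time
role system_r types ftpdctl_t;

# ftpdctl control sockets have their own domain
# When ftpdctl is run, it creates a socket in /tmp and then binds it
# to the control socket for the running proftpd server, usually at
# /var/run/proftpd/proftpd.sock
# Keeping these under a private type means ftpd_t is allowed to touch
# only ftpdctl sockets in /tmp, not arbitrary tmp_t objects.
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

########################################
#
# Local policy
#

# Temporary sockets created by ftpdctl are ftpdctl_tmp_t
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, { sock_file })

# Fixed in selinux-policy 2.2.29-6
#allow ftpd_t xferlog_t:dir { getattr search };

# Allow proftpd to read the routing table
allow ftpd_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow proftpd to create and use a control socket (/var/run/proftpd/proftpd.sock)
allow ftpd_t self:unix_stream_socket listen;
allow ftpd_t ftpd_var_run_t:sock_file { create setattr unlink };

# Allow proftpd to remove temporary communications sockets created by ftpdctl
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Transition to ftpdctl_t from unconfined_t
# This is the only caller granted the transition, so in practice only the
# unconfined domain can drive the daemon through the control socket.
ftpdctl_domtrans(unconfined_t)
libs_use_ld_so(ftpdctl_t)
libs_use_shared_libs(ftpdctl_t)
term_use_generic_ptys(ftpdctl_t)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

# Allow ftpdctl to create and use temporary sockets
# (removal of these is done by ftpd_t, see above, so no unlink here)
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };

# Allow ftpdctl to talk to ftpd over a socket connection
# search on the run directory + write on the sock_file + connectto on the
# listening socket is the minimum needed to connect; nothing else in
# ftpd_var_run_t becomes readable or writable to ftpdctl_t
allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
allow ftpdctl_t ftpd_var_run_t:dir search;
allow ftpdctl_t ftpd_var_run_t:sock_file write;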

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
