The recent update of proftpd in Extras to 1.3.0 has introduced a new
feature, an "ftpdctl" program allowing some run-time control of the FTP
daemon, somewhat akin to rndc with named. This needs new policy. Below
is what's working for me:
===== proftpd.if =====
## <summary>FTP Daemon Control Program.</summary>

########################################
## <summary>
##	Execute the ftpdctl program in the ftpdctl domain.
## </summary>
## <desc>
##	<p>
##	Lets the caller run ftpdctl with an automatic transition to
##	ftpdctl_t, and sets up the usual parent/child plumbing across
##	that transition: each side may use the other's file descriptors,
##	the child may read and write the caller's pipes, and the child
##	may deliver SIGCHLD back to the caller.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ftpdctl_domtrans',`
	gen_require(`
		type ftpdctl_t, ftpdctl_exec_t;
	')

	# the caller has to be able to locate the binary in bin directories
	corecmd_search_bin($1)

	# executing a ftpdctl_exec_t file from $1 lands in ftpdctl_t
	domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)

	# fd inheritance in both directions, pipes and SIGCHLD back to the caller
	allow ftpdctl_t $1:fd use;
	allow ftpdctl_t $1:fifo_file rw_file_perms;
	allow ftpdctl_t $1:process sigchld;
	allow $1 ftpdctl_t:fd use;
')
===== proftpd.fc =====
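# A file_contexts entry is a single line: path, optional file type, context.
# The pasted version was wrapped onto two lines, which does not parse.
# "--" restricts the match to a regular file; ftpdctl_exec_t is the only
# entry point into ftpdctl_t, so only this binary should carry it.
/usr/bin/ftpdctl	--	gen_context(system_u:object_r:ftpdctl_exec_t,s0)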
===== proftpd.te =====
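policy_module(proftpd, 0.4.0)

########################################
#
# Declarations
#

# Types owned by the base ftp policy that this module adds rules for.
# xferlog_t is only used by the commented-out rule below; keeping it in
# the require block is harmless.
require {
	type ftpd_t;
	type ftpd_var_run_t;
	type xferlog_t;
};

# run ftpdctl in its own domain
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t,ftpdctl_exec_t)
# NOTE(review): init_system_domain() is expected to authorize system_r
# for the new type already; this line is kept in case the installed
# refpolicy does not, and is harmless when redundant.
role system_r types ftpdctl_t;

# ftpdctl control sockets have their own type.
# When ftpdctl is run, it creates a socket in /tmp and then binds it
# to the control socket for the running proftpd server, usually at
# /var/run/proftpd/proftpd.sock
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

########################################
#
# Local policy
#

# Temporary sockets created by ftpdctl in /tmp are labeled ftpdctl_tmp_t
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, { sock_file })

# Fixed in selinux-policy 2.2.29-6
#allow ftpd_t xferlog_t:dir { getattr search };

# Allow proftpd to read the routing table
allow ftpd_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow proftpd to create and use a control socket
# (/var/run/proftpd/proftpd.sock).  The pasted version had this comment
# wrapped so that the path was on a line of its own without a '#'.
allow ftpd_t self:unix_stream_socket listen;
allow ftpd_t ftpd_var_run_t:sock_file { create setattr unlink };

# Allow proftpd to remove temporary communications sockets created by
# ftpdctl (same wrapping problem as above).
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Transition to ftpdctl_t from unconfined_t.  The interface's own
# gen_require covers only the ftpdctl types, so unconfined_t must be
# brought into scope here; wrapping the whole thing in optional_policy
# keeps the module loadable on a policy that has no unconfined domain.
optional_policy(`
	gen_require(`
		type unconfined_t;
	')

	ftpdctl_domtrans(unconfined_t)
')

libs_use_ld_so(ftpdctl_t)
libs_use_shared_libs(ftpdctl_t)
term_use_generic_ptys(ftpdctl_t)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

# Allow ftpdctl to create and use temporary sockets
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
# NOTE(review): nothing in this file grants ftpdctl_t create/connect on
# its own unix_stream_socket; presumably one of the interfaces above
# (e.g. init_system_domain) supplies it — confirm against the audit log
# if ftpdctl fails to connect.

# Allow ftpdctl to talk to ftpd over a socket connection.
# The connectto rule is the trust boundary of the control channel:
# any process running in ftpdctl_t can issue control commands to the
# daemon, so entry into ftpdctl_t should stay limited to the domains
# explicitly granted ftpdctl_domtrans() (plus whatever init_system_domain
# adds).  DAC permissions on the socket still apply on top of this.
allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
allow ftpdctl_t ftpd_var_run_t:dir search;
allow ftpdctl_t ftpd_var_run_t:sock_file write;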
Paul.