Paul Howarth wrote:
The recent update of proftpd in Extras to 1.3.0 has introduced a new feature, an "ftpdctl" program allowing some run-time control of the FTP daemon, somewhat akin to rndc with named. This needs new policy. Below is what's working for me:
You should submit this for acceptance in the upstream policy package. It will probably get rolled into the ftp policy package.
You should submit updates to "Christopher J. PeBenito" cpebenito@tresys.com
===== proftpd.if =====
## <summary>FTP Daemon Control Program.</summary>

########################################
## <summary>
##	Execute the ftpdctl program in the ftpdctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ftpdctl_domtrans',`
	gen_require(`
		type ftpdctl_t, ftpdctl_exec_t;
	')

	corecmd_search_bin($1)
	domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)

	# let the caller and ftpdctl share descriptors, pipes and the exit signal
	allow $1 ftpdctl_t:fd use;
	allow ftpdctl_t $1:fd use;
	allow ftpdctl_t $1:fifo_file rw_file_perms;
	allow ftpdctl_t $1:process sigchld;
')
===== proftpd.fc ===== /usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
===== proftpd.te =====
policy_module(proftpd, 0.4.0)

########################################
#
# Declarations
#

require {
	type ftpd_t;
	type ftpd_var_run_t;
	type xferlog_t;
	# unconfined_t is passed to ftpdctl_domtrans() below; a type that is
	# neither declared nor required here makes the module fail to build
	type unconfined_t;
};

# run ftpdctl in its own domain
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t, ftpdctl_exec_t)
role system_r types ftpdctl_t;

# ftpdctl control sockets have their own domain
# When ftpdctl is run, it creates a socket in /tmp and then binds it
# to the control socket for the running proftpd server, usually at
# /var/run/proftpd/proftpd.sock
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

########################################
#
# Local policy
#

# Temporary sockets created by ftpdctl are ftpdctl_tmp_t
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, { sock_file })

# Fixed in selinux-policy 2.2.29-6
#allow ftpd_t xferlog_t:dir { getattr search };

# Allow proftpd to read the routing table
allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;

# Allow proftpd to create and use a control socket (/var/run/proftpd/proftpd.sock)
allow ftpd_t self:unix_stream_socket listen;
allow ftpd_t ftpd_var_run_t:sock_file { create setattr unlink };

# Allow proftpd to remove temporary communications sockets created by ftpdctl
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Transition to ftpdctl_t from unconfined_t
ftpdctl_domtrans(unconfined_t)
libs_use_ld_so(ftpdctl_t)
libs_use_shared_libs(ftpdctl_t)
term_use_generic_ptys(ftpdctl_t)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

# Allow ftpdctl to create and use temporary sockets
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };

# Allow ftpdctl to talk to ftpd over a socket connection
allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
allow ftpdctl_t ftpd_var_run_t:dir search;
allow ftpdctl_t ftpd_var_run_t:sock_file write;
Paul.
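The commonest way a module like the one above fails to build is a type that is used in an allow rule or handed to an interface without being declared or listed in the require block (the posted proftpd.te passes unconfined_t to ftpdctl_domtrans() but does not require it). The lint below is an added example, not part of the mailing-list post or of proftpd's own policy: it scans a .te source for type declarations, require blocks, allow rules and interface calls, and reports types that are referenced but never declared or required, plus required types that are never used. SAMPLE_TE is a constructed condensation of the posted policy with unconfined_t deliberately left out of the require block; the `_t` suffix test is a refpolicy naming heuristic, not a rule of the language.

```python
"""Lint a refpolicy .te source for undeclared and unused types (added example)."""
import re

# Constructed sample: a condensed version of the proftpd.te posted to the list,
# with unconfined_t intentionally missing from the require block.
SAMPLE_TE = """\
policy_module(proftpd, 0.4.0)

require {
	type ftpd_t;
	type ftpd_var_run_t;
	type xferlog_t;
};

type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t, ftpdctl_exec_t)
role system_r types ftpdctl_t;

type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, { sock_file })

allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
allow ftpd_t self:unix_stream_socket listen;
allow ftpd_t ftpd_var_run_t:sock_file { create setattr unlink };
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

ftpdctl_domtrans(unconfined_t)
libs_use_ld_so(ftpdctl_t)
files_read_etc_files(ftpdctl_t)
allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
allow ftpdctl_t ftpd_var_run_t:dir search;
"""

TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z0-9_,\s]+?)\s*;", re.M)
REQUIRE_BLOCK = re.compile(r"\brequire\s*\{(.*?)\}", re.S)
# everything between the rule keyword and the ':' is source and target (may be a set)
AV_RULE = re.compile(r"^\s*(?:allow|dontaudit|auditallow)\s+(.+?):", re.M)
IFACE_CALL = re.compile(r"^\s*([a-z][a-z0-9_]*)\s*\(([^)]*)\)", re.M)
TYPE_NAME = re.compile(r"^[a-z][a-z0-9_]*_t$")   # refpolicy naming heuristic


def strip_comments(text):
    return re.sub(r"#.*", "", text)


def declared_types(text):
    """Types introduced by 'type X;' or 'type X, Y;' anywhere, require blocks included."""
    names = set()
    for m in TYPE_DECL.finditer(text):
        names.update(n.strip() for n in m.group(1).split(","))
    return names


def required_types(text):
    """Types listed inside require { ... } blocks only."""
    names = set()
    for block in REQUIRE_BLOCK.finditer(text):
        names.update(declared_types(block.group(1)))
    return names


def referenced_types(text):
    """Types used as source/target of access-vector rules or as interface arguments."""
    refs = set()
    for m in AV_RULE.finditer(text):
        for tok in re.findall(r"[A-Za-z0-9_]+", m.group(1)):
            if tok != "self" and TYPE_NAME.match(tok):
                refs.add(tok)
    for m in IFACE_CALL.finditer(text):
        for tok in re.findall(r"[A-Za-z0-9_]+", m.group(2)):
            if TYPE_NAME.match(tok):
                refs.add(tok)
    return refs


def undeclared_types(text):
    """Referenced but neither declared nor required: the module will not compile."""
    text = strip_comments(text)
    return sorted(referenced_types(text) - declared_types(text))


def unused_requires(text):
    """Required but never referenced: a stale require that can be dropped."""
    text = strip_comments(text)
    return sorted(required_types(text) - referenced_types(text))


if __name__ == "__main__":
    print("undeclared:", undeclared_types(SAMPLE_TE))   # ['unconfined_t']
    print("unused requires:", unused_requires(SAMPLE_TE))  # ['xferlog_t']
```

Run against a real module with `undeclared_types(open("proftpd.te").read())`; the unused-require report is advisory, since a type may be required for a rule that is currently commented out, as xferlog_t is in the posted policy.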
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list