From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id C6CFB138010 for ; Tue, 2 Oct 2012 18:24:57 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9DFE621C02E; Tue, 2 Oct 2012 18:11:23 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 5935321C01D for ; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 46AF133D77F for ; Tue, 2 Oct 2012 18:11:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 762EBE5457 for ; Tue, 2 Oct 2012 18:11:01 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201241.97a9a51432d185833b6094c0ecd74596a3132fba.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/ftp.fc policy/modules/contrib/ftp.if policy/modules/contrib/ftp.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 97a9a51432d185833b6094c0ecd74596a3132fba X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:01 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 1f096863-f36a-4dda-b307-c9f7458f082b X-Archives-Hash: 90707c598b170f4c7c7a7c1100fbe317 commit: 97a9a51432d185833b6094c0ecd74596a3132fba Author: Dominick Grift gmail com> AuthorDate: Mon Oct 1 10:26:16 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:07:21 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=97a9a514 Changes to the ftp module Ported from Fedora with changes Removed rules to allow ftpd_t to create content in /tmp with ftpd_tmp_t type as this should not be needed. Instead make sure that ftpd_t can create content on behalf of users in /tmp with the user_tmp_t conditionally. Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/ftp.fc | 27 ++--- policy/modules/contrib/ftp.if | 49 ++++---- policy/modules/contrib/ftp.te | 275 ++++++++++++++++++++++++++-------------- 3 files changed, 216 insertions(+), 135 deletions(-) diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc index 69dcd2a..ddb75c1 100644 --- a/policy/modules/contrib/ftp.fc +++ b/policy/modules/contrib/ftp.fc 
@@ -1,14 +1,10 @@ -# -# /etc -# /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) -/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) -# -# /usr -# +/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + +/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) + /usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0) /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) @@ -19,13 +15,14 @@ /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -# -# /var -# -/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) +/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) + +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) + +/var/lock/subsys/*.ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0) -/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) +/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) +/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if index 9d3201b..d062080 100644 --- a/policy/modules/contrib/ftp.if +++ b/policy/modules/contrib/ftp.if 
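Review bot: the new lock-file entry `/var/lock/subsys/*.ftpd` is a broken regex. Paths in an .fc file are anchored regular expressions, so `/*` means "zero or more slashes" and the unescaped `.` matches any single character; the pattern therefore matches `/var/lock/subsys/ftpd` (and oddities like `/var/lock/subsysXftpd`) but not `/var/lock/subsys/vsftpd` or `/var/lock/subsys/proftpd`, which is presumably what it is for. `/var/lock/subsys/.*ftpd` or an explicit `/var/lock/subsys/(vs|pro)ftpd` expresses the intent. Minor: the added `/usr/libexec/webmin/vsftpd/webalizer/xfer_log` line lands between the `/var/run` and `/var/lock` entries; the rest of ftp.fc is sorted by path, so it belongs with the other `/usr` lines.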
@@ -1,8 +1,8 @@ -## File transfer protocol service +## File transfer protocol service. ####################################### ## -## Allow domain dyntransition to sftpd_anon domain. +## Execute a dyntransition to run anon sftpd. ## ## ## @@ -20,7 +20,7 @@ interface(`ftp_dyntrans_anon_sftpd',` ######################################## ## -## Use ftp by connecting over TCP. (Deprecated) +## Connect to over ftpd over TCP. (Deprecated) ## ## ## @@ -34,7 +34,7 @@ interface(`ftp_tcp_connect',` ######################################## ## -## Read ftpd etc files +## Read ftpd configuration files. ## ## ## @@ -67,12 +67,12 @@ interface(`ftp_check_exec',` ') corecmd_search_bin($1) - allow $1 ftpd_exec_t:file { getattr execute }; + allow $1 ftpd_exec_t:file mmap_file_perms; ') ######################################## ## -## Read FTP transfer logs +## Read ftpd log files. ## ## ## @@ -91,7 +91,7 @@ interface(`ftp_read_log',` ######################################## ## -## Execute the ftpdctl program in the ftpdctl domain. +## Execute the ftpdctl in the ftpdctl domain. ## ## ## @@ -110,7 +110,9 @@ interface(`ftp_domtrans_ftpdctl',` ######################################## ## -## Execute the ftpdctl program in the ftpdctl domain. +## Execute the ftpdctl in the ftpdctl +## domain, and allow the specified +## role the ftpctl domain. ## ## ## @@ -119,23 +121,23 @@ interface(`ftp_domtrans_ftpdctl',` ## ## ## -## The role to allow the ftpdctl domain. +## Role allowed access. ## ## ## # interface(`ftp_run_ftpdctl',` gen_require(` - type ftpdctl_t; + attribute_role ftpdctl_roles; ') ftp_domtrans_ftpdctl($1) - role $2 types ftpdctl_t; + roleattribute $2 ftpdctl_roles; ') ####################################### ## -## Allow domain dyntransition to sftpd domain. +## Execute a dyntransition to run sftpd. ## ## ## 
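Review bot: `ftp_check_exec` is silently widened from `allow $1 ftpd_exec_t:file { getattr execute };` to `mmap_file_perms`, which additionally grants `read`, `open` and `ioctl` on the ftpd binary. An interface whose name says it only checks executability should not hand out read access; if a caller really maps the binary, either say so in the interface summary or add a separate interface. Two wording nits in the same file, since the comments are what `sepolicy`/`segenxml` show users: "Connect to over ftpd over TCP" has a stray "over", and the `ftp_run_ftpdctl` summary says "ftpctl domain" where "ftpdctl domain" is meant.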
@@ -153,8 +155,8 @@ interface(`ftp_dyntrans_sftpd',` ######################################## ## -## All of the rules required to administrate -## an ftp environment +## All of the rules required to +## administrate an ftp environment. ## ## ## @@ -163,7 +165,7 @@ interface(`ftp_dyntrans_sftpd',` ## ## ## -## The role to be allowed to manage the ftp domain. +## Role allowed access. ## ## ## @@ -171,26 +173,23 @@ interface(`ftp_dyntrans_sftpd',` interface(`ftp_admin',` gen_require(` type ftpd_t, ftpdctl_t, ftpd_tmp_t; - type ftpd_etc_t, ftpd_lock_t; - type ftpd_var_run_t, xferlog_t; - type ftpd_initrc_exec_t; + type ftpd_etc_t, ftpd_lock_t, sftpd_t; + type ftpd_var_run_t, xferlog_t, anon_sftpd_t; + type ftpd_initrc_exec_t, ftpdctl_tmp_t; ') - allow $1 ftpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ftpd_t) + allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; + ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) init_labeled_script_domtrans($1, ftpd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 ftpd_initrc_exec_t system_r; allow $2 system_r; - ps_process_pattern($1, ftpdctl_t) - ftp_run_ftpdctl($1, $2) - miscfiles_manage_public_files($1) files_list_tmp($1) - admin_pattern($1, ftpd_tmp_t) + admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t }) files_list_etc($1) admin_pattern($1, ftpd_etc_t) @@ -203,4 +202,6 @@ interface(`ftp_admin',` logging_list_logs($1) admin_pattern($1, xferlog_t) + + ftp_run_ftpdctl($1, $2) ') diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te index 80026bb..e50f33c 100644 --- a/policy/modules/contrib/ftp.te +++ b/policy/modules/contrib/ftp.te @@ -1,4 +1,4 @@ -policy_module(ftp, 1.14.0) +policy_module(ftp, 1.14.1) ######################################## # @@ -6,70 +6,109 @@ policy_module(ftp, 1.14.0) # ## -##
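Review bot: `ftp_admin` will not compile as written. The process rule `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };` names `anon_sftpd`, but the type declared in `gen_require` and used in the `ps_process_pattern` call on the next line is `anon_sftpd_t`; change the set to `{ ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }`. Also, since this commit adds tunables, a role attribute and changes interface semantics, refpolicy convention is to bump the minor version (`policy_module(ftp, 1.15.0)`) rather than the patch level 1.14.1, which is reserved for bug fixes that do not change the module's interface.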

-## Allow ftp servers to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

+##

+## Determine whether ftpd can modify +## public files used for public file +## transfer services. Directories/Files must +## be labeled public_content_rw_t. +##

##
gen_tunable(allow_ftpd_anon_write, false) ## -##

-## Allow ftp servers to login to local users and -## read/write all files on the system, governed by DAC. -##

+##

+## Determine whether ftpd can login to +## local users and can read and write +## all files on the system, governed by DAC. +##

##
gen_tunable(allow_ftpd_full_access, false) ## -##

-## Allow ftp servers to use cifs -## used for public file transfer services. -##

+##

+## Determine whether ftpd can use CIFS +## used for public file transfer services. +##

##
gen_tunable(allow_ftpd_use_cifs, false) ## -##

-## Allow ftp servers to use nfs -## used for public file transfer services. -##

+##

+## Determine whether ftpd can use NFS +## used for public file transfer services. +##

##
gen_tunable(allow_ftpd_use_nfs, false) ## -##

-## Allow ftp to read and write files in the user home directories -##

+##

+## Determine whether ftpd can connect to +## databases over the TCP network. +##

+##
+gen_tunable(ftpd_connect_db, false) + +## +##

+## Determine whether ftpd can bind to all +## unreserved ports for passive mode. +##

+##
+gen_tunable(ftpd_use_passive_mode, false) + +## +##

+## Determine whether ftpd can connect to +## all unreserved ports. +##

+##
+gen_tunable(ftpd_connect_all_unreserved, false) + +## +##

+## Determine whether ftpd can read and write +## files in user home directories. +##

##
gen_tunable(ftp_home_dir, false) ## -##

-## Allow anon internal-sftp to upload files, used for -## public file transfer services. Directories must be labeled -## public_content_rw_t. -##

+##

+## Determine whether sftpd can modify +## public files used for public file +## transfer services. Directories/Files must +## be labeled public_content_rw_t. +##

##
gen_tunable(sftpd_anon_write, false) ## -##

-## Allow sftp-internal to read and write files -## in the user home directories -##

+##

+## Determine whether sftpd-can read and write +## files in user home directories. +##

##
gen_tunable(sftpd_enable_homedirs, false) ## -##

-## Allow sftp-internal to login to local users and -## read/write all files on the system, governed by DAC. -##

+##

+## Determine whether sftpd-can login to +## local users and read and write all +## files on the system, governed by DAC. +##

##
gen_tunable(sftpd_full_access, false) +## +##

+## Determine whether sftpd can read and write +## files in user ssh home directories. +##

+##
+gen_tunable(sftpd_write_ssh_home, false) + +attribute_role ftpdctl_roles; + type anon_sftpd_t; typealias anon_sftpd_t alias sftpd_anon_t; domain_type(anon_sftpd_t) @@ -100,6 +139,7 @@ files_pid_file(ftpd_var_run_t) type ftpdctl_t; type ftpdctl_exec_t; init_system_domain(ftpdctl_t, ftpdctl_exec_t) +role ftpdctl_roles types ftpdctl_t; type ftpdctl_tmp_t; files_tmp_file(ftpdctl_tmp_t) @@ -115,32 +155,22 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) ') -######################################## -# -# anon-sftp local policy -# - -files_read_etc_files(anon_sftpd_t) - -miscfiles_read_public_files(anon_sftpd_t) - -tunable_policy(`sftpd_anon_write',` - miscfiles_manage_public_files(anon_sftpd_t) +ifdef(`enable_mls',` + init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) ') ######################################## # -# ftpd local policy +# Local policy # -allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; +allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; -allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; -allow ftpd_t self:unix_stream_socket create_stream_socket_perms; -allow ftpd_t self:tcp_socket create_stream_socket_perms; -allow ftpd_t self:udp_socket create_socket_perms; +allow ftpd_t self:unix_dgram_socket sendto; +allow ftpd_t self:unix_stream_socket { accept listen }; +allow ftpd_t self:tcp_socket { accept listen }; allow ftpd_t self:shm create_shm_perms; allow ftpd_t self:key manage_key_perms; 
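Review bot: the `ftpd_t` capability set grows from `{ chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }` by `ipc_lock`, `kill` and `sys_admin`, and neither the commit message nor a comment says which server needs them. `sys_admin` in particular is close to root-equivalent; please record the denial that motivated it (and consider gating it on the tunable whose feature needs it) rather than inheriting it wholesale from Fedora. In the same hunk the `self:unix_dgram_socket`, `self:unix_stream_socket` and `self:tcp_socket` rules shrink from `create_*_socket_perms` to `sendto` / `{ accept listen }` and the `self:udp_socket` rule disappears entirely, so socket creation now has to be granted somewhere else; if that relies on Fedora's base policy, confirm that `init_daemon_domain`/the base domain rules in this tree grant the same before merging. Nit: the new tunable descriptions read "sftpd-can" twice where "sftpd can" is meant.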
@@ -149,10 +179,6 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) -manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) - manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) @@ -163,16 +189,14 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) +files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) -# proftpd requires the client side to bind a socket so that -# it can stat the socket to perform access control decisions, -# since getsockopt with SO_PEERCRED is not available on all -# proftpd-supported OSs -allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; +allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; -# Create and modify /var/log/xferlog. -manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) +allow ftpd_t xferlog_t:dir setattr_dir_perms; +append_files_pattern(ftpd_t, xferlog_t, xferlog_t) +create_files_pattern(ftpd_t, xferlog_t, xferlog_t) +setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t) logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) 
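Review bot: the comment explaining why `ftpd_t` needs `getattr unlink` on `ftpdctl_tmp_t` sockets (proftpd stats the client's socket for access control because `SO_PEERCRED` is not available everywhere) is deleted while the rule itself only changes spelling (`delete_sock_file_perms` is `{ getattr unlink }`); keep the comment above the new line, nothing else in the module records that rationale. The xferlog change is a real tightening (append/create/setattr instead of `manage_files_pattern`), but `allow ftpd_t xferlog_t:dir setattr_dir_perms;` looks out of place: `logging_log_filetrans(ftpd_t, xferlog_t, file)` only creates files, and nothing in the diff shows a server changing attributes on `/var/log/proftpd`. Finally, the three removed `ftpd_tmp_t` rules match the commit message, yet `type ftpd_tmp_t` and its `admin_pattern` in `ftp_admin` survive; if no domain labels anything `ftpd_tmp_t` any more, drop the type as well or say why it is kept.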
@@ -193,17 +217,15 @@ corenet_udp_sendrecv_generic_node(ftpd_t) corenet_tcp_sendrecv_all_ports(ftpd_t) corenet_udp_sendrecv_all_ports(ftpd_t) corenet_tcp_bind_generic_node(ftpd_t) + +corenet_sendrecv_ftp_server_packets(ftpd_t) corenet_tcp_bind_ftp_port(ftpd_t) + +corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) -corenet_tcp_bind_generic_port(ftpd_t) -corenet_tcp_bind_all_unreserved_ports(ftpd_t) -corenet_dontaudit_tcp_bind_all_ports(ftpd_t) -corenet_tcp_connect_all_ports(ftpd_t) -corenet_sendrecv_ftp_server_packets(ftpd_t) domain_use_interactive_fds(ftpd_t) -files_search_etc(ftpd_t) files_read_etc_files(ftpd_t) files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) @@ -212,13 +234,10 @@ fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) fs_search_fusefs(ftpd_t) -auth_use_nsswitch(ftpd_t) -auth_domtrans_chk_passwd(ftpd_t) -# Append to /var/log/wtmp. -auth_append_login_records(ftpd_t) -#kerberized ftp requires the following +auth_use_pam(ftpd_t) auth_write_login_records(ftpd_t) auth_rw_faillog(ftpd_t) +auth_manage_var_auth(ftpd_t) init_rw_utmp(ftpd_t) @@ -231,7 +250,6 @@ miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -sysnet_read_config(ftpd_t) sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) 
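Review bot: removing `corenet_tcp_bind_all_unreserved_ports`, `corenet_tcp_bind_generic_port` and `corenet_tcp_connect_all_ports` from the unconditional rules is a behaviour change that the commit message does not mention: passive-mode data sockets now depend on `ftpd_use_passive_mode` and active-mode connections to the client's ephemeral port on `ftpd_connect_all_unreserved`, both of which default to `false`, so a stock vsftpd or proftpd install will start denying data connections after this update until an admin flips a boolean. That is arguably the right default, but it belongs in the commit message, and the two tunable descriptions should say which FTP mode each one enables. Folding `auth_use_nsswitch` and `auth_domtrans_chk_passwd` into `auth_use_pam` is fine; `auth_manage_var_auth(ftpd_t)` is a new, broad grant on `var_auth_t` content and should say which PAM module needs it.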
@@ -264,26 +282,52 @@ tunable_policy(`allow_ftpd_full_access',` files_manage_non_auth_files(ftpd_t) ') +tunable_policy(`ftpd_use_passive_mode',` + corenet_sendrecv_all_server_packets(ftpd_t) + corenet_tcp_bind_all_unreserved_ports(ftpd_t) +') + +tunable_policy(`ftpd_connect_all_unreserved',` + corenet_sendrecv_all_client_packets(ftpd_t) + corenet_tcp_connect_all_unreserved_ports(ftpd_t) +') + +tunable_policy(`ftpd_connect_db',` + corenet_sendrecv_gds_db_client_packets(ftpd_t) + corenet_tcp_connect_gds_db_port(ftpd_t) + corenet_tcp_sendrecv_gds_db_port(ftpd_t) + corenet_sendrecv_mssql_client_packets(ftpd_t) + corenet_tcp_connect_mssql_port(ftpd_t) + corenet_tcp_sendrecv_mssql_port(ftpd_t) + corenet_sendrecv_oracledb_client_packets(ftpd_t) + corenet_tcp_connect_oracledb_port(ftpd_t) + corenet_tcp_sendrecv_oracledb_port(ftpd_t) +') + tunable_policy(`ftp_home_dir',` allow ftpd_t self:capability { dac_override dac_read_search }; - # allow access to /home - files_list_home(ftpd_t) - userdom_read_user_home_content_files(ftpd_t) userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_files(ftpd_t) - userdom_manage_user_home_content_symlinks(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) + userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) + userdom_manage_user_tmp_dirs(ftpd_t) + userdom_manage_user_tmp_files(ftpd_t) + userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) +',` + userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) + userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_dirs(ftpd_t) fs_manage_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) + fs_manage_nfs_symlinks(ftpd_t) ') tunable_policy(`ftp_home_dir && use_samba_home_dirs',` + fs_manage_cifs_dirs(ftpd_t) fs_manage_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) + fs_manage_cifs_symlinks(ftpd_t) ') optional_policy(` 
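Review bot: `userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })` and `userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })` appear in both the if and the else branch of `tunable_policy(`ftp_home_dir', ...)`, which makes them unconditional; hoist them out of the block (type_transition rules grant no access on their own, so this is safe) and leave only the manage rules conditional. Also, the local-home branch drops `userdom_manage_user_home_content_symlinks` and the `lnk_file` transition while the NFS and CIFS branches gain `fs_manage_nfs_symlinks` / `fs_manage_cifs_symlinks`; decide whether ftpd may create symlinks in home directories and make the three branches agree.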
@@ -309,10 +353,30 @@ optional_policy(` ') optional_policy(` + fail2ban_read_lib_files(ftpd_t) +') + +optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) - kerberos_manage_host_rcache(ftpd_t) + kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") +') + +optional_policy(` + mysql_stream_connect(ftpd_t) + + tunable_policy(`ftpd_connect_db',` + mysql_tcp_connect(ftpd_t) + ') +') + +optional_policy(` + postgresql_stream_connect(ftpd_t) + + tunable_policy(`ftpd_connect_db',` + postgresql_tcp_connect(ftpd_t) + ') ') optional_policy(` 
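Review bot: `kerberos_manage_host_rcache(ftpd_t)` is replaced by `kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")`, which only installs a named type transition for a file literally called `host_0` and grants no permissions at all. Unless `kerberos_keytab_template` already gives `ftpd_t` manage rights on the host rcache type in this tree, kerberized logins will fail the moment the replay cache is written; please confirm which interface supplies the allow rules, and note in a comment that rcache files with any other name will no longer be labeled correctly.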
@@ -342,41 +406,54 @@ optional_policy(` ######################################## # -# ftpdctl local policy +# Ctl local policy # -# Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) -# ftpdctl creates a socket so that the daemon can perform -# access control decisions (see comments in ftpd_t rules above) -allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; +allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) -# Allow ftpdctl to read config files files_read_etc_files(ftpdctl_t) +files_search_pids(ftpdctl_t) userdom_use_user_terminals(ftpdctl_t) ######################################## # -# sftpd local policy +# Anon sftpd local policy +# + +files_read_etc_files(anon_sftpd_t) + +miscfiles_read_public_files(anon_sftpd_t) + +tunable_policy(`sftpd_anon_write',` + miscfiles_manage_public_files(anon_sftpd_t) +') + +######################################## +# +# Sftpd local policy # files_read_etc_files(sftpd_t) -# allow read access to /home by default userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) tunable_policy(`sftpd_enable_homedirs',` allow sftpd_t self:capability { dac_override dac_read_search }; - # allow access to /home - files_list_home(sftpd_t) - userdom_manage_user_home_content_files(sftpd_t) userdom_manage_user_home_content_dirs(sftpd_t) + userdom_manage_user_home_content_files(sftpd_t) userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) + userdom_manage_user_tmp_dirs(sftpd_t) + userdom_manage_user_tmp_files(sftpd_t) + userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) +',` + userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) + userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` 
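Review bot: the ftpdctl comments explaining the client-side socket handshake (`# ftpdctl creates a socket so that the daemon can perform access control decisions`) are removed in the same hunk that widens `allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };` to `manage_sock_file_perms` (which adds `unlink`, `rename`, `link`, `read`, `write` and more); keep the comment, since nothing else explains why a control client creates sockets in /tmp, and say which of the extra permissions were actually denied. Same structural point as in the `ftpd_t` section: the `userdom_user_home_dir_filetrans_user_home_content` and `userdom_tmp_filetrans_user_tmp` calls sit in both branches of `tunable_policy(`sftpd_enable_homedirs', ...)` and should be hoisted out of it.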
@@ -391,21 +468,27 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` fs_manage_cifs_symlinks(sftpd_t) ') +tunable_policy(`sftpd_anon_write',` + miscfiles_manage_public_files(sftpd_t) +') + tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) files_manage_non_auth_files(sftpd_t) ') +tunable_policy(`sftpd_write_ssh_home',` + ssh_manage_home_files(sftpd_t) +') + tunable_policy(`use_samba_home_dirs',` - # allow read access to /home by default fs_list_cifs(sftpd_t) fs_read_cifs_files(sftpd_t) fs_read_cifs_symlinks(sftpd_t) ') tunable_policy(`use_nfs_home_dirs',` - # allow read access to /home by default fs_list_nfs(sftpd_t) fs_read_nfs_files(sftpd_t) fs_read_nfs_symlinks(ftpd_t)
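Review bot: pre-existing but visible in the trailing context: the `use_nfs_home_dirs` block in the sftpd section ends with `fs_read_nfs_symlinks(ftpd_t)` while every other rule in that block targets `sftpd_t`; it should read `fs_read_nfs_symlinks(sftpd_t)` and is worth fixing while the file is being reworked. Separately, the new `tunable_policy(`sftpd_anon_write', ...)` gives `miscfiles_manage_public_files` to the authenticated `sftpd_t`, so one boolean now controls writes to `public_content_rw_t` by both `anon_sftpd_t` and `sftpd_t`; if that is intended, the `sftpd_anon_write` description should say so, otherwise this wants its own tunable.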