Add SELinux protection to Pure-FTPd

Fri Apr 28 15:54:27 UTC 2006

Aurelien Bompard wrote:
> Stephen Smalley wrote:
>> policy_module(pureftpd, 1.0) is preferred syntax going forward.
>> If you use policy_module() macro, you'll get the kernel class and
>> permission requires as part of it, so you won't need to explicitly
>> specify them each time.
> 
> Yay ! Done that.
> 
>> Does it truly need write access?  The library always tries to open rw
>> first, then falls back to read-only if it cannot open rw, so even just
>> reading utmp will show up in avc messages as a rw attempt.   Try just
>> allowing read, and dontaudit'ing the write permission.
> 
> That's right, it only needs read access. I've added:
> init_read_utmp(ftpd_t)
> init_dontaudit_write_utmp(ftpd_t)
> to the module (picked from the policy sources)
>  
>> Macros aka interfaces are preferred, as they preserve
>> modularity/encapsulation and thus make your module more portable to
>> other base policies.
> 
> OK. I'll use sysnet_use_ldap to allow LDAP access then.
> 
>> I don't think you want to put it in /usr/share/selinux/targeted (as that
>> could conflict in the future with the policy package), but I would
>> suggest putting it under /usr/share/selinux/<packagename> or similar to
>> keep all policy modules under that selinux tree, unless that also
>> presents some kind of conflict problem?
> 
> Looks good to me, except I've placed it
> in /usr/share/selinux/packages/<packagename> to avoid the base and targeted
> dirs being buried under a ton of packages dirs in the future.

I've been trying to take this sort of approach with a package I'm 
developing. Two issues concern me at the moment:

1. I build the policy module from te/fc/if files during the package's 
"build" script. I get output like this:

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
make: Entering directory 
`/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'
Compiling targeted contagged module
/usr/bin/checkmodule:  loading policy configuration from tmp/contagged.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 5) to 
tmp/contagged.mod
Creating targeted contagged.pp policy package
make: Leaving directory 
`/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'

This suggests to me that the resulting contagged.pp module is specific 
to the targeted policy (which I'm running on the host system), so it 
would presumably not work with other policies. Is that right? So would 
it be better to build and install the policy at package install time 
rather than package build time? Or could there be separate modules for 
each policy? If so, how would they be built?

2. A mock build fails, presumably because mock does not mount /selinux?

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
make: Entering directory `/builddir/build/BUILD/contagged-0.3/SELinux'
/usr/share/selinux/devel/Makefile:14: 
/usr/share/selinux/targeted/include/Makefile: No such file or directory
make: *** No rule to make target 
`/usr/share/selinux/targeted/include/Makefile'.  Stop.
make: Leaving directory `/builddir/build/BUILD/contagged-0.3/SELinux'
error: Bad exit status from /var/tmp/rpm-tmp.42152 (%build)

This also suggests that install-time module building is needed, at least 
for anything intending to go into Fedora Extras, where mock is used for 
the buildsystem. I guess that would present a problem if the admin of 
the system wanted to change to a different policy - the module would 
have to be rebuilt somehow.

Paul.