proftpd and ftpdctl

Paul Howarth paul at city-fan.org
Tue Jun 6 12:16:08 UTC 2006 

The recent update of proftpd in Extras to 1.3.0 has introduced a new 
feature, an "ftpdctl" program allowing some run-time control of the FTP 
daemon, somewhat akin to rndc with named. This needs new policy. Below 
is what's working for me:

===== proftpd.if =====
## <summary>FTP Daemon Control Program.</summary>

########################################
## <summary>
##      Execute the ftpdctl program in the ftpdctl domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`ftpdctl_domtrans',`
         gen_require(`
                 type ftpdctl_t, ftpdctl_exec_t;
         ')

         corecmd_search_bin($1)
         domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)

         allow $1 ftpdctl_t:fd use;
         allow ftpdctl_t $1:fd use;
         allow ftpdctl_t $1:fifo_file rw_file_perms;
         allow ftpdctl_t $1:process sigchld;
')

===== proftpd.fc =====
/usr/bin/ftpdctl        -- 
gen_context(system_u:object_r:ftpdctl_exec_t,s0)

===== proftpd.te =====
policy_module(proftpd, 0.4.0)

########################################
#
# Declarations
#

require {
         type ftpd_t;
         type ftpd_var_run_t;
         type xferlog_t;
};

# run ftpdctl in its own domain
type ftpdctl_t;
type ftpdctl_exec_t;
init_system_domain(ftpdctl_t,ftpdctl_exec_t)
role system_r types ftpdctl_t;

# ftpdctl control sockets have their own domain
# When ftpdctl is run, it creates a socket in /tmp and then binds it
# to the control socket for the running proftpd server, usually at
# /var/run/proftpd/proftpd.sock
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)

########################################
#
# Local policy
#

# Temporary sockets created by ftpdctl are ftpdctl_tmp_t
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, { sock_file })

# Fixed in selinux-policy 2.2.29-6
#allow ftpd_t xferlog_t:dir { getattr search };

# Allow proftpd to read the routing table
allow ftpd_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow proftpd to create and use a control socket 
(/var/run/proftpd/proftpd.sock)
allow ftpd_t self:unix_stream_socket listen;
allow ftpd_t ftpd_var_run_t:sock_file { create setattr unlink };

# Allow proftpd to remove temporary communications sockets created by 
ftpdctl
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };

# Transition to ftpdctl_t from unconfined_t
ftpdctl_domtrans(unconfined_t)
libs_use_ld_so(ftpdctl_t)
libs_use_shared_libs(ftpdctl_t)
term_use_generic_ptys(ftpdctl_t)

# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)

# Allow ftpdctl to create and use temporary sockets
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };

# Allow ftpdctl to talk to ftpd over a socket connection
allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
allow ftpdctl_t ftpd_var_run_t:dir search;
allow ftpdctl_t ftpd_var_run_t:sock_file write;

Paul.

More information about the fedora-selinux-list mailing list