Add SELinux protection to Pure-FTPd

Fri Apr 14 13:00:05 UTC 2006


I'm trying to add SELinux protection to Pure-FTPd. It's an FTP server, so
labelling the binary ftpd_t did 99% of the job! Well done, SELinux
devs!
But this server has additional features, like the possibility to get its
user list from MySQL, PostgreSQL or LDAP. So I've written this .te file:

module pureftpd 1.0;

# Everything the allow rules below refer to must be declared here;
# the block has to be closed before the first allow rule or checkmodule
# rejects the file.
require {
        class dir { getattr search };
        class file { read write };
        class tcp_socket name_connect;
        class sock_file { getattr read write append ioctl lock };
        class unix_stream_socket { read write connectto };

        type ftpd_t;
        type initrc_var_run_t;
        type mysqld_port_t;
        type ldap_port_t;
}

# Write to /var/run/utmp
allow ftpd_t initrc_var_run_t:file { read write };

### Allow connect to mysql
# Network connect
# Socket file connect

### Allow connect to postgresql
# Network connect
# Socket file connect

# Allow connect to ldap
allow ftpd_t ldap_port_t:tcp_socket name_connect;

I figured that out mainly by reading the policy source (mainly apache's),
and with the help of the wiki page that explains
how to let SpamAssassin connect to LDAP.

I have a few questions:
 - Does this look OK to you?
 - Is it better to use the macros (like mysql_stream_connect(ftpd_t)) or to
write the policies explicitly (allow ftpd_t mysqld_port_t:tcp_socket
name_connect)?
 - The apache policy source used the sysnet_use_ldap macro to let it access
LDAP. It looks like it does much more and requires much more than the
simple allow tcp_socket name_connect. Yet, this is the one advertised in
the wiki. Which solution should I choose?
 - I'll build the module in %install and load it in %post. Any preferred
place for the .pp file? Is /usr/share/pure-ftpd OK, or would it be better
to put it in /usr/share/selinux/targeted?

When this is verified, I'll add it to the wiki page.

Thanks a lot for your help!
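The rules in a module like the one above are normally derived from the AVC denials the daemon produces while running, and generating the file mechanically also avoids the easy mistakes (a require block that is not closed, a type used in an allow rule but never required). The script below is an added example, not code from the original post or from Pure-FTPd: it parses a handful of constructed AVC lines modelled on the accesses the posted module grants, merges the permissions per (source type, target type, class), keeps only the ftpd_t domain, renders a .te module with a complete require block, and compiles it with checkmodule and semodule_package (loading it with semodule is the %post step and needs root). The sample lines, the timestamps and the names parse_avc, render_module and build_module are assumptions of this example.

```python
"""Derive a minimal SELinux .te module from AVC denial lines.

Added example, not code from the original post or from Pure-FTPd.  The AVC
lines, the type names and the function names are constructed for illustration;
the rendered module mirrors the shape of the pureftpd module in the post.
"""
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed sample denials (2.6-era auditd format).  Two of them hit the
# same file type with different permissions, one comes from an unrelated
# domain (httpd_t) and one is not an AVC record at all.
SAMPLE_AVC = """\
type=AVC msg=audit(1145019605.101:45): avc:  denied  { read write } for  pid=1234 comm="pure-ftpd" name="utmp" dev=hda3 ino=12345 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
type=AVC msg=audit(1145019605.102:46): avc:  denied  { getattr } for  pid=1234 comm="pure-ftpd" name="utmp" dev=hda3 ino=12345 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
type=AVC msg=audit(1145019606.201:47): avc:  denied  { name_connect } for  pid=1234 comm="pure-ftpd" dest=389 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=AVC msg=audit(1145019607.301:48): avc:  denied  { name_connect } for  pid=1234 comm="pure-ftpd" dest=3306 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=AVC msg=audit(1145019608.401:49): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=USER_AUTH msg=audit(1145019609.501:50): user pid=3333 uid=0 auid=0 msg='PAM: authentication acct=fred exe="/usr/sbin/pure-ftpd" res=success'
"""

# Permissions in braces, then the source and target contexts and the class.
# Contexts are captured whole and split on ':' so an MLS suffix (":s0")
# does not end up being mistaken for the type.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\w+)"
)


def parse_avc(lines, source_type=None):
    """Return {(source_type, target_type, tclass): set(perms)}, merging every
    denial that hits the same triple.  With source_type set, denials from
    other domains are dropped so they cannot sneak into this module."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record
        stype = m["scontext"].split(":")[2]
        ttype = m["tcontext"].split(":")[2]
        if source_type and stype != source_type:
            continue
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return dict(rules)


def _perm_set(perms):
    """One permission is written bare, several go in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, version, rules):
    """Render the .te text: header, a closed require block naming every class
    (with the union of its permissions) and every type the rules use, then one
    allow rule per (source, target, class).  Output is sorted so it is stable."""
    classes, types = defaultdict(set), set()
    for (stype, ttype, tclass), perms in rules.items():
        classes[tclass].update(perms)
        types.update((stype, ttype))
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\tclass {c} {_perm_set(classes[c])};" for c in sorted(classes)]
    lines.append("")
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines.append("}")  # checkmodule rejects a require block left unclosed
    lines.append("")
    for key in sorted(rules):
        stype, ttype, tclass = key
        lines.append(f"allow {stype} {ttype}:{tclass} {_perm_set(rules[key])};")
    return "\n".join(lines) + "\n"


def build_module(te_path, load=False):
    """Compile te_path to a .pp beside it (the %install step) and, if asked,
    load it with semodule (the %post step, which needs root).  Returns the .pp
    path, or None when the policy toolchain is not installed on this host."""
    if not all(shutil.which(t) for t in ("checkmodule", "semodule_package")):
        return None
    base = te_path[: -len(".te")]
    subprocess.run(["checkmodule", "-M", "-m", "-o", base + ".mod", te_path], check=True)
    subprocess.run(["semodule_package", "-o", base + ".pp", "-m", base + ".mod"], check=True)
    if load:
        subprocess.run(["semodule", "-i", base + ".pp"], check=True)
    return base + ".pp"


if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AVC.splitlines(), source_type="ftpd_t")
    te = render_module("pureftpd", "1.0", rules)
    print(te)
    with open("pureftpd.te", "w") as f:
        f.write(te)
    print("built:", build_module("pureftpd.te"))
```

The generated rules are a starting point, not a verdict: each denial still has to be checked against what the daemon legitimately needs (an unrelated domain's denials are filtered out for exactly that reason), and where the base policy ships an interface for the access, such as the mysql and ldap ones mentioned above, calling it keeps the module in step with later changes to the target types.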

