Add SELinux protection to Pure-FTPd

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 14 14:01:58 UTC 2006


On Fri, 2006-04-14 at 15:00 +0200, Aurelien Bompard wrote:
> module pureftpd 1.0;

policy_module(pureftpd, 1.0) is preferred syntax going forward.

> require {
>         class dir { getattr search };
>         class file { read write };
>         class tcp_socket name_connect;
>         class sock_file { getattr read write append ioctl lock };
>         class unix_stream_socket { read write connectto };

If you use policy_module() macro, you'll get the kernel class and
permission requires as part of it, so you won't need to explicitly
specify them each time.

>         type ftpd_t;
>         type initrc_var_run_t;
>         type mysqld_port_t;
>         type ldap_port_t;
> };
> 
> # Write to /var/run/utmp
> allow ftpd_t initrc_var_run_t:file { read write };

Does it truly need write access?  The library always tries to open rw
first, then falls back to read-only if it cannot open rw, so even just
reading utmp will show up in avc messages as a rw attempt.   Try just
allowing read, and dontaudit'ing the write permission.

> ### Allow connect to mysql
> # Network connect
> corenet_tcp_connect_mysqld_port(ftpd_t)
> # Socket file connect
> mysql_stream_connect(ftpd_t);
> mysql_rw_db_sockets(ftpd_t)
> 
> ### Allow connect to postgresql
> # Network connect
> corenet_tcp_connect_postgresql_port(ftpd_t)
> # Socket file connect
> postgresql_stream_connect(ftpd_t)
> 
> # Allow connect to ldap
> allow ftpd_t ldap_port_t:tcp_socket name_connect;
> ==========================
> 
> I figured that out mainly by reading the policy source (mainly apache's),
> and with the help of the wiki :
> http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow explains
> how to let SpamAssassin connect to LDAP.
> 
> I have a few questions:
>  - Does this look OK to you ?
>  - Is it better to use the macros ( like mysql_stream_connect(ftpd_t)) or to
> write the policies explicitly (allow ftpd_t mysqld_port_t:tcp_socket
> name_connect)  ?

Macros aka interfaces are preferred, as they preserve
modularity/encapsulation and thus make your module more portable to
other base policies.  There are plans to introduce interfaces as direct
constructs in the policy language and module format such that these
interfaces can be expanded at link-time rather than module build time,
which will further improve the portability of your module.

>  - The apache policy source used the sysnet_use_ldap macro to let it access
> LDAP. It looks like it does much more and requires much more than the
> simple allow tcp_socket name_connect. Yet, this is the one advertised in
> the wiki. Which solution should I choose ?
>  - I'll build the module in %install and load it in %post. Any preferred
> place for the .pp file ? /usr/share/pure-ftpd is OK, or would it be better
> to put it in /usr/share/selinux/targeted ?

I don't think you want to put it in /usr/share/selinux/targeted (as that
could conflict in the future with the policy package), but I would
suggest putting it under /usr/share/selinux/<packagename> or similar to
keep all policy modules under that selinux tree, unless that also
presents some kind of conflict problem?

> When this is verified, I'll add it to the wiki page
> (http://fedoraproject.org/wiki/Packaging/SELinux).
> 
> 
> Thanks a lot for your help !
> 
> 
> Aurélien
-- 
Stephen Smalley
National Security Agency
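
The quoted module with the suggestions from this reply applied, as an added example that is not part of the original thread or anyone's posted policy. It assumes a build against the reference policy macros; `gen_require` is the reference policy macro for the require block and does not appear in the messages above, and `mysqld_port_t` is dropped from the requires because no raw rule references it.

```te
policy_module(pureftpd, 1.0)

# The module declaration macro already pulls in the kernel classes and
# permissions, so only the types used by raw rules are required here.
gen_require(`
	type ftpd_t;
	type initrc_var_run_t;
	type ldap_port_t;
')

# /var/run/utmp: grant read only. The library tries a read-write open
# first and falls back to read-only, so the write attempt is silenced
# with dontaudit instead of being allowed.
allow ftpd_t initrc_var_run_t:file read;
dontaudit ftpd_t initrc_var_run_t:file write;

# MySQL over TCP and over the local socket, through interfaces.
corenet_tcp_connect_mysqld_port(ftpd_t)
mysql_stream_connect(ftpd_t)
mysql_rw_db_sockets(ftpd_t)

# PostgreSQL over TCP and over the local socket, through interfaces.
corenet_tcp_connect_postgresql_port(ftpd_t)
postgresql_stream_connect(ftpd_t)

# LDAP: raw rule kept as in the quoted module.
allow ftpd_t ldap_port_t:tcp_socket name_connect;
```

Whether read access alone is enough for utmp has to be confirmed by running the daemon with this module loaded and checking for remaining AVC denials.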
