Add SELinux protection to Pure-FTPd

Aurelien Bompard gauret at free.fr
Fri Apr 14 13:00:05 UTC 2006 

Hi,

I'm trying to add SELinux protection to Pure-FTPd. It's an FTP server, so
labelling the binary to ftpd_t did 99% of the job ! Well done SELinux
devs !
But this server has additional features, like the possibility to get its
user list from MySQL, PostgreSQL or LDAP. So I've written this te file :

==========================
module pureftpd 1.0;

require {
    class dir { getattr search };
        class file { read write };
        class tcp_socket name_connect;
        class sock_file { getattr read write append ioctl lock };
        class unix_stream_socket { read write connectto };

        type ftpd_t;
        type initrc_var_run_t;
        type mysqld_port_t;
        type ldap_port_t;
};

# Write to /var/run/utmp
allow ftpd_t initrc_var_run_t:file { read write };

### Allow connect to mysql
# Network connect
corenet_tcp_connect_mysqld_port(ftpd_t)
# Socket file connect
mysql_stream_connect(ftpd_t);
mysql_rw_db_sockets(ftpd_t)

### Allow connect to postgresql
# Network connect
corenet_tcp_connect_postgresql_port(ftpd_t)
# Socket file connect
postgresql_stream_connect(ftpd_t)

# Allow connect to ldap
allow ftpd_t ldap_port_t:tcp_socket name_connect;
==========================

I figured that out mainly by reading the policy source (mainly apache's),
and with the help of the wiki :
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow explains
how to let SpamAssassin connect to LDAP.

I have a few questions:
 - Does this look OK to you ?
 - Is it better to use the macros ( like mysql_stream_connect(ftpd_t)) or to
write the policies explicitely (allow ftpd_t mysqld_port_t:tcp_socket
name_connect)  ?
 - The apache policy source used the sysnet_use_ldap macro to let it access
LDAP. It looks like it does much more and requires much more than the
simple allow tcp_socket name_connect. Yet, this is the one advertised in
the wiki. Which solution should I choose ?
 - I'll build the module in %install and load it in %post. Any preferred
place for the .pp file ? /usr/share/pure-ftpd is OK, or would it be better
to put it in /usr/share/selinux/targeted ?


When this is verified, I'll add it to the wiki page
(http://fedoraproject.org/wiki/Packaging/SELinux).


Thanks a lot for your help !


Aurélien
-- 
http://aurelien.bompard.org  ~~~~  Jabber : abompard at jabber.fr
For external use only

More information about the selinux mailing list