Add SELinux protection to Pure-FTPd
Aurelien Bompard
gauret at free.fr
Fri Apr 14 13:00:05 UTC 2006
Hi,
I'm trying to add SELinux protection to Pure-FTPd. It's an FTP server, so
labelling the binary to ftpd_t did 99% of the job! Well done SELinux
devs!
But this server has additional features, like the possibility to get its
user list from MySQL, PostgreSQL or LDAP. So I've written this .te file:
==========================
module pureftpd 1.0;
require {
class dir { getattr search };
class file { read write };
class tcp_socket name_connect;
class sock_file { getattr read write append ioctl lock };
class unix_stream_socket { read write connectto };
type ftpd_t;
type initrc_var_run_t;
type mysqld_port_t;
type ldap_port_t;
};
# Write to /var/run/utmp
allow ftpd_t initrc_var_run_t:file { read write };
### Allow connect to mysql
# Network connect
corenet_tcp_connect_mysqld_port(ftpd_t)
# Socket file connect
mysql_stream_connect(ftpd_t)
mysql_rw_db_sockets(ftpd_t)
### Allow connect to postgresql
# Network connect
corenet_tcp_connect_postgresql_port(ftpd_t)
# Socket file connect
postgresql_stream_connect(ftpd_t)
# Allow connect to ldap
allow ftpd_t ldap_port_t:tcp_socket name_connect;
==========================
I figured that out mainly by reading the policy source (mainly apache's),
and with the help of the wiki:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow explains
how to let SpamAssassin connect to LDAP.
I have a few questions:
- Does this look OK to you?
- Is it better to use the macros (like mysql_stream_connect(ftpd_t)) or to
write the policies explicitly (allow ftpd_t mysqld_port_t:tcp_socket
name_connect)?
- The apache policy source used the sysnet_use_ldap macro to let it access
LDAP. It looks like it does much more and requires much more than the
simple allow tcp_socket name_connect. Yet, this is the one advertised in
the wiki. Which solution should I choose ?
- I'll build the module in %install and load it in %post. Any preferred
place for the .pp file ? /usr/share/pure-ftpd is OK, or would it be better
to put it in /usr/share/selinux/targeted ?
When this is verified, I'll add it to the wiki page
(http://fedoraproject.org/wiki/Packaging/SELinux).
Thanks a lot for your help!
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
For external use only
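Editor's note: the fourth question (build the module in %install, load it in %post) is the one a packager trips over most, so here is a worked build-package-verify script as an added example. It is not code from the original post or from Pure-FTPd. It writes the post's .te file as given, builds it through the reference-policy headers (the Fedora path /usr/share/selinux/devel/Makefile from selinux-policy-devel), loads it and checks with sesearch that the rule really exists. The module name and the package-owned directory /usr/share/selinux/packages for the .pp file are assumptions for this example, not something the post settled.

```shell
#!/bin/sh
# Added example for this page, not code from the original post or from
# Pure-FTPd: build the module from the post with the policy headers, package
# it as the post plans (%install/%post) and verify the rule landed.
# Assumed for the example: the module name, the package-owned .pp directory
# below, and the Fedora path of the refpolicy headers (selinux-policy-devel).
set -u

MODNAME=pureftpd
PKGDIR=/usr/share/selinux/packages   # assumption, see lead-in

# Write the module source (the post's .te, with the interface calls written
# without a trailing ';' by convention). Interface calls are m4 macros from
# the headers; raw allow rules end with ';' and every type and class they
# name must be declared in require { }.
write_te() {
    cat > "$1/$MODNAME.te" <<'EOF'
module pureftpd 1.0;

require {
    class dir { getattr search };
    class file { read write };
    class tcp_socket name_connect;
    class sock_file { getattr read write append ioctl lock };
    class unix_stream_socket { read write connectto };
    type ftpd_t;
    type initrc_var_run_t;
    type mysqld_port_t;
    type ldap_port_t;
}

# Write to /var/run/utmp
allow ftpd_t initrc_var_run_t:file { read write };
# MySQL: network port, then local socket
corenet_tcp_connect_mysqld_port(ftpd_t)
mysql_stream_connect(ftpd_t)
mysql_rw_db_sockets(ftpd_t)
# PostgreSQL: network port, then local socket
corenet_tcp_connect_postgresql_port(ftpd_t)
postgresql_stream_connect(ftpd_t)
# LDAP over the network, written as a raw rule (hence the require entries)
allow ftpd_t ldap_port_t:tcp_socket name_connect;
EOF
}

# Build through the refpolicy Makefile so m4 expands the interface calls;
# running checkmodule directly on this file would fail, because checkmodule
# only understands raw rules. 0 = built, 2 = headers missing (an RPM
# scriptlet can then skip instead of failing), 1 = real build error.
build_pp() {
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" >/dev/null ) || return 1
    [ -f "$1/$MODNAME.pp" ]
}

# Load into the running policy store (what %post does). 2 = SELinux not
# enabled or semodule absent on this host.
load_pp() {
    command -v semodule >/dev/null 2>&1 || return 2
    selinuxenabled 2>/dev/null || return 2
    semodule -i "$1"
}

# Check the effect rather than trusting the build: does ftpd_t now have
# name_connect on the given port type? 0 = yes, 1 = no, 2 = setools missing.
verify_rule() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s ftpd_t -t "$1" -c tcp_socket -p name_connect 2>/dev/null | grep -q name_connect
}

# Spec scriptlets: %install copies the .pp to $PKGDIR; these load it on
# install/upgrade and remove it on the final erase ($1 is 0 only then).
spec_scriptlets() {
    cat <<EOF
%post
[ -x /usr/sbin/semodule ] && /usr/sbin/semodule -i $PKGDIR/$MODNAME.pp >/dev/null 2>&1 || :

%postun
[ \$1 -eq 0 ] && [ -x /usr/sbin/semodule ] && /usr/sbin/semodule -r $MODNAME >/dev/null 2>&1 || :
EOF
}

# Stand-alone run: build in a scratch directory, load if we can, verify.
work=$(mktemp -d)
write_te "$work"
build_pp "$work"; rc=$?
case $rc in
    0) echo "built $MODNAME.pp"
       if load_pp "$work/$MODNAME.pp"; then
           verify_rule mysqld_port_t && echo "ftpd_t -> mysqld_port_t:tcp_socket name_connect is allowed"
       fi ;;
    2) echo "policy headers not installed; wrote $MODNAME.te only" ;;
    *) echo "build failed" ;;
esac
rm -rf "$work"
```

The verify step is the part worth keeping around: a module that builds and loads can still leave the access denied (wrong source type, a port type that differs between policy versions), and sesearch on the loaded policy is the only check that does not depend on reading the .te correctly.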