Add SELinux protection to Pure-FTPd

Aurelien Bompard gauret at free.fr
Fri Apr 14 14:47:24 UTC 2006


Stephen Smalley wrote:
> policy_module(pureftpd, 1.0) is preferred syntax going forward.
> If you use policy_module() macro, you'll get the kernel class and
> permission requires as part of it, so you won't need to explicitly
> specify them each time.

Yay! Done that.

> Does it truly need write access?  The library always tries to open rw
> first, then falls back to read-only if it cannot open rw, so even just
> reading utmp will show up in avc messages as a rw attempt.   Try just
> allowing read, and dontaudit'ing the write permission.

That's right, it only needs read access. I've added:
  init_read_utmp(ftpd_t)
  init_dontaudit_write_utmp(ftpd_t)
to the module (picked from the policy sources).
 
> Macros aka interfaces are preferred, as they preserve
> modularity/encapsulation and thus make your module more portable to
> other base policies.

OK. I'll use sysnet_use_ldap to allow LDAP access then.

> I don't think you want to put it in /usr/share/selinux/targeted (as that
> could conflict in the future with the policy package), but I would
> suggest putting it under /usr/share/selinux/<packagename> or similar to
> keep all policy modules under that selinux tree, unless that also
> presents some kind of conflict problem?

Looks good to me, except I've placed it
in /usr/share/selinux/packages/<packagename> to avoid the base and targeted
dirs being buried under a ton of packages dirs in the future.

It's taking shape, but I have another problem. I run
  semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp
in the %post scriptlet to load the module, and I get this error:

libsemanage.semanage_commit_sandbox: Could not remove previous
backup /etc/selinux/targeted/modules/previous.
semodule:  Failed!

With this AVC in audit.log:

type=AVC msg=audit(1145025496.481:18267): avc:  denied  { rmdir } for 
pid=28069 comm="semodule" name="modules" dev=sda2 ino=1249868
scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir

And the module is not loaded.
Calling semodule outside the RPM scriptlet works fine.

Any idea? Should I use another command?


Thanks,

Aurélien
-- 
http://aurelien.bompard.org  ~~~~  Jabber : abompard at jabber.fr
Experience is something you acquire
just after you needed it.
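A minimal pureftpd.te that puts the pieces from this exchange together, added here as an illustration rather than the module Aurélien actually shipped; it assumes pure-ftpd runs in the base policy's ftpd_t domain (as the mail implies) and that the module is built against the reference policy interface headers:

```selinux
policy_module(pureftpd, 1.0)

# ftpd_t is defined by the base policy's ftp module, so this module
# only declares that it needs the type rather than defining it.
gen_require(`
    type ftpd_t;
')

# Session accounting: pure-ftpd only needs to read utmp. The utmp
# library opens it read-write first and falls back to read-only, so the
# write attempt is expected noise; dontaudit it rather than allow it.
init_read_utmp(ftpd_t)
init_dontaudit_write_utmp(ftpd_t)

# LDAP authentication backend: use the interface instead of raw allow
# rules against the LDAP types so the module stays portable across
# base policies.
sysnet_use_ldap(ftpd_t)
```

Built with the devel Makefile shipped by selinux-policy-devel (`make -f /usr/share/selinux/devel/Makefile pureftpd.pp`) and loaded with `semodule -i pureftpd.pp`; any access still missing shows up in audit.log as an avc denial with scontext ftpd_t, which is the signal to add another interface call rather than a raw allow rule.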
More information about the selinux mailing list