next up previous contents
Next: 8 Specification of simplified Up: 7 Example Previous: 7 Example   Contents

Subsections

7.1 Configuring vsftpd

As an example of configuration of daemon, let's configure vsftpd using simplified policy. In this example, configure Anonymous ftp access.
By default, the domain of vsftpd is initrc_t . initrc_t is a domain for scripts under /etc/rc.d . vsftpd is executed by /etc/rc.d/init.d/vsftpd(the domain is initrc_t) and inherits the domain.
However, this is not secure. Because initrc_t has a lots of access rights(see /etc/selinux/seedit/src/policy/simplified_policy/initrc_t.a ).
In following current directory is /etc/selinux/seedit/src/policy, and permissive mode
login: root
....
# newrole -r sysadm_r
# id -Z
root:sysadm_r:sysadm_t
# cd  /etc/selinux/seedit/src/policy
# setenforce 0
And for detail of syntax, see 8 .

7.1.1 Create domain for vsftpd

Let's give vftpd vsftpd_t domain.
  1. Create configuration file
    Create simplified_policy/vsftpd_t.a .
  2. Configure domain transition
    In simplified_policy/vsftpd_t.a write following.
    # simplified_policy/vsftpd_t.a
    {
    domain vsftpd_t;
    domain_trans initrc_t /usr/sbin/vsftpd;
    }
    

    In line 2, you've defined domain vsftpd_t. In line 3, you've configured domain transition, parent domain is initrc_t, entry point is /usr/sbin/vsftpd.

7.1.2 Test domain transition

When you edit configuration, you must use make command to indicate kernel change of configuration(See 5.3). In this case, type as below.
# make diffrelabel
Usually make diffrelabel is enough.
Restart vsftpd and check the domain of vsftpd.
# /etc/init.d/vsftpd restart
# ps -eZ
...
root:system_r:vsftpd_t          13621 pts/1    00:00:00 vsftpd
...
You can see that the domain of vsftpd is vsftpd_t. Domain transition is successful.

7.1.3 Protect files related to vsftpd

Protect files related to vsftpd
If you want to protect files related to domain, the best way is deny in global. In this case, let's protect /etc/vsftpd and /var/ftp. Add following in simplified_policy global. Note you have to add between { and }.
# In simplifed_policy/global
deny /etc/vsftpd;
deny /var/ftp;
And
# make diffrelabel
As a result, if some domain want to access /etc/vsftpd and /var/ftp, it must be allowed explicitly. e.g: If httpd_t want to read /etc/vsftpd, allow /etc/vsftpd r; must be described in httpd_t, if allow /etc r; is described, access to /etc/vsftpd is not allowed. deny is useful to mark important files.

7.1.4 Give access rights to vsftpd_t

The default access right for vsftpd_t is inherited from simplified_policy/global. It is not enough, you have to add configuration. The best way to know what is necessary is to test vsftpd on permissive mode and see SELinux log(The process is skipped in this document..). Below is a policy for vsftpd_t.
# simplifed_policy/vsftpd_t.a
     1  {
     2  domain vsftpd_t;
     3  domain_trans initrc_t /usr/sbin/vsftpd;
     4  # access to files related to vsftpd
     5  allow /etc/vsftpd r,s;
     6  allow /var/ftp r,s;
     7  allowonly /var/log r,w,s;
     8  # allow to communicate with syslog
     9  allow dev_log_t r,w,s;
    10  allowcom -unix syslogd_t;
    11  # allow to use tcp 20 and 21
    12  allownet;
    13  allownet -connect;
    14  allownet -tcp -port 20;
    15  allownet -tcp -port 21;
    16  #
    17  allowadm chroot;
    18  }
After writing this,
# make diffrelabel
Let's review the file.

7.1.5 Give access rigths to initrc_t

initrc_t is a type for start up script(/etc/init.d/vsftpd). This requires read access to /etc/vsftpd. But access to this file is denied in global, so you have to allow explicitly.
#add to simplified_policy/initrc_t.a
allow /etc/vsftpd r,s;
Then,
# make diffrelabel

7.1.6 Test again

Test in permissive mode and see access log. If no deny is outputted, then test in enforcing mode.


next up previous contents
Next: 8 Specification of simplified Up: 7 Example Previous: 7 Example   Contents
2005-09-01