From 074fd22d01ca3ba8c6a4d00c25ae8b02dc6170f1 Mon Sep 17 00:00:00 2001
From: Aurelien Bompard
Date: May 14 2006 17:35:26 +0000
Subject: - add SELinux support - prevent the init script from displaying the config on startup
---
diff --git a/pure-ftpd.README.SELinux b/pure-ftpd.README.SELinux
new file mode 100644
index 0000000..fc9d98c
--- /dev/null
+++ b/pure-ftpd.README.SELinux
@@ -0,0 +1,30 @@
+=============================
+SELinux support for Pure-FTPd
+=============================
+
+With this package, Pure-FTPd is now protected in the same way VSFTPd and
+ProFTPd are in Fedora.
+
+Read Access
+-----------
+To allow files to be accessed by Pure-FTPd, you need either :
+- to place them in /var/ftp
+- to label them with the public_content_t. To do that, you can use::
+ chcon -t public_content_t file_to_publish
+
+Write Access
+------------
+If you wish to grant write access, you have to use the public_content_rw_t
+type, for example with this command::
+ chcon -t public_content_rw_t file_to_publish
+and you have to turn on the allow_ftpd_anon_write boolean using
+system-config-securitylevel, or using the following command::
+ setsebool -P allow_ftpd_anon_write 1
+
+Access to home directories
+--------------------------
+If you want to publish files in a user's home directory, you have to turn
+on the ftp_home_dir boolean, using system-config-securitylevel, or using
+the following command::
+ setsebool -P ftp_home_dir 1
+
diff --git a/pure-ftpd.init b/pure-ftpd.init
index b568876..b057da9 100644
--- a/pure-ftpd.init
+++ b/pure-ftpd.init
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Startup script for the pure-ftpd FTP Server $Revision: 1.3 $
+# Startup script for the pure-ftpd FTP Server $Revision: 1.4 $
 #
 # chkconfig: - 85 15
 # description: Pure-FTPd is an FTP server daemon based upon Troll-FTPd
@@ -30,7 +30,7 @@ pure_launch_script=/usr/sbin/pure-config.pl
 start() {
 echo -n $"Starting $prog: "
- daemon $pure_launch_script $pure_config --daemonize
+ daemon "$pure_launch_script $pure_config --daemonize > /dev/null"
 RETVAL=$?
 [ $RETVAL = 0 ] && touch /var/lock/subsys/pure-ftpd
 echo
diff --git a/pure-ftpd.pureftpd.te b/pure-ftpd.pureftpd.te
new file mode 100644
index 0000000..76b9e70
--- /dev/null
+++ b/pure-ftpd.pureftpd.te
@@ -0,0 +1,25 @@
+policy_module(pureftpd, 1.0)
+
+require {
+ type ftpd_t;
+};
+
+# Read /var/run/utmp
+init_read_utmp(ftpd_t)
+init_dontaudit_write_utmp(ftpd_t)
+
+### Allow connect to mysql
+# Network connect
+corenet_tcp_connect_mysqld_port(ftpd_t)
+# Socket file connect
+mysql_stream_connect(ftpd_t);
+mysql_rw_db_sockets(ftpd_t)
+
+### Allow connect to postgresql
+# Network connect
+corenet_tcp_connect_postgresql_port(ftpd_t)
+# Socket file connect
+postgresql_stream_connect(ftpd_t)
+
+# Allow connect to ldap
+sysnet_use_ldap(ftpd_t)
diff --git a/pure-ftpd.spec b/pure-ftpd.spec
index 18d2cef..cf2f9e6 100644
--- a/pure-ftpd.spec
+++ b/pure-ftpd.spec
@@ -1,6 +1,6 @@
 Name: pure-ftpd
 Version: 1.0.21
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Lightweight, fast and secure FTP server
 Group: System Environment/Daemons
@@ -12,6 +12,8 @@ Source2: pure-ftpd.logrotate
 Source3: pure-ftpd.xinetd
 Source4: pure-ftpd.pure-ftpwho.pam
 Source5: pure-ftpd.pure-ftpwho.consoleapp
+Source6: pure-ftpd.README.SELinux
+Source7: pure-ftpd.pureftpd.te
 Patch0: pure-ftpd-1.0.21-config.patch
 Patch1: pure-ftpd-1.0.20-libdir.patch
 Provides: ftpserver
@@ -21,6 +23,7 @@ BuildRequires: pam-devel, perl, python, libcap-devel
 %{!?_without_mysql:BuildRequires: mysql-devel}
 %{!?_without_pgsql:BuildRequires: postgresql-devel}
 %{!?_without_tls:BuildRequires: openssl-devel}
+BuildRequires: selinux-policy
 Requires(post): chkconfig
 Requires(preun): chkconfig, initscripts
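Review bot: `> /dev/null` inside the quoted `daemon` argument silences only stdout, so anything pure-config.pl prints to stderr still reaches the console; if keeping config errors visible is the intent, say so with a comment above the line, e.g. `# redirect inside the quoted command: hides the launcher's echo of the config, keeps stderr and daemon's own status output`. Since `daemon` presumably hands the whole string to a second shell, the already-expanded value of `$pure_config` is re-parsed there, so a path containing whitespace or shell metacharacters would now break where the unquoted form merely word-split it; a note at the `pure_config` assignment would make that constraint explicit. `start()` opens in this hunk but its closing brace lies outside it.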
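Review bot: Every rule here is granted to ftpd_t, the domain vsftpd and proftpd already run in, so loading this module also lets those daemons reach the MySQL, PostgreSQL and LDAP ports and sockets, and it does so regardless of whether pure-ftpd was built `--without mysql` or `--without pgsql`. That scope deserves a header comment after `policy_module(pureftpd, 1.0)`, e.g. `# NOTE: ftpd_t is shared with other FTP daemons; the database/ldap rules below widen them as well`, and the database rules are natural candidates for a tunable (`gen_tunable`/`tunable_policy`) so sites not using SQL authentication can leave them off. The trailing semicolon on `mysql_stream_connect(ftpd_t);` is inconsistent with every other interface call in the file; drop it unless the build is known to tolerate it.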
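Review bot: `BuildRequires: selinux-policy` covers the reference policy headers, but the module is compiled with `%{_datadir}/selinux/devel/Makefile`, which drives checkmodule and semodule_package, so the build also depends on `checkpolicy` and `policycoreutils` unless selinux-policy is known to pull them in on the target release; confirm as well that this release ships the devel Makefile in selinux-policy rather than a -devel subpackage. A conditional in the style of the three lines above it, `%{!?_without_selinux:BuildRequires: selinux-policy}`, would keep the package buildable where the policy tooling is unavailable.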
@@ -45,10 +48,28 @@ Rebuild switches:
 --without tls disable SSL/TLS
+%package selinux
+Summary: SELinux support for Pure-FTPD
+Group: System Environment/Daemons
+Requires: %{name} = %{version}
+Requires(post): policycoreutils, initscripts, %{name}
+Requires(preun): policycoreutils, initscripts, %{name}
+Requires(postun): policycoreutils
+
+%description selinux
+This package adds SELinux enforcement to Pure-FTPD. Install it if you want
+Pure-FTPd to be protected in the same way other FTP servers are in Fedora
+(e.g. VSFTPd and ProFTPd)
+
+
+
 %prep
 %setup -q
 %patch0 -p0 -b .config
 %patch1 -p0 -b .libdir
+cp -p %{SOURCE6} README.SELinux
+mkdir selinux
+cp -p %{SOURCE7} selinux/pureftpd.te
 %build
@@ -83,6 +104,7 @@ Rebuild switches:
 make %{?_smp_mflags}
+
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -135,13 +157,22 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/pure-ftpwho
 install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/security/console.apps/pure-ftpwho
 ln -s consolehelper $RPM_BUILD_ROOT%{_bindir}/pure-ftpwho
+# SELinux support
+cd selinux
+echo "%{_sbindir}/pure-ftpd system_u:object_r:ftpd_exec_t:s0" > pureftpd.fc
+echo '%{_localstatedir}/log/pureftpd.log system_u:object_r:xferlog_t:s0' >> pureftpd.fc
+touch pureftpd.if
+make -f %{_datadir}/selinux/devel/Makefile
+install -p -m 644 -D pureftpd.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/pureftpd.pp
+
+
 %clean
 rm -rf $RPM_BUILD_ROOT
 %post
-if [ "$1" -le "1" ]; then
+if [ "$1" -le "1" ]; then # fist install
 /sbin/chkconfig --add pure-ftpd
 fi
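Review bot: `Requires: %{name} = %{version}` omits the release, so a selinux subpackage from one build can be installed next to a main package from another; the file contexts are generated at build time from `%{_sbindir}` and `%{_localstatedir}` paths that must match what that main package lays down, so pin it as `Requires: %{name} = %{version}-%{release}`. `Requires(post)` and `Requires(preun)` repeat `%{name}`, which the plain `Requires` already guarantees. The Summary and description alternate between `Pure-FTPD` and `Pure-FTPd`, and the description's closing line `(e.g. VSFTPd and ProFTPd)` lacks a period; use one spelling throughout.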
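Review bot: The policy module is compiled inside %install (`cd selinux` followed by `make -f %{_datadir}/selinux/devel/Makefile`), and the `cd` is never undone, so any line appended to %install later runs from `selinux/`; compiling belongs in %build, leaving %install with just the `install -D` of the resulting `.pp`, as sketched below. The generated `.fc` labels only the binary (`ftpd_exec_t`) and `%{_localstatedir}/log/pureftpd.log` (`xferlog_t`); a comment naming which paths are deliberately left to the base ftp policy (config, pid and lock files, `/var/ftp`) would keep a later path change from being missed. `install -D` also creates `%{_datadir}/selinux/packages/%{name}`, which `%files selinux` should own with a `%dir` entry. The new `%post` comment `# fist install` should read `# first install`; the same typo appears as `# Fist install` in `%post selinux`.
```rpmspec
%build
# … unchanged: configure and make %{?_smp_mflags} …
# SELinux policy module: compile here, leave %install to copying the result
(cd selinux && \
 echo "%{_sbindir}/pure-ftpd system_u:object_r:ftpd_exec_t:s0" > pureftpd.fc && \
 echo '%{_localstatedir}/log/pureftpd.log system_u:object_r:xferlog_t:s0' >> pureftpd.fc && \
 touch pureftpd.if && \
 make -f %{_datadir}/selinux/devel/Makefile)

%install
# … unchanged: main package install, pure-ftpwho symlink …
# SELinux support
install -p -m 644 -D selinux/pureftpd.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/pureftpd.pp
```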
@@ -151,12 +182,35 @@ if [ "$1" -lt "1" ]; then
 /sbin/chkconfig --del pure-ftpd
 fi
-%postun
+%postun
 if [ "$1" -ge "1" ]; then
 /sbin/service pure-ftpd condrestart > /dev/null 2>&1
 fi
+%post selinux
+if [ "$1" -le "1" ]; then # Fist install
+ semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp 2>/dev/null || :
+ fixfiles -R pure-ftpd restore
+ /sbin/service pure-ftpd condrestart > /dev/null 2>&1
+fi
+
+%preun selinux
+if [ "$1" -lt "1" ]; then # Final removal
+ semodule -r pureftpd 2>/dev/null || :
+ fixfiles -R pure-ftpd restore
+ /sbin/service pure-ftpd condrestart > /dev/null 2>&1
+fi
+
+%postun selinux
+if [ "$1" -ge "1" ]; then # Upgrade
+ # Replaces the module if it is already loaded
+ semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp 2>/dev/null || :
+ # no need to restart the daemon
+fi
+
+
+
 %files
 %defattr(-, root, root, -)
 %doc FAQ THANKS README.Authentication-Modules README.Virtual-Users README
@@ -177,7 +231,17 @@ fi
 %dir /var/ftp/
+%files selinux
+%defattr(-, root, root, -)
+%doc README.SELinux
+%{_datadir}/selinux/packages/%{name}/pureftpd.pp
+
+
 %changelog
+* Sun May 14 2006 Aurelien Bompard 1.0.21-4
+- add SELinux support
+- prevent the init script from displaying the config on startup
+
 * Sun Apr 09 2006 Aurelien Bompard 1.0.21-3
 - fix mysql socket location (bug 188426)
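Review bot: `semodule -i … 2>/dev/null || :` in `%post selinux` (and again in `%postun selinux`) discards both the exit status and the diagnostics, so a module that fails to load leaves the package installed with no trace while `fixfiles -R pure-ftpd restore` and the `condrestart` still run as if the policy were active. Keep the `|| :` so the transaction completes, but let the failure be seen: `semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp || echo "pure-ftpd: SELinux module not loaded" >&2`. In `%preun selinux`, the relabel after `semodule -r pureftpd` is presumably what returns `%{_sbindir}/pure-ftpd` to the base policy's default context so the daemon no longer starts confined; a comment stating that expectation, e.g. `# relabel: with the module gone pure-ftpd falls back to the base policy's context`, would document why the restart follows. The `# no need to restart the daemon` remark in `%postun selinux` relies on the replaced module applying to the running process immediately; that assumption is worth stating in the comment.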