VSFTPD and SELinux

As security issues continue to rise, new strategies for security are imperative. This is especially true for servers and networked computers, because of the cost of a downed server and of workstations that can no longer function. SELinux, or Security Enhanced Linux, was developed by the US National Security Agency to address the increased need for security on servers and for confining the daemons that run on them. SELinux integrates its security architecture into the kernel using the Linux Security Modules (LSM) framework.
There are a number of SELinux booleans that apply to VSFTPD. You can list all of them with this command:
getsebool -a | grep ftpd
allow_ftpd_anon_write --> permits writing files to directories labelled with the public_content_rw_t type
allow_ftpd_use_cifs --> permits the use of files that are shared via CIFS
allow_ftpd_use_nfs --> permits the use of files that are shared via NFS
ftp_is_daemon --> required when vsftpd runs as a standalone daemon
ftp_home_directory --> permits read and write access to user home directories
To turn these settings on or off, use the setsebool command. Use the -P option if you want the change to persist across reboots; without -P the change is temporary and lasts only until the next boot. Here is an example turning an option on permanently:
setsebool -P allow_ftpd_use_nfs 1
If you create a file called "file" in the /var/ftp/pub directory, you will see the following when you review its SELinux context with the -Z option:
# ls -Z /var/ftp/pub
-rw-r--r-- root root system_u:object_r:public_content_t file
As you can see, the root user created this file. The context that follows has three elements separated by colons:
system_u: the SELinux user. system_u is used because it is the default for objects created by the system.
object_r: the role. Files and directories always carry the object role, object_r.
public_content_t: the type, which describes the nature of the data. In this case it is public read-only content, the default for the FTP tree.
If you want to allow users to write to the pub directory, you need to change its type. You can do that with the chcon command; -u sets the SELinux user and -t sets the type, and -R applies the change recursively:
chcon -R -u user_u -t public_content_rw_t /var/ftp/pub
The new type alone is not enough for uploads: as listed above, the allow_ftpd_anon_write boolean must also be on before vsftpd may write to a public_content_rw_t directory.
The default contexts for the ftp directory are set in the file /etc/selinux/targeted/contexts/files/file_contexts. Be very careful when making changes in this file. Here is the entry for ftp:
/var/ftp(/.*)? system_u:object_r:public_content_t:s0
Note that a filesystem relabel restores the contexts listed in this file, so a type changed only with chcon will not survive it.
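As an added example that is not part of the lesson, the following POSIX shell audit applies the rule the lesson gives: an entry under the FTP tree is writable by anonymous users only when its type is public_content_rw_t and the allow_ftpd_anon_write boolean is on. The getsebool and ls -Z output it reads are constructed so it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added audit example, not code from the lesson. It checks the lesson's rule:
# anonymous FTP writes need BOTH the public_content_rw_t type on the directory
# AND the allow_ftpd_anon_write boolean. Input below is constructed; on a live
# host feed it `getsebool -a | grep ftpd` and `ls -Z /var/ftp/pub` instead.

# Constructed output in the format of `getsebool -a | grep ftpd`.
GETSEBOOL_OUT='allow_ftpd_anon_write --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> on
ftp_home_directory --> off
ftp_is_daemon --> on'

# Constructed output in the format of `ls -Z`: mode user group context name.
LS_Z_OUT='-rw-r--r-- root root system_u:object_r:public_content_t:s0 file
drwxr-xr-x root root system_u:object_r:public_content_rw_t:s0 upload
-rw-r--r-- root root system_u:object_r:var_t:s0 stray'

# bool_state NAME -> prints "on" or "off" (empty if the boolean is unknown).
bool_state() {
    printf '%s\n' "$GETSEBOOL_OUT" | awk -v n="$1" '$1 == n { print $3 }'
}

# context_type CONTEXT -> the type, i.e. the third colon-separated field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# anon_writable TYPE -> succeeds only when the type is public_content_rw_t
# AND allow_ftpd_anon_write is on; either condition alone is not enough.
anon_writable() {
    [ "$1" = public_content_rw_t ] &&
        [ "$(bool_state allow_ftpd_anon_write)" = on ]
}

# audit_tree -> prints "NAME TYPE STATE" for every entry in LS_Z_OUT.
audit_tree() {
    printf '%s\n' "$LS_Z_OUT" | while read -r _mode _user _group ctx name; do
        t=$(context_type "$ctx")
        case "$t" in
            public_content_t)    state=read-only ;;
            public_content_rw_t) if anon_writable "$t"; then state=writable
                                 else state=rw-type-but-boolean-off; fi ;;
            *)                   state=unexpected-type ;;  # not an FTP content type
        esac
        printf '%s %s %s\n' "$name" "$t" "$state"
    done
}

audit_tree
```

An entry reported as unexpected-type is one that a relabel from file_contexts would reset, and one reported as rw-type-but-boolean-off is labelled for uploads but still blocked by policy.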
Copyright CyberMontana Inc. and BeginLinux.com