VSFTPD and SELinux on CentOS

by Mike on November 14, 2008 · 1 comment

in FTP Server, Uncategorized

There are five SELinux booleans that apply to VSFTPD and control what the daemon may do. Review them closely if you run SELinux, otherwise the daemon is denied access and you get errors.

allow_ftpd_anon_write --> permits writing files to directories labelled with the public_content_rw_t type
allow_ftpd_use_cifs --> permits the use of files that are shared via CIFS
allow_ftpd_use_nfs --> permits the use of files that are shared via NFS
ftp_is_daemon --> required when vsftpd runs as a standalone daemon
ftp_home_directory --> permits read and write access to user home directories

To turn these booleans on or off, use the setsebool command. Add the -P option if you want the change to persist across reboots; without -P the change is temporary and is lost at the next boot. Here is an example turning a boolean on permanently.

setsebool -P allow_ftpd_use_nfs 1

If you create a file called "file" in the /var/ftp/pub directory, this is what you see when you list it with the -Z option of ls.
# ls -Z /var/ftp/pub
-rw-r--r--  root root system_u:object_r:public_content_t file

As you can see, the root user created this file. After the owner and group come the three colon-separated SELinux fields. system_u is the SELinux user; it is the default for files created by the system.

object_r is the role. Files and directories always carry the object role.

The type, public_content_t, describes the nature of the data. In this case it is public read-only data by default.

If you want to allow users to write to the pub directory you need to change the context, and you can do that with the chcon command. Only the type field needs to change, so the SELinux user and role are left alone:
chcon -R -t public_content_rw_t /var/ftp/pub
The default contexts for the ftp directory are set in the file /etc/selinux/targeted/contexts/files/file_contexts. Be very careful when making changes in this file. Here is the entry for ftp.
/var/ftp(/.*)?  system_u:object_r:public_content_t:s0
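The two settings above (the allow_ftpd_anon_write boolean and the public_content_rw_t type on the upload directory) have to be in place together before an anonymous upload will succeed. The script below is an added example, not part of the original post: it parses the output of ls -Z and getsebool exactly as shown on this page, reports which of the two settings is still missing, and has one function that applies both permanently. The sample ls and getsebool lines are constructed to match the post's output, so the diagnosis runs on a machine without SELinux; only apply_fix touches the system, and its use of semanage fcontext and restorecon (instead of a bare chcon) is my choice so the type survives a relabel.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether SELinux will
# let anonymous FTP clients upload into a directory, and apply the two
# settings the post describes. Parsing and decision logic are pure POSIX
# shell; only apply_fix runs SELinux tools and needs root on the target.

# Pull the security context out of one line of `ls -Z` output, whatever
# column order the coreutils version uses: the context is the field that
# looks like user:role:type[:level].
context_of_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit }
    }'
}

# The third colon-separated field of a context is the type:
#   system_u:object_r:public_content_t:s0 -> public_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value ("on"/"off") from one line of `getsebool` output, e.g.
#   allow_ftpd_anon_write --> off
bool_value() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Report what is still missing for an anonymous upload. Prints "ok" or a
# space-separated list of problems; exit status is 0 only when ok.
diagnose() {
    ls_line=$1
    bool_line=$2
    problems=""
    [ "$(context_type "$(context_of_ls_line "$ls_line")")" = public_content_rw_t ] \
        || problems="$problems wrong-type"
    [ "$(bool_value "$bool_line")" = on ] \
        || problems="$problems boolean-off"
    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "${problems# }"
    return 1
}

# Apply both settings permanently (run as root on the SELinux host).
# The fcontext rule records the type in the policy so a relabel keeps it,
# which a bare chcon would not survive.
apply_fix() {
    dir=${1:-/var/ftp/pub}
    setsebool -P allow_ftpd_anon_write 1
    semanage fcontext -a -t public_content_rw_t "$dir(/.*)?"
    restorecon -R -v "$dir"
}

# Constructed sample input, matching the output shown in the post.
SAMPLE_LS='drwxr-xr-x  root root system_u:object_r:public_content_t /var/ftp/pub'
SAMPLE_BOOL='allow_ftpd_anon_write --> off'

# With --check, inspect the live system; otherwise run on the sample lines.
# A nonzero status from diagnose only means something is still missing.
if [ "${1:-}" = --check ]; then
    diagnose "$(ls -dZ "${2:-/var/ftp/pub}")" "$(getsebool allow_ftpd_anon_write)" || true
else
    diagnose "$SAMPLE_LS" "$SAMPLE_BOOL" || true
fi
```

Run without arguments it prints "wrong-type boolean-off" for the sample lines, which is exactly the state of a fresh /var/ftp/pub; with --check it reads the real directory and boolean. When both problems are reported, apply_fix is the repair, and after it runs ls -dZ should show public_content_rw_t and getsebool should show on.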

{ 1 comment }

Ian May 28, 2010 at 2:47 pm

I upgraded from CentOS 5.2 to 5.4. I found that vsftp would not allow anonymous logins to upload to my /var/ftp/pub dir. I tried the chcon suggested but get the following result:

[root@ppp1 pub]# chcon -R -u ser_u -t public_content_rw_t /var/ftp/pub
chcon: failed to change context of /var/ftp/pub to ser_u:object_r:public_content_rw_t: Invalid argument
[root@ppp1 pub]#

Any help or comments appreciated.
