VSFTPD and SELinux on CentOS

by Mike on November 14, 2008 · 1 comment

in FTP Server, Uncategorized

There are five SELinux booleans that apply to VSFTPD and offer protection. These must be evaluated closely if you are using SELinux so that you do not produce errors.
allow_ftpd_anon_write –> permits the writing of files to directories labeled with the public_content_rw_t type
allow_ftpd_use_cifs –> permits the use of files that are shared via CIFS
allow_ftpd_use_nfs –> permits the use of files that are shared via NFS
ftp_is_daemon –> required for the standalone daemon
ftp_home_directory –> permits read and write access to user home directories

If you want to enable or disable these booleans, use the setsebool command. Use the -P option if you want the change to persist across reboots; without -P the change is temporary and lasts only until the next boot. Here is an example turning an option on permanently.

setsebool -P allow_ftpd_use_nfs 1

If you create a file called “file” in the /var/ftp/pub directory you will see this when you review the SELinux settings with the -Z option.
# ls -Z /var/ftp/pub
-rw-r--r--  root root system_u:object_r:public_content_t file

As you can see the root user created this file. After the ownership you see the SELinux context, which is made up of three elements separated by colons:

system_u: the SELinux user. system_u is used here because it is the default for objects created by the system.

object_r: the role. Files and directories (objects) always carry the object_r role.

public_content_t: the type, which describes the nature of the data. In this case it is public read-only content by default.
If you wanted to allow users to write to the pub directory you would need to change the type of the context to public_content_rw_t (and turn on the allow_ftpd_anon_write boolean described above, since that is the boolean that permits writes to public_content_rw_t directories). You could change the type with the chcon command:
chcon -R -t public_content_rw_t /var/ftp/pub
The default settings for the ftp directory are set in the file /etc/selinux/targeted/contexts/files/file_contexts. Be very careful in making changes in this file. Here is the listing for ftp.
/var/ftp(/.*)?  system_u:object_r:public_content_t:s0
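The boolean and the directory type have to be checked together before anonymous uploads will work. The following script is an added example, not from the original post; it parses the output formats of `getsebool -a` and `ls -dZ` and runs offline on constructed sample output embedded in the script.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two SELinux settings that
# anonymous uploads to /var/ftp/pub depend on, the allow_ftpd_anon_write boolean
# and the public_content_rw_t type on the directory. The functions read command
# output from stdin so they run offline on the constructed samples below; on a
# real host feed them `getsebool -a` and `ls -dZ /var/ftp/pub` instead.

# Print "on" or "off" for one boolean ($1) from `getsebool -a` output (stdin).
bool_value() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3 }'
}

# Print the type field of a user:role:type[:level] context from an `ls -Z` line (stdin).
context_type() {
    awk '{ for (i = 1; i <= NF; i++) if (split($i, c, ":") >= 3 && c[2] ~ /_r$/ && c[3] ~ /_t$/) { print c[3]; exit } }'
}

# $1 = boolean value, $2 = directory type. Prints "ok" when SELinux would allow
# anonymous writes, otherwise the reason and the command that fixes it.
anon_upload_status() {
    if [ "$2" != "public_content_rw_t" ]; then
        echo "blocked: type $2, run: chcon -R -t public_content_rw_t /var/ftp/pub"
    elif [ "$1" != "on" ]; then
        echo "blocked: allow_ftpd_anon_write is $1, run: setsebool -P allow_ftpd_anon_write 1"
    else
        echo "ok"
    fi
}

# Constructed sample output (not captured from a real host): the default state
# from the post, where the directory is still public_content_t and the boolean is off.
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> on'
SAMPLE_LS='drwxr-xr-x  root root system_u:object_r:public_content_t:s0 /var/ftp/pub'

# Run the audit over the samples and print the resulting status line.
audit_sample() {
    b=$(printf '%s\n' "$SAMPLE_BOOLS" | bool_value allow_ftpd_anon_write)
    t=$(printf '%s\n' "$SAMPLE_LS" | context_type)
    anon_upload_status "$b" "$t"
}

audit_sample
```

On the sample state the audit reports the directory type first, because fixing the boolean alone would still leave uploads blocked by the public_content_t label.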

{ 1 comment }

Ian May 28, 2010 at 2:47 pm

I upgraded from CentOS 5.2 to 5.4. I found that vsftp would not allow anonymous logins to upload to my /var/ftp/pub dir. I tried the chcon suggested but get the following result:

[root@ppp1 pub]# chcon -R -u ser_u -t public_content_rw_t /var/ftp/pub
chcon: failed to change context of /var/ftp/pub to ser_u:object_r:public_content_rw_t: Invalid argument
[root@ppp1 pub]#

Any help or comments appreciated.
