There are five SELinux booleans that relate to vsftpd and control what the daemon is allowed to touch. If you run SELinux, evaluate them closely, otherwise SELinux will deny operations that vsftpd is otherwise configured to perform.
allow_ftpd_anon_write -> permits vsftpd to write files into directories labeled with the public_content_rw_t type (anonymous uploads).
allow_ftpd_use_cifs -> permits vsftpd to serve files that live on CIFS mounts.
allow_ftpd_use_nfs -> permits vsftpd to serve files that live on NFS mounts.
ftp_is_daemon -> must be on when vsftpd runs as a standalone daemon rather than under xinetd.
ftp_home_directory -> permits vsftpd to read and write in users' home directories.
To turn any of these booleans on or off, use the setsebool command; getsebool shows the current value. Add the -P option if you want the change written to the policy store so that it survives a reboot. Without -P the change is only in effect until the next boot. Here is an example turning a boolean on permanently.
setsebool -P allow_ftpd_use_nfs 1
If you create a file called "file" in the /var/ftp/pub directory, you will see the following when you list the directory with the -Z option, which adds the SELinux context to the normal permissions output.
# ls -Z /var/ftp/pub
-rw-r--r-- root root system_u:object_r:public_content_t file
As you can see, the root user created this file. After the owner and group come three SELinux fields separated by colons.
system_u:
The SELinux user. Files created by the system, or labeled from the default file contexts, carry system_u rather than the identity of whoever created them.
object_r
The role. Files and directories always carry the object_r role; roles only matter for processes.
public_content_t
The type, which describes the nature of the data. In this case it is public read-only content, the default for /var/ftp.
If you want anonymous users to upload into the pub directory, you need to change the type on that directory to public_content_rw_t (and turn on allow_ftpd_anon_write as shown above). You can change the type with the chcon command. There is no need to change the SELinux user, and ser_u is not a valid SELinux user, so chcon rejects it:
chcon -R -t public_content_rw_t /var/ftp/pub
Keep in mind that chcon only changes the label on disk; a relabel (restorecon, or a full relabel at boot) puts the directory back to the default type from the policy. To make the change permanent, record it with semanage fcontext and then run restorecon on the directory.
The default contexts for the ftp directory come from the file /etc/selinux/targeted/contexts/files/file_contexts. Do not edit this file by hand: it is generated from the policy and is overwritten when the policy package is updated, so local changes belong in file_contexts.local, which semanage fcontext maintains for you. Here is the entry for ftp.
/var/ftp(/.*)? system_u:object_r:public_content_t:s0
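The checks described above (the right type on the upload directory, plus the right boolean) are easy to get half right, and the failure only shows up as a denied upload. The following script is an added example, not part of the original post: it audits an anonymous-upload directory for both conditions. The decision logic is written as functions that take getsebool and context strings as text, so it can be exercised on any machine; audit_upload_dir wires those functions to the real getsebool and coreutils stat (whose %C format prints the SELinux context) and assumes the directory is /var/ftp/pub unless another path is given.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SELinux state an
# anonymous-upload vsftpd directory needs. The decision logic takes command
# output as text so it can be exercised without an SELinux host;
# audit_upload_dir wires it to the real getsebool and stat.

# Booleans the post lists for vsftpd; anonymous upload needs the first one on.
FTPD_BOOLEANS="allow_ftpd_anon_write allow_ftpd_use_cifs allow_ftpd_use_nfs"

# Print the type field of a context string user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read getsebool output on stdin (lines of "name --> on|off") and print each
# name in $1 that is reported off or does not appear at all.
booleans_off() {
    wanted="$1"
    states=$(cat)
    for b in $wanted; do
        state=$(printf '%s\n' "$states" | awk -v n="$b" '$1 == n { print $3 }')
        [ "$state" = "on" ] || printf '%s\n' "$b"
    done
}

# Anonymous upload needs both the public_content_rw_t type on the directory
# and allow_ftpd_anon_write on. $1 = directory context, $2 = boolean state.
# Prints "ok" and returns 0, or prints the first problem and returns 1.
upload_allowed() {
    ctx="$1"
    bool_state="$2"
    t=$(context_type "$ctx")
    if [ "$t" != "public_content_rw_t" ]; then
        printf 'type is %s, need public_content_rw_t\n' "$t"
        return 1
    fi
    if [ "$bool_state" != "on" ]; then
        printf 'allow_ftpd_anon_write is %s, need on\n' "${bool_state:-unknown}"
        return 1
    fi
    printf 'ok\n'
}

# Live check on an SELinux host (needs coreutils stat and policycoreutils).
audit_upload_dir() {
    dir="${1:-/var/ftp/pub}"
    ctx=$(stat -c %C "$dir")                          # %C = SELinux context
    state=$(getsebool allow_ftpd_anon_write | awk '{ print $3 }')
    upload_allowed "$ctx" "$state" || :
    getsebool -a | booleans_off "$FTPD_BOOLEANS" | sed 's/^/boolean off: /'
}

# Run the live audit only when asked, so sourcing the file stays side-effect free.
if [ "${1:-}" = "--live" ]; then
    audit_upload_dir "${2:-/var/ftp/pub}"
fi
```

Run it as `sh audit.sh --live /var/ftp/pub` on the FTP host. When it reports the wrong type, the persistent fix is `semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"` followed by `restorecon -R -v /var/ftp/pub`; when it reports the boolean off, `setsebool -P allow_ftpd_anon_write 1`. Both must be in place, and vsftpd itself still needs write_enable=YES and anon_upload_enable=YES in vsftpd.conf; SELinux only removes its own denial, it does not turn on uploads.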
{ 1 comment }
I upgraded from CentOS 5.2 to 5.4. I found that vsftp would not allow anonymous logins to upload to my /var/ftp/pub dir. I tried the chcon suggested but get the following result:
[root@ppp1 pub]# chcon -R -u ser_u -t public_content_rw_t /var/ftp/pub
chcon: failed to change context of /var/ftp/pub to ser_u:object_r:public_content_rw_t: Invalid argument
[root@ppp1 pub]#
Any help or comments appreciated.