How do I confine a compiled pure-ftpd daemon with SELinux
I compiled the latest version of pure-ftpd with LDAP and SSL support. Works fine. I'd like to confine the process using SELinux but I'm having a hard time. OS: CentOS 5 updated to 5.2, which I guess is the latest.
Pure-ftpd runs as root. I've found some rpms out there that have a pureftpd.pp policy file and installed the policy (semodule -i pureftpd.pp), but something is not running correctly. I don't get any error messages in audit.log and when I do a ps -ZC pure-ftpd it shows:
[root@ftp2 ~]# ps -ZC pure-ftpd
LABEL PID TTY TIME CMD
root:system_r:unconfined_t:SystemLow-SystemHigh 4122 ? 00:00:00 pure-ftpd
I don't think the policy file or the context that the process is running as is correct. I have used audit2allow to modify some local policies but this seems to not have the right context so I don't get error messages.
Yes, it works fine with SELinux disabled. It also works fine with SELinux enabled. I think the problem is the policy matches an rpm version (that's where I got the pureftpd.pp) and the version of pureftpd that I'm using is a compiled version -> 1.0.21.
Here's my configure options:
The pureftpd.pp (which RPM exactly?) is a "binary module" for SE Linux. It may or may not work. You could try building a policy yourself: install "selinux-policy-devel" and from that follow instructions running 'policygentool appname /path/to/binary'.
I didn't realize there was an rpm out there, same version as the compiled version I'm using:
pure-ftpd-1.0.21-15.el5.i386.rpm
pure-ftpd-selinux-1.0.21-15.el5.i386.rpm
I dumped my compiled version, which is the same version as above.
Works with LDAP, SSL.
I still had to tweak the policies using audit2allow and setsebool (ftp_home_dir --> on) to get auto create home directory to work, but everything is working fine now.
I did get the selinux-policy-devel package. I have some other servers with daemons that are not confined by SELinux. I will try to make policy packages with the development tools.
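The check from the first post (reading the domain out of ps -Z output), written as a reusable script. This is an added example and not part of the original thread. The function names, the inclusion of initrc_t in the list, and every sample line except the pure-ftpd one are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list processes whose SELinux domain indicates that no
# daemon-specific policy is confining them.
# Input on stdin: `ps -Z` style output (LABEL PID TTY TIME CMD).

# Domains treated as "not confined" (assumption; adjust to your policy).
UNCONFINED_DOMAINS="unconfined_t initrc_t"

# Sample input. The pure-ftpd line is the one quoted in the thread;
# the other two lines are constructed.
SAMPLE_PS='LABEL PID TTY TIME CMD
root:system_r:unconfined_t:SystemLow-SystemHigh 4122 ? 00:00:00 pure-ftpd
system_u:system_r:ftpd_t:s0 4200 ? 00:00:01 vsftpd
system_u:system_r:initrc_t:s0 4301 ? 00:00:00 mydaemon'

# Print the type (third colon-separated field) of a context string.
# A context is user:role:type:level; only the level may contain more colons.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read ps -Z output on stdin and print "PID CMD DOMAIN" for every process
# running in one of $UNCONFINED_DOMAINS.
find_unconfined() {
    while read -r label pid tty time cmd; do
        case $label in
            LABEL|'') continue ;;          # skip header and blank lines
        esac
        dom=$(selinux_type "$label")
        for d in $UNCONFINED_DOMAINS; do
            if [ "$dom" = "$d" ]; then
                printf '%s %s %s\n' "$pid" "$cmd" "$dom"
            fi
        done
    done
}

# Demo on the embedded sample; on a live system use: ps -eZ | find_unconfined
printf '%s\n' "$SAMPLE_PS" | find_unconfined
```

A daemon that shows up here has not transitioned into its own domain, so denials against the policy written for it never reach audit.log.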