LinuxQuestions.org


swpr 06-24-2006 11:27 AM

selinux with vsftpd and httpd
 
Hi,

I'm setting up a FedoraCore5 server and I want to give my friends access to their own virtual web sites.

I've configured httpd okay, serving out of their home directories. I want to also give them FTP access so they can upload their content.

I've installed vsftpd and had it working okay with chroot jail to prevent them going outside their home dir. I've also set their shell to /sbin/nologin so they cannot ssh onto the box.

My problem is getting httpd and vsftpd working at the same time.

I've done
setsebool -P ftp_home_dir 1
so that I can make dirs when ftping.

I've done
chcon -R -h -t httpd_sys_content_t /home/myuser/public_html
so that httpd can serve the html content.

I think though that this last step stops me from being able to FTP now. Is there an easy way to give httpd and vsftpd access to the same directory at the same time?

(I don't know much about SELinux)

w3bd3vil 06-24-2006 12:53 PM

I am assuming you have only two users on the system. One's you.
You could just enable "local_enable=YES" in the vsftpd.conf file and set the virtual host directory in the httpd.conf as the home directory of the user.
So whenever the guy logs on he goes to /home/us3r/ but cannot log in to the shell as he has /sbin/nologin.

swpr 06-26-2006 07:13 AM

Thanks for the response, but I have the web server and ftp server set up fine - the web root is the <user home directory>/public_html and the ftp server chroot() jails them to their home.

My problem has been with SELinux and allowing both httpd and ftpd access to the content in the user home at the same time.

I can do it independently, i.e. I can get vsftpd working okay, but then when I give httpd access using
chcon -R -h -t httpd_sys_content_t /home/blah/public_html
then vsftpd is denied.

and vice versa.

The only solution I have for now is to disable SELinux for ftpd using
setsebool -P ftpd_disable_trans 1

Then I can get both working at the same time.

Not knowing SELinux I would have thought I could cumulatively add permissions to a directory. That is, permit httpd and then add ftpd so they both had access.

Thanks.
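
Added example, not part of any post in this thread: SELinux gives each file a single type and decides access per (process domain, file type) pair, so the audit log shows which daemon was denied on which label. This sh/awk sketch summarises AVC denials from constructed sample records; the function names, the user_home_t label and all pids, inodes and timestamps are assumptions for illustration.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials by (source domain, target type).
# On a live host, feed it the AVC lines from the audit log instead.

# Constructed sample records (pids, inodes, timestamps are made up).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1151323980.101:41): avc:  denied  { write } for  pid=2301 comm="vsftpd" name="public_html" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1151323981.214:42): avc:  denied  { add_name } for  pid=2301 comm="vsftpd" name="index.html" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1151324100.007:57): avc:  denied  { getattr } for  pid=1988 comm="httpd" name="index.html" dev=dm-0 ino=98320 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1151324100.007:57): arch=40000003 syscall=195 success=no exit=-13
EOF
}

# Print: <domain> <target type> <class> <permissions> <count>, sorted.
avc_summary() {
    awk '
    /avc: +denied/ {
        src = tgt = cls = perms = ""
        # Permissions are the words between the braces.
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type[:level]; field 3 is the type.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "") next
        key = src " " tgt " " cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if ((key, p[j]) in seen) continue
            seen[key, p[j]] = 1
            sep = (list[key] == "") ? "" : ","
            list[key] = list[key] sep p[j]
        }
        count[key]++
    }
    END { for (k in count) print k, list[k], count[k] }
    ' | sort
}

sample_avc | avc_summary
```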

vimal 06-26-2006 04:34 PM

Hello swpr,

You don't need to enable SELinux for your configuration to work. Your configuration will work fine and all the restrictions will get imposed. The FTP default login directory can be set in the vsftpd.conf file and the HTTP login folder can be done as you have configured.

Thanks..

swpr 06-28-2006 05:49 AM

I know I don't *need* SELinux, but I can get them both running one at a time, but not both together - am I not explaining this clearly enough?

I shouldn't have to fully disable SELinux to allow ftpd and httpd access to the same directory, should I? It should be real simple to allow both processes access to this one directory.

I've seen a lot of comments on the web about how hard SELinux is, and how everyone just seems to turn it off because they can't figure out how to make it play nice, so that's what I'm going to have to do.


All times are GMT -5.