The purpose of SELinux is to allow only the access that is needed. This indeed goes beyond FTP, but it is also important for servers likely to be accessed from the (big bad) internet. Internal servers are less likely to be hacked (the main purpose of SELinux is to prevent processes from getting access that they do not need to function properly).
You can do a number of things:
- Decide that SELinux is way too secure for an internal server and disable it. No more hassle; you are left with a standard Linux server most people can work with.
- Relocate /var/www to a location that ftp can access by default.
- Create a different context for the /var/www location that ftp can access.
- Possibly the easiest: allow ftp to access outside its own context.
Rebooting isn't necessary, as you can indeed put SELinux into permissive mode. It only creates a lot of AVC errors in /var/log/audit/audit.log (as it logs what would have been denied by SELinux, whereas when disabled, it wouldn't log at all). For the long term, any of the solutions above would suffice.
Option 1 is easy, as I described above.
Option 2 is a bit more tricky, as SELinux (afaik) does not provide a default location where both apache and vsftpd can have (read/write) access, not by default, that is.
Option 3 is possible using semanage, e.g. 'semanage fcontext -a -t public_content_rw_t "/var/www(/.*)?"' to enable write. I don't know if FTP has write access to this context; it could be another type you need. Read option 4.
Option 4 would be my favorite. Try 'setsebool -P allow_ftpd_full_access 1' and see what happens. This boolean enables the ftp server to access files (r/w) outside the default locations. To verify, make sure SELinux is enforced or watch /var/log/audit/audit.log closely.
Hope this helps.
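For the "watch /var/log/audit/audit.log closely" step, a small summarizer of FTP-daemon denials helps when permissive mode floods the log. This is an added example, not part of the original post; the function names and the sample records are constructed, and it assumes vsftpd runs in the ftpd_t domain as in the targeted policy.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials raised by the FTP daemon.

# Constructed sample records (not from a real host). The last two lines
# must be ignored: one is another domain, one is not an AVC record.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1300000000.101:510): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="www" dev=dm-0 ino=1311 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1300000004.220:511): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="html" dev=dm-0 ino=1312 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1300000009.007:512): avc:  denied  { create } for  pid=2101 comm="vsftpd" name="index.html" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1300000012.450:513): avc:  denied  { read } for  pid=1800 comm="httpd" name="notes" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300000012.450:513): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
EOF
}

# Read audit records on stdin and print one line per distinct denial:
#   <count> <target type> <object class> <permissions>
# Only AVC denials whose source context is in the ftpd_t domain are counted.
summarize_ftpd_avc() {
    awk '
    /type=AVC/ && / denied / && /scontext=[^ ]*:ftpd_t:/ {
        # Permissions are the words between "{ " and " }".
        perms = $0
        sub(/^.*[{] /, "", perms)
        sub(/ [}].*$/, "", perms)
        ttype = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            # tcontext is user:role:type:level, so the type is field 3.
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        seen[ttype " " tclass " " perms]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

# On a real host (as root): summarize_ftpd_avc < /var/log/audit/audit.log
sample_audit_log | summarize_ftpd_avc
```

An empty result after the change, with SELinux enforcing and an upload attempted, means the FTP daemon is no longer being denied; any remaining lines show which target type and permission still need attention.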