Why is SELinux blocking my FTP uploads?
I've set up a box with CentOS 6.3, Apache, PHP, MySQL, and Vsftpd to learn on in a LAN in my home.
Here's my problem: When I try to upload a test file to the /var/www/html/ folder via ftp, FileZilla reports: "553 could not create file. Critical file transfer error". However, when I disable SELinux with
Code:
setenforce 0
Code:
setenforce 1
It may help to note that I can write to this folder when logged in locally to CentOS using the same user/password combo for Terminal/GNOME that I use with FileZilla remotely; I just can't do it via FTP if SELinux is enabled. Any idea how I can keep SELinux enabled and still allow me the FTP access I want? If it helps the diagnosis, here is my
Code:
sestatus
Code:
SELinux status: enabled
Quote:
Code:
abrt_anon_write --> off
Any suggestions? |
Well it's going to come down to the selinux attributes of the directory/files you are trying to upload to or overwrite.
Run an ls -z to see its attributes. Then we can work from there and turn on or off the attributes that are causing the problems.
---------- Post added 01-14-13 at 01:17 PM ----------
http://docs.fedoraproject.org/en-US/...ing_Files.html
http://www.centos.org/docs/5/html/De...pter-0017.html |
Quote:
Run an ls -z to see its attributes. Then we can work from there and turn on or off the attributes that are causing the problems
Here are the permissions for the /var/www/ folder
Code:
drwxrwxr-x. 6 apache apache 4096 Jan 12 06:40 .
Code:
drwxrwxr-x. 2 apache apache 4096 Jan 14 12:04 . |
That is your file permissions output, not your selinux context output. I believe it is a capital -Z, so that was my mistake in my original post.
Post the output of an ls passing the -Z option to see the selinux context. |
Here is
Code:
[root@localhost www]# ls -Z
drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 cgi-bin
Code:
-rwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 info.php |
You can do some searching for "vsftpd selinux content" and I would highly recommend it before changing anything so you can understand what you're dealing with here, but if you run this command in the directory you should be ok to access it via FTP with selinux enabled.
Code:
/usr/sbin/setsebool -P ftp_home_dir=1 |
Actually, I did come across
Code:
/usr/sbin/setsebool -P ftp_home_dir=1
I've also seen
Quote:
Code:
/usr/sbin/setsebool -P ftp_home_dir=on
I also tried rebooting in case SELinux needed to restart after changes, but no joy. What next? (I really appreciate your time by the way...) |
Code:
setsebool -P allow_ftpd_full_access=1
This will give FULL access to the ftp daemon throughout the file system. Since the directories are running your apache sites it's best not to mess with the user context as it could prevent apache from having proper access to the files.
---------- Post added 01-14-13 at 04:47 PM ----------
The previous suggestion about the ftp_home_dir allows the ftp connection for the user to reach their home directory, so unless your user has a home directory of /var/www/ it wouldn't work; I just wanted to make sure that wasn't a part of the issue. |
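As an added illustration (not code from the thread) of how to audit the booleans the replies above mention: the script below reads a constructed `getsebool -a` listing and flags the case where allow_ftpd_full_access is on, the over-broad setting the reply warns about, as opposed to the narrower ftp_home_dir option. Boolean names other than those in the thread (allow_ftpd_anon_write, allow_ftpd_use_cifs, httpd_enable_cgi) are assumed from the CentOS 6 targeted policy; on a real host, replace SAMPLE_GETSEBOOL with the actual `getsebool -a` output.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output (not from the thread); names other
# than those discussed in the thread are assumed from the CentOS 6 targeted policy.
SAMPLE_GETSEBOOL='abrt_anon_write --> off
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
ftp_home_dir --> off
httpd_enable_cgi --> on'

# Print "name state" for every boolean whose name matches the ERE given in $2.
list_booleans() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ pat && $2 == "-->" { print $1, $3 }'
}

# Classify the ftp daemon's reach: "broad" when allow_ftpd_full_access is on
# (vsftpd may then touch anything its Unix uid can), "narrow" otherwise.
ftp_scope() {
    state="$(list_booleans "$1" '^allow_ftpd_full_access$' | awk '{ print $2 }')"
    if [ "$state" = "on" ]; then
        echo broad
    else
        echo narrow
    fi
}

# Print the command that withdraws the broad grant (emitted, not executed here).
# Which narrower grant replaces it depends on where uploads go: ftp_home_dir
# covers home directories only, as the reply above explains.
narrow_ftp_commands() {
    if [ "$(ftp_scope "$1")" = "broad" ]; then
        echo 'setsebool -P allow_ftpd_full_access=0'
    fi
}

echo "ftp-related booleans:"
list_booleans "$SAMPLE_GETSEBOOL" 'ftpd|ftp_'
echo "scope: $(ftp_scope "$SAMPLE_GETSEBOOL")"
echo "to narrow:"
narrow_ftp_commands "$SAMPLE_GETSEBOOL"
```

The point of the check is that allow_ftpd_full_access removes the type-enforcement boundary between vsftpd and the rest of the filesystem, so a compromised FTP account is limited only by Unix permissions; keep it off and grant the one tree that needs uploads instead.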
I would first look at what VsFTPd logs error-wise, then check /var/log/messages and /var/log/audit/audit.log (if you have it) for related errors and see the actual FileZilla debug log entries. A very quick way to diagnose would be to run 'audit2allow < /var/log/audit/audit.log | tee /tmp/report.txt' then attach "/tmp/report.txt" as plain text.
|
Quote:
My end goal is to be able to rw into /var/www/html/ and any future recursive (I think that's the term) while SELinux is enabled. |
I think you're going to need
Code:
chcon -t public_content_rw_t <target_dir>
Something like
Code:
semanage fcontext -a -t public_content_rw_t <target_dir> |
Quote:
Code:
type=DAEMON_START msg=audit(1358212978.897:2943): auditd start, ver=2.2 format=raw kernel=2.6.32-279.19.1.el6.i686 auid=4294967295 pid=1310 subj=system_u:system_r:auditd_t:s0 res=success
It is too long for this post, but I'll list the contents of a FileZilla log in another one. Lastly, you suggested I:
Code:
audit2allow < /var/log/audit/audit.log | tee /tmp/report.txt
I hope some of the above helps. |
Quote:
Code:
2013-01-14 21:04:03 1716 3 Status: Connecting to 192.168.15.5:21... |
Quote:
Code:
[root@localhost ~]# chcon -t public_content_rw_t <target_dir>
|
Don't use < & > chars; that's just a typing format to show you that you should substitute your value there; in other words
Code:
chcon -t public_content_rw_t /var/www/html
This may also be useful, Chap 44: http://www.linuxtopia.org/online_boo...ion/index.html |
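The diagnosis route suggested earlier in the thread (read the AVC denials in /var/log/audit/audit.log) and the relabelling advice just above (chcon versus semanage fcontext), combined in one added example that is not from the thread. The audit lines are constructed to look like a denied vsftpd write into httpd_sys_content_t content; the script summarises each denial (permission, source type, target type, object class) and emits the persistent relabel for the target directory. The allow_ftpd_anon_write boolean is not mentioned in the thread and is assumed from the CentOS 6 policy, where it gates ftpd writes to public_content_rw_t.

```shell
#!/bin/sh
# Constructed excerpt of /var/log/audit/audit.log (not from the thread). The two
# AVC lines are what a denied vsftpd upload into httpd-labelled content looks like.
SAMPLE_AUDIT_LOG='type=DAEMON_START msg=audit(1358212978.897:2943): auditd start, ver=2.2 format=raw kernel=2.6.32-279.19.1.el6.i686 auid=4294967295 pid=1310 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1358213001.123:2950): avc:  denied  { write } for  pid=1402 comm="vsftpd" name="html" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1358213001.124:2951): avc:  denied  { create } for  pid=1402 comm="vsftpd" name="test.txt" scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Print one "perm source_type target_type class" line per AVC denial in $1.
# The type is the third colon-separated field of each context.
summarize_avc() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && /avc: +denied/ {
            perm = ""; s = ""; t = ""; c = ""
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
                if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            print perm, s, t, c
        }'
}

# Map the denied target type to the remedy discussed in the thread. Commands
# are emitted, not executed: this host is not assumed to run SELinux.
suggest_fix() {
    target_type="$1"; dir="$2"
    case "$target_type" in
        httpd_sys_content_t)
            # Record the rule, then apply it: chcon alone is undone by restorecon.
            printf "semanage fcontext -a -t public_content_rw_t '%s(/.*)?'\n" "$dir"
            printf "restorecon -Rv '%s'\n" "$dir"
            # Assumed from the CentOS 6 policy: ftpd_t writes to public_content_rw_t
            # only when this boolean is on.
            printf 'setsebool -P allow_ftpd_anon_write=1\n'
            ;;
        *)
            printf '# no remedy mapped for %s; inspect audit2allow output\n' "$target_type"
            ;;
    esac
}

summarize_avc "$SAMPLE_AUDIT_LOG" | while read -r perm src tgt cls; do
    echo "denied: $perm on $cls ($src -> $tgt)"
done
tgt="$(summarize_avc "$SAMPLE_AUDIT_LOG" | awk 'NR == 1 { print $3 }')"
echo "remedy for target type $tgt:"
suggest_fix "$tgt" /var/www/html
```

chcon changes the label on the inode only, so a later restorecon or a full relabel reverts it; semanage fcontext records the rule and restorecon applies it, which is why the example emits that pair. Compared with allow_ftpd_full_access, this confines uploads to one tree, and in the targeted policy httpd_t can still read public_content_rw_t, so Apache keeps serving the files. On a real host, run summarize_avc "$(cat /var/log/audit/audit.log)" and compare its summary with what audit2allow reports.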