I thought about what chris suggested but that will cause issues with apache having access to the files due to selinux being enforced. If it was in permissive mode or disabled it would work with the public_content_rw_t.
Enable the boolean I suggested and it will work. No need to modify the context of the directories or files here.
Perfect chrism01! Once you pointed out I didn't need the <> and I referenced Chap 44, your suggestion worked in conjunction with the change to the booleans from post #8 (as you also suggested). No reboot needed.
For others in a similar situation, I'll summarize what I did in the end:
I then was able to drag and drop in FileZilla from my remote local to my server's /var/www/html without the 553 error which started all of this. Afterwards, I checked
Code:
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
which told me my upload was successful while still having SELinux enabled.
Lastly, per unSpawn's request, here are the resulting booleans:
Code:
[root@localhost ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
I take it that these are typical and satisfactory?
Yes, that looks satisfactory. Is Apache still able to serve your web files now that you have modified the directory SELinux context? From my past experience it shouldn't work if SELinux is in enforcing mode. Just want to double check.
Just checked and with sestatus reporting that SELinux is enabled / enforcing, I can still successfully access:
the Apache test page
a test index.php that I uploaded to /var/www/html/
and phpMySQL
I did a lot of monkeying around trying to solve my initial problem before posting my initial question, so perhaps I did something that I haven't described that makes my system behave differently than what you expected. Now that I've installed LAMP once, I have half a mind to do a completely fresh install to help set the process in my mind.
Thanks to everyone for getting me over this hump. What a great community.
Before I close the thread as solved, I've been researching how to give the same rw access to not just /var/www/html/ but all subsequent dir I put into it as any additional dir I've made such as /var/www/html/testdir/ all report the original 553 ftp error when I try to upload into it.
The -R is a recursive option, but remember that there are multiple attributes in SELinux. The -t is the type context; you also have user and role, which play a factor. Do an ls -Z on the new directory and compare to the others.
here are the resulting booleans: (..) I take it that these are typical and satisfactory?
You can actually check them yourself against what nfo 'man ftpd_selinux' offers.
Quote:
Originally Posted by fakefake
I did a lot of monkeying around trying to solve my initial problem before posting my initial question, so perhaps I did something that I haven't described that makes my system behave differently than what you expected.
I use a log file to jot down changes by date. When a problem occurs it's easier to look for clues in a file than having to rely on memory alone. Plus revision control makes it easy to revert configuration should it be necessary.
Quote:
Originally Posted by fakefake
Now that I've installed LAMP once, I have half a mind to do a completely fresh install to help set the process in my mind.
If learning to do things properly and verifying what you learned is applicable as a standard procedure then I can only applaud that.
Quote:
Originally Posted by fakefake
Before I close the thread as solved, I've been researching how to give the same rw access to not just /var/www/html/ but all subsequent dir I put into it as any additional dir I've made such as /var/www/html/testdir/ all report the original 553 ftp error when I try to upload into it. I've tried variations of:
as I thought the -R would give me recursive access to all child dirs of html, but that hasn't been the case.
The easiest way would be to apply the 'semanage fcontext' command chrism01 mentioned in post #11 (also in 'man ftpd_selinux' BTW) first. That adds a permanent record (to /etc/selinux/${POLICYNAME}/contexts/files/file_contexts.local) so that when you create a file or directory it starts out with the right context and that when the 'restorecond' service comes across it it won't revert the context back to what it knows it is.
Thanks. I also just realized that anytime I create new directories within /var/www/html/ I also need to change the GROUP to apache and set the permissions to 755 if I want the FTP via httpd to be able to read/write to them. I'm currently doing this by:
# chown -R MYUSERNAME:apache /var/www/html/
# chmod 755 -R /var/www/html/
I still need to figure out how to set the "Folder Access" to read and write via the command line, but as I can currently do that via GNOME by right clicking a folder and clicking PERMISSIONS->and changing the GROUPS folder access to CREATE & DELETE manually, I'll consider my problem solved and work on the rest by myself.
The location of the numeric digit indicates which set of permissions to apply.
So you have
chmod 755
The first digit is your owner, the second digit is your group, and the last digit is everyone else that is not the owner of the file or a member of the group on the file.
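The digit positions described above, decoded in shell. This is an added example, not code from any post in the thread, and the function names are hypothetical. It shows that 755 leaves the group digit without the write bit, while 775 sets it.

```shell
#!/bin/sh
# Added example: decode a three-digit octal mode into owner/group/other
# permissions. Function names are hypothetical.

# Print the rwx triplet for a single octal digit (4 = read, 2 = write, 1 = execute).
triplet() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Print "owner=... group=... other=..." for a mode such as 755.
# Rejects anything that is not exactly three octal digits.
describe_mode() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got: $1" >&2; return 1 ;;
    esac
    rest=${1#?}               # drop the first digit
    owner=${1%"$rest"}        # first digit: file owner
    other=${rest#?}           # last digit: everyone else
    group=${rest%"$other"}    # middle digit: file's group
    printf 'owner=%s group=%s other=%s\n' \
        "$(triplet "$owner")" "$(triplet "$group")" "$(triplet "$other")"
}

# Succeeds (exit 0) only when the group digit includes the write bit.
group_can_write() {
    out=$(describe_mode "$1") || return 2
    case $out in
        *group=?w*) return 0 ;;
        *) return 1 ;;
    esac
}

describe_mode 755
describe_mode 775
```

On the command line, group write is granted with `chmod g+w DIR` or by using 775 in place of 755.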
Actually, in my RH manual it says to try chcon first, then test it, then semanage to fix it in place.
Basically, chcon will last until an SELinux relabel occurs. semanage (as explained by unSpawn) actually alters the SELinux Policy, so that the change will even survive an SELinux relabel.
[root@prodserver output]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> on
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> on
[root@prodserver output]#
5 years later - today -
the SElinux kernel almost never gives me issues except for a NEW system install on new hardware and the initial set up of NON standard software
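A way to review listings like the two posted in this thread, as an added example that is not part of any post (function and variable names are hypothetical). It flags the FTP booleans that widen write access, and treats the older `allow_` spelling and the newer one as the same boolean. According to `man ftpd_selinux`, the full-access boolean lets the FTP server read and write all files, governed only by ordinary file permissions.

```shell
#!/bin/sh
# Added example: flag FTP-related SELinux booleans that widen write access.
# Function and variable names are hypothetical.

# Newer spelling; older releases prefix some of these with "allow_".
BROAD_BOOLEANS="ftpd_full_access ftpd_anon_write tftp_anon_write"

# Reads `getsebool -a` style lines ("name --> on|off") on stdin and prints
# the normalized name of every broad boolean that is on, one per line.
audit_ftp_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue     # skip shell prompts and noise
        norm=${name#allow_}                  # allow_ftpd_full_access -> ftpd_full_access
        for b in $BROAD_BOOLEANS; do
            if [ "$norm" = "$b" ] && [ "$state" = "on" ]; then
                echo "$norm"
            fi
        done
    done
}

# Sample input: abridged copies of the two listings posted in this thread.
SAMPLE_OLD='[root@localhost ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
ftp_home_dir --> on
httpd_enable_ftp_server --> off
tftp_anon_write --> off'

SAMPLE_NEW='ftpd_anon_write --> off
ftpd_connect_all_unreserved --> on
ftpd_full_access --> on
tftp_anon_write --> off
tftp_home_dir --> on'

printf '%s\n' "$SAMPLE_OLD" | audit_ftp_booleans
printf '%s\n' "$SAMPLE_NEW" | audit_ftp_booleans
# On a live host: getsebool -a | audit_ftp_booleans
```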