LinuxQuestions.org

Linux - Software: vsftpd and SELinux (https://www.linuxquestions.org/questions/linux-software-2/vsftpd-and-selinux-449313/)

HelplessNewbie 05-28-2006 09:22 AM

vsftpd and SELinux
 
I was reading some threads about the

Code:

500 OOPS: cannot change directory
error, and somebody mentioned disabling SELinux. I wish to keep SELinux enabled. What variables should I change so that SELinux will allow a directory change to a shared folder with vsftpd?

For example, I currently have the folder /home/web-docs

Code:

drwxrwxrwx  8 apache  web-users 4096 May 19 23:06 web-docs
...and the user www belongs to group web-users, with home folder set to /home/web-docs. I wish to use the account www to log in and upload files to this folder.

Any help or suggestions would be greatly appreciated. Thanks in advance.

macemoneta 05-28-2006 10:08 AM

It's a little more complex than just changing a variable, unfortunately. The quick way to do this is:

1- setenforce 0

This will temporarily set SELinux to permissive mode. It will still log audits, but not enforce the restrictions.

2- Exercise the application. Use as many features as you reasonably can for the functions you want permitted.

3- setenforce 1

This re-enables enforcing mode.

4- You need to create a directory for a local policy, and create some files. For example:

mkdir /etc/local-selinux-policy
cd /etc/local-selinux-policy
touch local.fc local.if local.pp local.te

5- Add the allow statements to the local policy:

audit2allow -l -a >> local.te

6- Edit the local.te file, and add a header and 'require' definition for each type (the "_t" entries). When you are done, it should look like this example:

Code:

policy_module(local, 1.0)

# every type used in the allow rules below must be declared here
require {
        type automount_t;
        type bluetooth_helper_t;
        type unlabeled_t;
        type xdm_t;
}

allow automount_t unlabeled_t:dir getattr;
allow bluetooth_helper_t xdm_t:fd use;

7- You can now add the local policy with:

/usr/sbin/setenforce 0
cd /etc/local-selinux-policy/
/usr/bin/make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i local.pp
/usr/sbin/setenforce 1

The application should now work, and SELinux is enabled.

There are more details here.
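The following is an added example, not code from the thread: a small POSIX sh helper that automates step 6 of the procedure above, turning raw audit2allow allow rules into a complete local.te with the policy_module header and a require block listing every type the rules mention. The module name "local" and version "1.0" come from the post; the function names, the build_and_install wrapper and the demo input are assumptions for illustration, and build_and_install is only defined, not run, because it needs a real SELinux host with the policy devel Makefile.

```shell
#!/bin/sh
# Added example (not from the thread). gen_local_te reads audit2allow
# output on stdin and writes a complete .te on stdout. Comment and blank
# lines that audit2allow may print are dropped; rules with brace sets of
# source/target types are not expanded (an assumption to keep it short).

gen_local_te() {
    module="${1:-local}"
    awk -v mod="$module" '
        /^allow[ \t]/ {
            rules[++n] = $0
            # $2 = source type, $3 = "target:class" -> type is before the colon
            split($3, tc, ":")
            if (!($2 in seen))    { seen[$2] = 1;    types[++t] = $2 }
            if (!(tc[1] in seen)) { seen[tc[1]] = 1; types[++t] = tc[1] }
        }
        END {
            printf "policy_module(%s, 1.0)\n\nrequire {\n", mod
            for (i = 1; i <= t; i++) printf "        type %s;\n", types[i]
            print "}\n"
            for (i = 1; i <= n; i++) print rules[i]
        }'
}

# Steps 4, 5 and 7 of the post, wired to gen_local_te. Assumed wrapper,
# defined but not invoked here: it needs root and the package that ships
# /usr/share/selinux/devel/Makefile on a real SELinux host.
build_and_install() {
    dir=/etc/local-selinux-policy
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        audit2allow -l -a | gen_local_te local > local.te
        make -f /usr/share/selinux/devel/Makefile
        semodule -i local.pp
    )
}

# Demo on the two rules quoted in the post (constructed input, not a live audit log).
printf 'allow automount_t unlabeled_t:dir getattr;\nallow bluetooth_helper_t xdm_t:fd use;\n' \
    | gen_local_te local
```

Run it on a real box as `audit2allow -l -a | gen_local_te local > local.te` and review the rules before building; an allow rule generated from a permissive-mode run grants exactly what the daemon was denied, so anything that looks unrelated to vsftpd should be deleted rather than installed.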

mrbinky3000 06-01-2007 07:03 PM

missing aureport
 
Fresh out-of-the-box fedora install was missing aureport

Code:

[root@blah vsftpd]# setenforce 0
[root@blah vsftpd]# setenforce 1
[root@blah vsftpd]# mkdir /etc/local-selinux-policy
[root@blah vsftpd]# cd /etc/local-selinux-policy
[root@blah local-selinux-policy]# touch local.fc local.if local.pp local.te
[root@blah local-selinux-policy]# audit2allow -l -a >> local.te
could not run ausearch - "[Errno 2] No such file or directory"

so I googled around and found that ausearch is in an rpm called audit

Code:

yum install audit
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for audit to pack into transaction set.
audit-1.4.2-5.fc6.i386.rp 100% |=========================|  16 kB    00:00
---> Package audit.i386 0:1.4.2-5.fc6 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                Arch      Version          Repository        Size
=============================================================================
Installing:
 audit                  i386      1.4.2-5.fc6      updates          233 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update      0 Package(s)
Remove      0 Package(s)

Total download size: 233 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): audit-1.4.2-5.fc6. 100% |=========================| 233 kB    00:04
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: audit                        ######################### [1/1]

Then I ran the last bit again...

Code:

audit2allow -l -a >> local.te
<no matches>

what now?

mrbinky3000 06-03-2007 12:49 PM

bump
 
Hmmm, this is a bump to see if more people check this on a weekday than on a weekend.

mrbinky3000 06-08-2007 06:23 AM

Bump
 
Bump to see if anyone has any fresh ideas. We're still stuck here.

ALUOp 06-25-2007 02:26 AM

I just encountered a similar problem with CentOS 5.
After I turned on vsftpd, I got the OOPS-cannot-change-directory error when I tried to login with an ordinary user account.
Then I noticed a SELinux pop-up at the lower right-hand corner.
I clicked on it and it mentioned an event with the following summary:

Code:

SELinux is preventing the ftp daemon from reading users home directories (home).
But the best thing is it also mentioned the solution:
Code:

If you want ftp to allow users access to their home directories you need to turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"

The following command will allow this access:

setsebool -P ftp_home_dir=1
So, I just su to root and do:
Code:

/usr/sbin/setsebool  -P ftp_home_dir=1
And now the user can ftp to his home directory.
Hope this helps.
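An added example, not part of ALUOp's post: before building a custom module, it is worth triaging the AVC denials in /var/log/audit/audit.log, because, as this thread shows, the real fix was a stock boolean rather than new allow rules. The function below reads audit.log lines, keeps only denials whose source type is ftpd_t (the vsftpd domain), and maps a home-directory target type to the ftp_home_dir boolean named in the troubleshooter message above; that single mapping is an assumption drawn from that message, everything else gets "check the booleans, else build a module". The sample log lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread). triage_avc reads audit.log lines on
# stdin and prints one line per ftpd_t denial: source type, target type and
# class, the denied permissions, and a suggested next step. The type-to-
# boolean mapping is an assumption taken from the troubleshooter text
# quoted in the thread (home directories -> ftp_home_dir).

triage_avc() {
    awk '
        /avc:[ \t]*denied/ {
            perm = ""; sctx = ""; tctx = ""; tclass = ""
            # permissions sit inside the braces: "{ search }"
            if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") sctx = kv[2]
                if (kv[1] == "tcontext") tctx = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            # a context is user:role:type[:level]; the type is field 3
            split(sctx, s, ":"); split(tctx, t, ":")
            if (s[3] != "ftpd_t") next
            gsub(/^ +| +$/, "", perm)
            if (t[3] == "user_home_dir_t" || t[3] == "user_home_t")
                fix = "setsebool -P ftp_home_dir=1"
            else
                fix = "no boolean in this table: try getsebool -a | grep ftp, else build a local module"
            printf "%s %s:%s {%s} -> %s\n", s[3], t[3], tclass, perm, fix
        }'
}

# Constructed sample lines in audit.log format (not real captures).
SAMPLE='type=AVC msg=audit(1180000000.123:45): avc:  denied  { search } for  pid=2345 comm="vsftpd" name="www" dev=sda2 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1180000000.456:46): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="web-docs" dev=sda2 ino=12346 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1180000000.789:47): avc:  denied  { getattr } for  pid=999 comm="automount" scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'

# Demo: only the two vsftpd denials are reported; the automount one is ignored.
printf '%s\n' "$SAMPLE" | triage_avc
```

On a live host the same function runs as `ausearch -m avc -c vsftpd | triage_avc` (the audit package must be installed, as the earlier post found). Note that a boolean set with `setsebool -P` is a policy change recorded in the policy store, which is why the thread's manual module-building steps became unnecessary once the boolean was on.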

mrbinky3000 08-28-2007 10:54 AM

Finally! Fixed!!!!
 
Thanks ALUOp

That did it! Just a note for anyone else. I typed in the setsebool command and then immediately tried to log in with my ftp client and it still failed with:

500 OOPS: child died

It takes some time for the setsebool command to update the system. Wait about a minute. If it still fails, then I guess there is something else wrong.

Another note: I am going from memory here, but I think that setsebool is not part of a standard FC6 install. You have to yum install some packages to acquire the ability to edit selinux policies. I don't know the names of these packages off the top of my head.

THANKS!

