vsftpd and SELinux
I was reading some threads about the
Code:
500 OOPS: cannot change directory
For example, I currently have the folder /home/web-docs
Code:
drwxrwxrwx 8 apache web-users 4096 May 19 23:06 web-docs
Any help or suggestions would be greatly appreciated. Thanks in advance.
|
It's a little more complex than just changing a variable, unfortunately. The quick way to do this is:
1- setenforce 0
This will temporarily set SELinux to permissive mode. It will still log audits, but not enforce the restrictions.
2- Exercise the application. Use as many features as you reasonably can for the functions you want permitted.
3- setenforce 1
This re-enables enforcing mode.
4- You need to create a directory for a local policy, and create some files. For example:
mkdir /etc/local-selinux-policy
cd /etc/local-selinux-policy
touch local.fc local.if local.pp local.te
5- Add the allow statements to the local policy:
audit2allow -l -a >> local.te
6- Edit the local.te file, and add a header and 'require' definition for each type (the "_t" entries). When you are done, it should look like this example:
Code:
policy_module(local, 1.0)
/usr/sbin/setenforce 0
cd /etc/local-selinux-policy/
/usr/bin/make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i local.pp
/usr/sbin/setenforce 1
The application should now work, and SELinux is enabled. There are more details here.
|
missing aureport
Fresh out-of-the-box Fedora install was missing aureport
Code:
[root@blah vsftpd]# setenforce 0
Code:
yum install audit
Code:
audit2allow -l -a >> local.te
|
bump
Hmmm, this is a bump to see if more people check this on a weekday than on a weekend.
|
Bump
Bump to see if anyone has any fresh ideas. We're still stuck here.
|
I just encountered a similar problem with CentOS 5.
After I turned on vsftpd, I got the OOPS-cannot-change-directory error when I tried to log in with an ordinary user account. Then I noticed a SELinux pop-up at the lower right-hand corner. I clicked on it and it mentioned an event with the following summary:
Code:
SELinux is preventing the ftp daemon from reading users home directories (home).
Code:
If you want ftp to allow users access to their home directories you need to turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"
The following command will allow this access:
setsebool -P ftp_home_dir=1
Code:
/usr/sbin/setsebool -P ftp_home_dir=1
Hope this helps.
|
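Added example (written for this page, not code posted by anyone in the thread) tying the audit2allow/require recipe from the earlier reply to ALUOp's boolean fix: a POSIX sh script that parses constructed audit.log AVC lines of the kind vsftpd leaves behind, builds the require { } header the local.te file needs, and flags when the stock ftp_home_dir boolean already covers the denials. The sample lines, the function names and the list of home-directory types checked in home_hint are assumptions.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not taken from the thread) of the kind
# vsftpd leaves behind when SELinux blocks access to home directories.
SAMPLE_AVC='type=AVC msg=audit(1180000000.123:45): avc:  denied  { search } for  pid=2345 comm="vsftpd" name="home" dev=sda2 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1180000000.456:46): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="web-docs" dev=sda2 ino=12346 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1180000000.456:46): arch=c000003e syscall=2 success=no exit=-13'
# One line per AVC denial: "comm source_type target_type class permission(s)"
summarize_denials() {
  printf '%s\n' "$1" | awk '
    /type=AVC/ && /denied/ {
      perm = ""; comm = ""; st = ""; tt = ""; tc = ""
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
        if (kv[1] == "tclass")   tc = kv[2]
      }
      print comm, st, tt, tc, perm
    }'
}
# Number of AVC denials in the input (plain digits, no padding)
count_denials() { summarize_denials "$1" | awk 'END { print NR + 0 }'; }
# The require { } header that step 6 of the recipe asks for, built from the
# source/target types and the class permissions seen in the denials (deduplicated)
require_block() {
  summarize_denials "$1" | awk '
    { types[$2] = 1; types[$3] = 1
      for (i = 5; i <= NF; i++)
        if (index(" " perms[$4] " ", " " $i " ") == 0) perms[$4] = perms[$4] " " $i }
    END {
      print "require {"
      for (t in types) print "\ttype " t ";"
      for (c in perms) print "\tclass " c " {" perms[c] " };"
      print "}"
    }'
}
# Flag denials a stock boolean already covers, so no custom module is needed
# (assumed list of home-directory target types)
home_hint() {
  summarize_denials "$1" | awk '
    $2 == "ftpd_t" && $3 ~ /^(home_root_t|user_home_dir_t|user_home_t)$/ { found = 1 }
    END { if (found) print "ftpd_t -> home directory types: try setsebool -P ftp_home_dir=1 first" }'
}
```

Run it against your real log with `require_block "$(cat /var/log/audit/audit.log)"` and paste the result under the policy_module header before adding the audit2allow output.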
Finally! Fixed!!!!
Thanks ALUOp
That did it! Just a note for anyone else. I typed in the setsebool command and then immediately tried to log in with my ftp client and it still failed with:
500 OOPS: child died
It takes some time for the setsebool command to update the system. Wait about a minute. If it still fails, then I guess there is something else wrong.
Another note: I am going from memory here, but I think that setsebool is not part of a standard FC6 install. You have to yum install some packages to acquire the ability to edit SELinux policies. I don't know the names of these packages off the top of my head. THANKS!
|