vsftpd and SELinux

HelplessNewbie · 05-28-2006, 09:22 AM

I was reading some threads about the

Code:

500 OOPS: cannot change directory

error, and somebody mentioned disabling SELinux. I wish to keep SELinux enabled. What variables should I change so that SELinux will allow a directory change to a shared folder with vsftpd?

For example, I currently have the folder /home/web-docs

Code:

drwxrwxrwx  8 apache   web-users 4096 May 19 23:06 web-docs

...and the user www belongs to group web-users, with home folder set to /home/web-docs. I wish to use the account www to log in and upload files to this folder.

Any help or suggestions would be greatly appreciated. Thanks in advance.

macemoneta · 05-28-2006, 10:08 AM

It's a little more complex than just changing a variable, unfortunately. The quick way to do this is:

1- setenforce 0

This will temporary set SELinux to permissive mode. It will still log audits, but not enforce the restrictions.

2- Exercise the application. Use as many features as you reasonably can for the functions you want permitted.

3- setenforce 1

This re-enables enforcing mode.

4- You need to create a directory for a local policy, and create some files. For example:

mkdir /etc/local-selinux-policy
cd /etc/local-selinux-policy
touch local.fc local.if local.pp local.te

5- Add the allow statements to the local policy:

audit2allow -l -a >> local.te

6- Edit the local.te file, and add a header and 'require' definition for each type (the "_t" entries). When you are done, it should look like this example:

Code:

policy_module(local, 1.0)

require {
        type automount_t;
        type bluetooth_helper_t;
        unlabeled_t;
        type xdm_t;
}

allow automount_t unlabeled_t:dir getattr;
allow bluetooth_helper_t xdm_t:fd use;

7- You can now add the local policy with:

/usr/sbin/setenforce 0
cd /etc/local-selinux-policy/
/usr/bin/make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i local.pp
/usr/sbin/setenforce 1

The application should now work, and SELinux is enabled.

There are more details here.

mrbinky3000 · 06-01-2007, 07:03 PM

Fresh out-of-the-box fedora install was missing aureport

Code:

[root@blah vsftpd]# setenforce 0
[root@blah vsftpd]# setenforce 1
[root@blah vsftpd]# mkdir /etc/local-selinux-policy
[root@blah vsftpd]# cd /etc/local-selinux-policy
[root@blah local-selinux-policy]# touch local.fc local.if local.pp local.te
[root@blah local-selinux-policy]# audit2allow -l -a >> local.te
could not run ausearch - "[Errno 2] No such file or directory"

so I googled around and found that ausearch is in an rpm called audit

Code:

yum install audit
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for audit to pack into transaction set.
audit-1.4.2-5.fc6.i386.rp 100% |=========================|  16 kB    00:00
---> Package audit.i386 0:1.4.2-5.fc6 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 audit                   i386       1.4.2-5.fc6      updates           233 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 233 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): audit-1.4.2-5.fc6. 100% |=========================| 233 kB    00:04
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: audit                        ######################### [1/1]

Then I ran the last bit again...

Code:

audit2allow -l -a >> local.te
<no matches>

what now?

mrbinky3000 · 06-03-2007, 12:49 PM

Hmmm, this is a bump to see if more people check this on a weekday than on a weekend.

mrbinky3000 · 06-08-2007, 06:23 AM

Bump to see if anyone has any fresh ideas. We're still stuck here.

ALUOp · 06-25-2007, 02:26 AM

I just encountered a similar problem with CentOS 5.
After I turned on vsftpd, I got the OOPS-cannot-change-directory error when I tried to login with an ordinary user account.
Then I noticed a SELinux pop-up at the lower right-hand corner.
I clicked on it and it mentioned an event with the following summary:

Code:

SELinux is preventing the ftp daemon from reading users home directories (home).

But the best thing is it also mentioned the solution:

Code:

If you want ftp to allow users access to their home directories you need to turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"The following command will allow this access:setsebool -P ftp_home_dir=1

So, I just su to root and do:

Code:

/usr/sbin/setsebool  -P ftp_home_dir=1

And now the user can ftp to his home directory.
Hope this helps.

mrbinky3000 · 08-28-2007, 10:54 AM

Thanks ALUOp

That did it! Just a note for anyone else. I typed in the setsebool command and then immediately tried to log in with my ftp client and it still failed with.

500 OOPS: child died

It takes some time for the setsebool command to update the system. Wait about a minute. If it still fails, then I guess there is something else wrong.

Another note: I am going from memory here, but I think that setsebool is not part of a standard FC6 install. You have to yum install some packages to acquire the ability to edit selinux policies. I don't know the names of these packages off the top of my head.

THANKS!