LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 05-28-2006, 09:22 AM   #1
HelplessNewbie
LQ Newbie
 
Registered: Aug 2004
Distribution: Ubuntu 6.10
Posts: 11

Rep: Reputation: 0
vsftpd and SELinux


I was reading some threads about the

Code:
500 OOPS: cannot change directory
error, and somebody mentioned disabling SELinux. I wish to keep SELinux enabled. What variables should I change so that SELinux will allow a directory change to a shared folder with vsftpd?

For example, I currently have the folder /home/web-docs

Code:
drwxrwxrwx  8 apache   web-users 4096 May 19 23:06 web-docs
...and the user www belongs to group web-users, with home folder set to /home/web-docs. I wish to use the account www to log in and upload files to this folder.

Any help or suggestions would be greatly appreciated. Thanks in advance.
 
Old 05-28-2006, 10:08 AM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326Reputation: 326Reputation: 326Reputation: 326
It's a little more complex than just changing a variable, unfortunately. The quick way to do this is:

1- setenforce 0

This will temporary set SELinux to permissive mode. It will still log audits, but not enforce the restrictions.

2- Exercise the application. Use as many features as you reasonably can for the functions you want permitted.

3- setenforce 1

This re-enables enforcing mode.

4- You need to create a directory for a local policy, and create some files. For example:

mkdir /etc/local-selinux-policy
cd /etc/local-selinux-policy
touch local.fc local.if local.pp local.te

5- Add the allow statements to the local policy:

audit2allow -l -a >> local.te

6- Edit the local.te file, and add a header and 'require' definition for each type (the "_t" entries). When you are done, it should look like this example:

Code:
policy_module(local, 1.0)

require {
        type automount_t;
        type bluetooth_helper_t;
        unlabeled_t;
        type xdm_t;
}

allow automount_t unlabeled_t:dir getattr;
allow bluetooth_helper_t xdm_t:fd use;
7- You can now add the local policy with:

/usr/sbin/setenforce 0
cd /etc/local-selinux-policy/
/usr/bin/make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i local.pp
/usr/sbin/setenforce 1

The application should now work, and SELinux is enabled.

There are more details here.

Last edited by macemoneta; 05-28-2006 at 10:11 AM.
 
Old 06-01-2007, 07:03 PM   #3
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0
missing aureport

Fresh out-of-the-box fedora install was missing aureport

Code:
[root@blah vsftpd]# setenforce 0
[root@blah vsftpd]# setenforce 1
[root@blah vsftpd]# mkdir /etc/local-selinux-policy
[root@blah vsftpd]# cd /etc/local-selinux-policy
[root@blah local-selinux-policy]# touch local.fc local.if local.pp local.te
[root@blah local-selinux-policy]# audit2allow -l -a >> local.te
could not run ausearch - "[Errno 2] No such file or directory"
so I googled around and found that ausearch is in an rpm called audit

Code:
yum install audit
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for audit to pack into transaction set.
audit-1.4.2-5.fc6.i386.rp 100% |=========================|  16 kB    00:00
---> Package audit.i386 0:1.4.2-5.fc6 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 audit                   i386       1.4.2-5.fc6      updates           233 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 233 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): audit-1.4.2-5.fc6. 100% |=========================| 233 kB    00:04
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: audit                        ######################### [1/1]
Then I ran the last bit again...

Code:
audit2allow -l -a >> local.te
<no matches>
what now?
 
Old 06-03-2007, 12:49 PM   #4
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0
bump

Hmmm, this is a bump to see if more people check this on a weekday than on a weekend.
 
Old 06-08-2007, 06:23 AM   #5
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0
Bump

Bump to see if anyone has any fresh ideas. We're still stuck here.
 
Old 06-25-2007, 02:26 AM   #6
ALUOp
LQ Newbie
 
Registered: May 2005
Posts: 4

Rep: Reputation: 1
I just encountered a similar problem with CentOS 5.
After I turned on vsftpd, I got the OOPS-cannot-change-directory error when I tried to login with an ordinary user account.
Then I noticed a SELinux pop-up at the lower right-hand corner.
I clicked on it and it mentioned an event with the following summary:

Code:
SELinux is preventing the ftp daemon from reading users home directories (home).
But the best thing is it also mentioned the solution:
Code:
If you want ftp to allow users access to their home directories you need to turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"The following command will allow this access:setsebool -P ftp_home_dir=1
So, I just su to root and do:
Code:
/usr/sbin/setsebool  -P ftp_home_dir=1
And now the user can ftp to his home directory.
Hope this helps.

Last edited by ALUOp; 06-25-2007 at 02:29 AM.
 
1 members found this post helpful.
Old 08-28-2007, 10:54 AM   #7
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0
Smile Finally! Fixed!!!!

Thanks ALUOp

That did it! Just a note for anyone else. I typed in the setsebool command and then immediately tried to log in with my ftp client and it still failed with.

500 OOPS: child died

It takes some time for the setsebool command to update the system. Wait about a minute. If it still fails, then I guess there is something else wrong.

Another note: I am going from memory here, but I think that setsebool is not part of a standard FC6 install. You have to yum install some packages to acquire the ability to edit selinux policies. I don't know the names of these packages off the top of my head.

THANKS!

Last edited by mrbinky3000; 08-28-2007 at 10:56 AM. Reason: corretions and amendments
 
  


Reply

Tags
audit, fc5, fc6, fedora, selinux, vsftpd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
vsftpd settingd and VSFTPD DEAD BUT SUBSYS LOCKED pc_copat Linux - Newbie 15 11-05-2009 10:31 PM
vsftpd.conf/chroot/vsftpd.chroot_list issue Jerman Linux - Security 2 06-01-2007 07:24 PM
vsftpd, web uploads, vsftpd virtual users, apache virtual hosts, home directories jerryasher Linux - Software 7 02-18-2007 06:29 AM
vsftpd & ssl - how do I tell if it's actually vsftpd maintaining the connections?? hunterhunter Linux - General 0 03-27-2006 04:41 PM
VSFTPD with 500 oops :vsftpd: missing argv[0] mole_13 Linux - Newbie 0 05-04-2005 01:05 AM


All times are GMT -5. The time now is 05:17 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration