LinuxQuestions.org
Old 07-26-2007, 01:46 AM   #1
wayno
Member
Registered: May 2007
Location: Brisbane, Australia
Distribution: Fedora 8/9, Xandros (eeepc)
Posts: 110
Blog Entries: 1
SELinux on FTP Server


I've got an FTP server running FC5 (2.6.15-1_2054) and VSFTPD. I built it ages ago but it wasn't required until now so hadn't been fully tested. But now I'm having some issues with SELinux that I'd like to get to the bottom of. It works, in as much as I can log in and shuffle files around happily but I had to set SELinux to permissive and I'd like to get to the bottom of the warning messages. It is a web-facing server (albeit behind a couple of firewalls) so I would like to have SELinux enforcing policy.

When I log on via FTP, the console shows:
Code:
audit(1185428245.177:189): avc: denied {write } for pid=3236 comm="vsftpd" 
name="user1" dev=sdb2 ino=6062081 scontext=system_u:system_r:ftpd_t:s0 
tcontext=root:object_r:file_t:s0 tclass=dir
When I 'put' a file onto the server, the console shows:
Code:
audit(1185426425.063:177): avc: denied { append } for pid=3092 comm="vsftpd" 
name="myfile.txt" dev=sdb2 ino=6062083 scontext=system_u:system_r:ftpd_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=file
Code:
audit(1185426425.075:178): avc: denied {write } for pid=3092 comm="vsftpd" 
name="myfile.txt" dev=sdb2 ino=6062083 scontext=system_u:system_r:ftpd_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=file
When I try to delete the file, I get a message like the second one above.

FTP is configured to lock users into their home directories, which exist under /ftp (which is actually a separate hard disk /dev/sdb2 mounted under /mnt but I don't think that matters?). An 'ls -allZ' for /ftp shows:
Code:
drwxr-xr-x root root system_u:object_r:ftpd_t ftp
(I tried changing the owner of the FTP directory to ftp:ftp but it made no difference.)

I've tried to read up on SELinux but .... well .... I get the principle of it but a lot of the actual workings are going whoooosh! over my head at the moment.

Can anyone offer any advice?

Old 07-26-2007, 08:44 PM   #2
macemoneta
Senior Member
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2
The problem is that ftp, being a completely insecure legacy protocol, should only be used for anonymous login (all userids and passwords are sent in clear text). In order to use ftp with user logins, you'll need to disable the protections that keep it contained to that state.

I'm not sure if these options are available back on FC5, but you can try:

setsebool ftp_home_dir on

and if necessary:

setsebool allow_ftpd_anon_write on
setsebool allow_ftpd_full_access on

If none of those work, go to:

setsebool ftpd_disable_trans on

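An added triage script (not from the thread or from either poster) that reads the AVC lines quoted in the first post and separates the two situations the two posts are about: a target labeled file_t, meaning the object has never been labeled (the /ftp disk here) and no boolean can help until it is relabeled, versus a properly labeled target, where a policy boolean such as ftp_home_dir from the reply above is the right lever. The first two sample lines are copied from the post (transcription typos corrected); the third, with a user_home_dir_t target, is constructed to show the second branch.

```shell
#!/bin/sh
# Sample AVC lines: first two quoted from the thread, third one constructed.
AVC_SAMPLE='audit(1185428245.177:189): avc: denied {write } for pid=3236 comm="vsftpd" name="user1" dev=sdb2 ino=6062081 scontext=system_u:system_r:ftpd_t:s0 tcontext=root:object_r:file_t:s0 tclass=dir
audit(1185426425.063:177): avc: denied { append } for pid=3092 comm="vsftpd" name="myfile.txt" dev=sdb2 ino=6062083 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1185428245.200:190): avc: denied { read } for pid=3236 comm="vsftpd" name="user2" dev=sda3 ino=424242 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir'

# Pull one key=value field out of an AVC line ($1 = line, $2 = key).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n1
}

# The SELinux type is the third colon-separated component of a context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print "<perm> <source_type> <target_type> <tclass> <name>" for one line.
avc_summarize() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    printf '%s %s %s %s %s\n' "$perm" \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name | tr -d '"')"
}

# file_t is the type of an object that has never been labeled (typical for a
# disk created elsewhere or mounted without a relabel). No boolean grants
# ftpd_t access to file_t; the tree needs restorecon first. Anything else is
# a policy decision, e.g. the ftp_home_dir boolean for user_home_dir_t.
avc_verdict() {
    set -- $(avc_summarize "$1")
    if [ "$3" = file_t ]; then
        echo "relabel"
    else
        echo "policy"
    fi
}

main() {
    printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r l; do
        printf '%s -> %s\n' "$(avc_summarize "$l")" "$(avc_verdict "$l")"
    done
}

main
```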
Old 07-27-2007, 09:55 AM   #3
wayno
Member
Registered: May 2007
Location: Brisbane, Australia
Distribution: Fedora 8/9, Xandros (eeepc)
Posts: 110

Original Poster
Blog Entries: 1
Quote:
Originally Posted by macemoneta
Thanks for this. The problem is that the client needs to offer FTP access to their clients. Security isn't a huge issue as the accounts are created as required and deleted when finished with. I'll give your suggestions a go on Monday (today is a public holiday here).