Hi, I've configured my vsftpd to use chroot for an ftp account. So whenever an ftp user logs in, they'll be chrooted to /ftpuser. However, it appears that SELinux is having an issue with this and I have to issue the following command in order to do uploads...
Code:
setsebool -P allow_ftpd_full_access=1
Somehow this doesn't appear to be the right approach. Has anyone else encountered a similar issue?
Following is the SELinux message...
Code:
[root@uat ~]# sealert -l 83137bfa-1735-4107-bdb7-f7cd762174de
Summary:
SELinux is preventing the ftp daemon from writing files outside the home
directory (./ftpuser).
Detailed Description:
SELinux has denied the ftp daemon write access to directories outside the home
directory (./ftpuser). Someone has logged in via your ftp daemon and is trying to
create or write a file. If you only setup ftp to allow anonymous ftp, this could
signal a intrusion attempt.
Allowing Access:
If you do not want SELinux preventing ftp from writing files anywhere on the
system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P
allow_ftpd_full_access=1"
The following command will allow this access:
setsebool -P allow_ftpd_full_access=1
Additional Information:
Source Context root:system_r:ftpd_t
Target Context root:object_r:usr_t
Target Objects ./ftpuser [ dir ]
Source vsftpd
Source Path /usr/sbin/vsftpd
Port <Unknown>
Host test.mysite.com
Source RPM Packages vsftpd-2.0.5-16.el5_5.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_ftpd_full_access
Host Name test.mysite.com
Platform Linux test.mysite.com 2.6.18-194.el5 #1 SMP Fri
Apr 2 14:58:14 EDT 2010 x86_64 x86_64
Alert Count 2
First Seen Mon Oct 4 12:31:27 2010
Last Seen Mon Oct 4 12:34:28 2010
Local ID 83137bfa-1735-4107-bdb7-f7cd762174de
Line Numbers
Raw Audit Messages
host=test.mysite.com type=AVC msg=audit(1286220868.906:8856): avc: denied { write } for pid=19649 comm="vsftpd" name="ftpuser" dev=dm-0 ino=850386 scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
host=test.mysite.com type=SYSCALL msg=audit(1286220868.906:8856): arch=c000003e syscall=83 success=no exit=-13 a0=2b21eefe1330 a1=1ff a2=1 a3=0 items=0 ppid=19645 pid=19649 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=841 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
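Added example, not part of the original post: the AVC record above says ftpd_t was denied "write" on a dir labelled usr_t, which is a labelling problem on /ftpuser, not a reason to open up the whole filesystem with allow_ftpd_full_access. The script below parses that record, checks it is the plain "ftpd_t writing to a dir/file" case, and then prints (or with DRY_RUN=0 runs, as root) the scoped fix: relabel only the chroot directory to public_content_rw_t and turn on the narrow allow_ftpd_anon_write boolean. It assumes RHEL 5 era boolean names (allow_ftpd_anon_write), that semanage from policycoreutils-python is installed, and /ftpuser as the chroot directory; the sample AVC line is copied from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a scoped alternative to
# allow_ftpd_full_access for a chrooted vsftpd directory. It parses the
# AVC record from the post, then relabels only that directory to
# public_content_rw_t and turns on the narrow allow_ftpd_anon_write
# boolean, so ftpd_t gains write access to that label and nothing else.
# Assumptions: RHEL 5 era boolean names (allow_ftpd_anon_write), semanage
# from policycoreutils-python, and /ftpuser as the chroot directory.

FTP_DIR="${FTP_DIR:-/ftpuser}"
DRY_RUN="${DRY_RUN:-1}"    # DRY_RUN=0 actually runs the commands (needs root)

# Constructed sample input: the raw AVC line quoted in the post.
SAMPLE_AVC='type=AVC msg=audit(1286220868.906:8856): avc: denied { write } for pid=19649 comm="vsftpd" name="ftpuser" dev=dm-0 ino=850386 scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=... from an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_denied_perm LINE: the first permission inside "denied { ... }".
avc_denied_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^} ]*\).*/\1/p'
}

# avc_target_type LINE: the type (3rd colon-separated field) of tcontext.
avc_target_type() {
    avc_field "$1" tcontext | cut -d: -f3
}

# scoped_fix_applies LINE: true when the denial is ftpd_t writing to a
# dir or file, i.e. the case a relabel plus allow_ftpd_anon_write covers.
scoped_fix_applies() {
    src=$(avc_field "$1" scontext | cut -d: -f3)
    cls=$(avc_field "$1" tclass)
    perm=$(avc_denied_perm "$1")
    [ "$src" = ftpd_t ] && [ "$perm" = write ] &&
        { [ "$cls" = dir ] || [ "$cls" = file ]; }
}

# plan_fix DIR: print the commands, one per line, without running them.
# semanage fcontext makes the label persistent (unlike chcon) and
# restorecon applies it; the boolean is the narrow one, not full_access.
plan_fix() {
    dir=$1
    cat <<EOF
ls -Zd $dir
semanage fcontext -a -t public_content_rw_t "$dir(/.*)?"
restorecon -Rv $dir
setsebool -P allow_ftpd_anon_write=1
getsebool allow_ftpd_anon_write
EOF
}

# apply_fix DIR: run the plan line by line (as root), stopping on failure.
apply_fix() {
    plan_fix "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

if scoped_fix_applies "$SAMPLE_AVC"; then
    echo "ftpd_t denied $(avc_denied_perm "$SAMPLE_AVC") on $(avc_target_type "$SAMPLE_AVC"); scoped fix:"
    if [ "$DRY_RUN" = 0 ]; then apply_fix "$FTP_DIR"; else plan_fix "$FTP_DIR"; fi
else
    echo "denial is not a plain ftpd_t write; inspect it with: sealert -l <id>" >&2
fi
```

After running it for real, ls -Zd /ftpuser should show public_content_rw_t and a new upload should produce no AVC. If the chroot directory were an actual user home under /home (labelled user_home_dir_t) the alternative is the ftp_home_dir boolean instead of a relabel; either way the point is to grant ftpd_t write access to one label rather than to every file on the box.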