Old 05-28-2006, 10:22 AM   #1
LQ Newbie
Registered: Aug 2004
Distribution: Ubuntu 6.10
Posts: 11

Rep: Reputation: 0
vsftpd and SELinux

I was reading some threads about the

500 OOPS: cannot change directory
error, and somebody mentioned disabling SELinux. I wish to keep SELinux enabled. What variables should I change so that SELinux will allow a directory change to a shared folder with vsftpd?

For example, I currently have the folder /home/web-docs

drwxrwxrwx  8 apache   web-users 4096 May 19 23:06 web-docs
...and the user www belongs to group web-users, with home folder set to /home/web-docs. I wish to use the account www to log in and upload files to this folder.

Any help or suggestions would be greatly appreciated. Thanks in advance.
Old 05-28-2006, 11:08 AM   #2
Senior Member
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
It's a little more complex than just changing a variable, unfortunately. The quick way to do this is:

1- setenforce 0

This will temporarily set SELinux to permissive mode. It will still log audits, but not enforce the restrictions.

2- Exercise the application. Use as many features as you reasonably can for the functions you want permitted.

3- setenforce 1

This re-enables enforcing mode.

4- You need to create a directory for a local policy, and create some files. For example:

mkdir /etc/local-selinux-policy
cd /etc/local-selinux-policy
touch local.fc local.if local.pp local.te

5- Add the allow statements to the local policy:

audit2allow -l -a >> local.te

6- Edit the local.te file, and add a header and 'require' definition for each type (the "_t" entries). When you are done, it should look like this example:

policy_module(local, 1.0)

require {
        type automount_t;
        type bluetooth_helper_t;
        type unlabeled_t;
        type xdm_t;
        class dir getattr;
        class fd use;
}

allow automount_t unlabeled_t:dir getattr;
allow bluetooth_helper_t xdm_t:fd use;

7- You can now add the local policy with:

/usr/sbin/setenforce 0
cd /etc/local-selinux-policy/
/usr/bin/make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i local.pp
/usr/sbin/setenforce 1

The application should now work, and SELinux is enabled.

There are more details here.

Last edited by macemoneta; 05-28-2006 at 11:11 AM.
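As an added illustration, not code from this thread or from the SELinux tools, the following Python script does in miniature what the audit2allow step above does: it parses AVC denial records from the audit log, collects every type and object class into the require block that the post says has to be written by hand, and emits the merged allow rules. The AVC records are constructed samples matching the two rules shown in the post plus a vsftpd home-directory denial; the output format is the refpolicy .te layout the post describes.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the thread). The first two
# correspond to the allow rules in the post; the third is a vsftpd denial.
SAMPLE_AVC = """\
type=AVC msg=audit(1148826120.123:45): avc:  denied  { getattr } for  pid=2345 comm="automount" name="/" dev=sda1 ino=2 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1148826121.456:46): avc:  denied  { use } for  pid=2401 comm="hidd" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=fd
type=AVC msg=audit(1148826122.789:47): avc:  denied  { read search } for  pid=2500 comm="vsftpd" name="www" dev=sda1 ino=12 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
"""


def parse_avc(line):
    """Return (source type, target type, class, [perms]) for one AVC denial, or None."""
    m = re.search(r"denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # A context is user:role:type[:level]; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms


def generate_te(module_name, avc_text, version="1.0"):
    """Build a refpolicy-style .te module from AVC denial records.

    Every type and class seen is declared in the require block (the part the
    post says must be added manually) and duplicate denials are merged.
    """
    types, classes = set(), defaultdict(set)
    rules = defaultdict(set)  # (stype, ttype, tclass) -> permissions
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        types.update((stype, ttype))
        classes[tclass].update(perms)
        rules[(stype, ttype, tclass)].update(perms)
    out = [f"policy_module({module_name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else f"{{ {p} }}"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te("local", SAMPLE_AVC))
```

Review each generated allow rule before building it with the Makefile; a rule that is only needed because the wrong boolean is off (as the later posts in this thread show for ftp_home_dir) is better handled by setsebool than by a local module.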
Old 06-01-2007, 08:03 PM   #3
LQ Newbie
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0
missing aureport

Fresh out-of-the-box fedora install was missing aureport

[root@blah vsftpd]# setenforce 0
[root@blah vsftpd]# setenforce 1
[root@blah vsftpd]# mkdir /etc/local-selinux-policy
[root@blah vsftpd]# cd /etc/local-selinux-policy
[root@blah local-selinux-policy]# touch local.fc local.if local.pp local.te
[root@blah local-selinux-policy]# audit2allow -l -a >> local.te
could not run ausearch - "[Errno 2] No such file or directory"
so I googled around and found that ausearch is in an rpm called audit

yum install audit
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for audit to pack into transaction set.
audit-1.4.2-5.fc6.i386.rp 100% |=========================|  16 kB    00:00
---> Package audit.i386 0:1.4.2-5.fc6 set to be updated
--> Running transaction check

Dependencies Resolved

 Package                 Arch       Version          Repository        Size
 audit                   i386       1.4.2-5.fc6      updates           233 k

Transaction Summary
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 233 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): audit-1.4.2-5.fc6. 100% |=========================| 233 kB    00:04
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: audit                        ######################### [1/1]
Then I ran the last bit again...

audit2allow -l -a >> local.te
<no matches>
what now?
Old 06-03-2007, 01:49 PM   #4
LQ Newbie
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0

Hmmm, this is a bump to see if more people check this on a weekday than on a weekend.
Old 06-08-2007, 07:23 AM   #5
LQ Newbie
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0

Bump to see if anyone has any fresh ideas. We're still stuck here.
Old 06-25-2007, 03:26 AM   #6
LQ Newbie
Registered: May 2005
Posts: 4

Rep: Reputation: 1
I just encountered a similar problem with CentOS 5.
After I turned on vsftpd, I got the OOPS-cannot-change-directory error when I tried to login with an ordinary user account.
Then I noticed a SELinux pop-up at the lower right-hand corner.
I clicked on it and it mentioned an event with the following summary:

SELinux is preventing the ftp daemon from reading users home directories (home).
But the best thing is it also mentioned the solution:
If you want ftp to allow users access to their home directories you need to turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"

The following command will allow this access:

setsebool -P ftp_home_dir=1
So, I just su to root and do:
/usr/sbin/setsebool  -P ftp_home_dir=1
And now the user can ftp to his home directory.
Hope this helps.

Last edited by ALUOp; 06-25-2007 at 03:29 AM.
Old 08-28-2007, 11:54 AM   #7
LQ Newbie
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0
Finally! Fixed!!!!

Thanks ALUOp

That did it! Just a note for anyone else. I typed in the setsebool command and then immediately tried to log in with my ftp client and it still failed with:

500 OOPS: child died

It takes some time for the setsebool command to update the system. Wait about a minute. If it still fails, then I guess there is something else wrong.

Another note: I am going from memory here, but I think that setsebool is not part of a standard FC6 install. You have to yum install some packages to acquire the ability to edit selinux policies. I don't know the names of these packages off the top of my head.


Last edited by mrbinky3000; 08-28-2007 at 11:56 AM. Reason: corrections and amendments

