How can I tell SELinux to give vsftpd write access in a specific directory?
Solution 1
# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"
Be sure to include the (/.*)?
at the end of the directory name.
I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type public_content_t; this is equivalent to turning on allow_ftpd_full_access, if I understood it correctly
Essentially, yes; since SELinux allows directories/files labeled with public_content_t
to be shared between different services. However, further access control is in place through the use of sebooleans
(or sebool
, more precisely).
Giving "ftpd full access", doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, ftpd
is allowed to read files if the directory's file context (fcontext
) is public_content_t
. SELinux gives write permissions to the ftp server if the directory's fcontext is public_content_rw_t
; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled public_content_t
, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the public_content_rw_t
context, and removing your custom generated local policy.
For further information and details, please see the SELinux wiki pages.
Solution 2
Try this:
setsebool -P allow_ftpd_full_access on
If SELinux is to blame, there's a few SELinux booleans worth looking at.
Best start is: getsebool -a | grep ftp
You'll see something like
allow_ftpd_anon_write --> off allow_ftpd_full_access --> on allow_ftpd_use_cifs --> off allow_ftpd_use_nfs --> off ftp_home_dir --> on ftpd_connect_db --> off httpd_enable_ftp_server --> off tftp_anon_write --> off
Not all of these are relevant to vsftpd, for example the >httpd_enable_ftp_server is for Apache running FTP, and tftp_anon_write is for >tftpd. I'd start with:
setsebool -P allow_ftpd_full_access on setsebool -P ftp_home_dir on
Source: https://www.centos.org/forums/viewtopic.php?t=8129
Related videos on Youtube
![Castaglia](https://i.stack.imgur.com/tKkUM.jpg?s=256&g=1)
Castaglia
Backend service engineer by day, open source maintainer/developer by night. I've been working at various startups in Silicon Valley for 10+ years now, and have a lot of fun doing it; I'm looking to several more decades of this kind of work. Fun fact: my educational background is actually in medieval history, not computer science. Being mostly self-taught in this field has its disadvantages and advantages, and it's interesting and surprising to see what expectations folks have for developers these days.
Updated on September 17, 2022Comments
-
Castaglia almost 2 years
I've set up vsftpd on my Fedora 12 server, and I'd like to have the following configuration. Each user should have access to:
- his home directory (/home/USER);
- the web directory I created for him (/web/USER).
To achieve this, I first configured vsftpd to chroot each user to his home directory. Then, I created
/web/USER
with the correct permissions, and usedmount --bind /web/USER /home/USER/Web
so that the user may have access to/web/USER
through/home/USER/Web
.I also turned on the SELinux boolean
ftp_home_dir
so that vsftpd is allowed to write in users' home directories.This works very well, except that when a user tries to upload or rename a file in
/home/USER/Web
, SELinux forbids it because the change must also be done to/web/USER
, and SELinux doesn't give vsftpd permission to write anything to that directory.I know that I could solve the problem by turning on the SELinux boolean
allow_ftpd_full_access
, orftpd_disable_trans
. I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of typepublic_content_t
; this is equivalent to turning onallow_ftpd_full_access
, if I understood it correctly.I'd like to know if it's possible to configure SELinux to allow FTP write access to the specific directory
/web/USER
and its contents, instead of disabling SELinux's FTP controls entirely. -
Pavel Šimerda over 10 yearsShouldn't it be enough to just
chcon
the directory to the right context? -
ILMostro_7 over 10 yearschcon is for temporary changes,
semanage
is persistent; also, there's a difference between the two in thatchcon
changes the file on the FS, whilesemanage
updates the policy itself with the new info, as mentioned in this mailing list entry -
Pavel Šimerda over 10 yearsI'm afraid this information not precise, at the least. The fact that
chcon
works on the filesystem also means it is permanent, not temporary, and lasts until the context is changed again (e.g. bychcon
or byrestorecon
). On the other hand,semanage
IMO just updates the database and doesn't change the file context which would render this answer incomplete. According to the mailing list, you have to usesemanage
andrestorecon
as a replacement forchcon
, not onlysemanage
. -
ILMostro_7 over 10 yearsright...since SELinux is guided by the database, any changes to SELinux's policy would render the
chcon
incompatible. DAC is used before SELinux to check for rwx permissions, after which SELinux's MAC policy decides whether the process is allowed access within the scope/context of the FS directories/files. -
ILMostro_7 over 10 yearsTake a look at SELinux's Wiki page for further explanation and details.
-
Pavel Šimerda over 10 yearsWell the kernel selinux module doesn't use the path database at all. And you seem to ignore my last comment where I warned you that modifying the database doesn't result in modified file context. You seem to assume that the path database is part of the in-kernel selinux policy which is wrong.