SELinux Write access for vsftpd and samba
I figured it out from this: http://selinuxproject.org/page/SambaRecipes
Had to set the folder contexts to public_content_rw_t and do:
setsebool -P allow_smbd_anon_write=1
Now I can write via Samba and FTP (and it will be easy to support other domains later)
Matt
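The same fix as a script, added here as an example and not the poster's own commands: it records the label with semanage fcontext so it survives a relabel (a bare chcon does not), applies it with restorecon, sets both booleans persistently, and checks ls -Z output for entries that still carry the wrong type. The share path /var/media is taken from the question; the helper names and the default path argument are assumptions, and the type and boolean names are the CentOS 6 ones shown in this thread.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the CentOS 6 policy
# names used in the thread: public_content_rw_t, allow_smbd_anon_write,
# allow_ftpd_anon_write. Helper names are this example's own.

# Regex for semanage fcontext covering a directory and everything below it;
# regex metacharacters in the path are escaped first.
fcontext_pattern() {
    printf '%s(/.*)?' "$(printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g')"
}

# Commands that make the change persistent: record the file-context rule,
# apply it to the existing tree, then switch both booleans on for good (-P).
relabel_plan() {
    cat <<EOF
semanage fcontext -a -t public_content_rw_t '$(fcontext_pattern "$1")'
restorecon -Rv '$1'
setsebool -P allow_smbd_anon_write=1
setsebool -P allow_ftpd_anon_write=1
EOF
}

# Read "ls -Z" output on stdin and print the name of every entry whose type
# is not the expected one (default public_content_rw_t). Prints nothing when
# the whole listing is labelled correctly.
mislabelled_entries() {
    awk -v t="${1:-public_content_rw_t}" '$4 !~ (":" t ":") { print $NF }'
}

# Only touch the system when asked with --apply; otherwise print the plan.
if [ "${1:-}" = "--apply" ]; then
    share="${2:-/var/media}"
    relabel_plan "$share" | sh -e
    if [ -z "$(ls -Z "$share" | mislabelled_entries)" ]; then
        echo "all entries under $share carry public_content_rw_t"
    else
        echo "entries still mislabelled under $share:"
        ls -Z "$share" | mislabelled_entries
    fi
else
    relabel_plan "${1:-/var/media}"
fi
```

Run it without arguments to review the commands, and with --apply /var/media to execute them; the boolean names differ on newer policies (smbd_anon_write, ftpd_anon_write), so check semanage boolean -l first.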
Updated on September 18, 2022
Matt over 1 year
This should be easy enough I think, but I'm new to SELinux. I have a CentOS 6 file server. I have some LVM file systems at /var/media and I want to use both Samba and FTP to share them with a Windows machine. I am using ACLs so that permissions work nicely in Windows (I have a two user network). I've found that Samba, though working, is slow for file transfers, so I wanted to try FTP.
I'd like to keep using SELinux to keep things secure, but I'm running into trouble with accessing the files over FTP. I can read the files and write to my home directory. But I cannot write to files in /var/media (with the samba_share_t context).
I thought that allow_ftpd_use_cifs was supposed to handle that. I can get it to work with allow_ftpd_full_access, but I'd prefer to avoid this. What am I missing?
Here is the relevant info:
[mdurak@srv ~]$ ls -Z /var/media
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 docs
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 library
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 photos
drwxrwxr-x+ mdurak admins system_u:object_r:samba_share_t:s0 projects

[mdurak@srv ~]$ sudo semanage boolean -l | grep ftp
ftp_home_dir (on , on) Allow ftp to read and write files in the user home directories
tftp_anon_write (off , off) Allow tftp to modify public files used for public file transfer services.
allow_ftpd_full_access (off , off) Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
allow_ftpd_use_cifs (on , on) Allow ftp servers to use cifs used for public file transfer services.
allow_ftpd_use_nfs (off , off) Allow ftp servers to use nfs used for public file transfer services.
allow_ftpd_anon_write (on , on) Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
ftpd_use_passive_mode (off , off) Allow ftp servers to use bind to all unreserved ports for passive mode
ftpd_connect_db (off , off) Allow ftp servers to use connect to mysql database
httpd_enable_ftp_server (off , off) Allow httpd to act as a FTP server by listening on the ftp port.

[mdurak@srv ~]$ sudo semanage boolean -l | grep samba
samba_domain_controller (off , off) Allow samba to act as the domain controller, add users, groups and change passwords.
samba_portmapper (off , off) Allow samba to act as a portmapper
samba_enable_home_dirs (on , on) Allow samba to share users home directories.
samba_export_all_ro (off , off) Allow samba to share any file/directory read only.
samba_export_all_rw (off , off) Allow samba to share any file/directory read/write.
use_samba_home_dirs (off , off) Support SAMBA home directories
samba_create_home_dirs (off , off) Allow samba to create new home directories (e.g. via PAM)
cdrecord_read_content (off , off) Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
allow_smbd_anon_write (off , off) Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
samba_share_fusefs (off , off) Allow samba to export ntfs/fusefs volumes.
samba_share_nfs (off , off) Allow samba to export NFS volumes.
samba_run_unconfined (off , off) Allow samba to run unconfined scripts
sanlock_use_samba (off , off) Allow sanlock to manage cifs files
virt_use_samba (off , off) Allow virt to manage cifs files
/etc/vsftpd/vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
# mdurak is in the chroot_list
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES
local_root=/var/media
Attempt in FTP to make the directory (there is also a denied message in the audit log so I know it's an SELinux problem).
Command: CWD /var/media/library/music
Response: 250 Directory successfully changed.
Command: MKD sdff
Response: 550 Create directory operation failed.
Command: MKD /var/media/library/music/sdff
Response: 550 Create directory operation failed.