SELinux/ftpd

From FedoraProject

< SELinux
Revision as of 16:36, 24 May 2008 by Admin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
ftpd_selinux(8)        ftpd Selinux Policy documentation       ftpd_selinux(8)

NAME
ftpd_selinux - Security Enhanced Linux Policy for the ftp daemon

DESCRIPTION
Security-Enhanced  Linux secures the ftpd server via flexible mandatory
access control.

FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.   Policy  governs the access daemons have to these files.  If you
want to share files anonymously, you must label the files and  directo-
ries public_content_t.  So if you created a special directory /var/ftp,
you would need to label the directory with the chcon tool.

chcon -R -t public_content_t /var/ftp

If you want to setup a directory where you can upload files to you must
label  the  files  and directories ftpd_anon_rw_t.  So if you created a
special directory /var/ftp/incoming, you would need to label the direc-
tory with the chcon tool.

chcon -t public_content_rw_t /var/ftp/incoming

You must also turn on the boolean allow_ftpd_anon_write.

setsebool -P allow_ftpd_anon_write=1

If you want to make this permanant, i.e. survive a  relabel,  you  must
add an entry to the file_contexts.local file.

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
/var/ftp(/.*)?                system_u:object_r:public_content_t
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t

BOOLEANS
SELinux  ftp  daemon  policy  is  customizable  based  on  least access
required.  So by default SElinux does not allow users to login and read
their home directories.
If  you  are setting up this machine as a ftpd server and wish to allow
users  to  access  their  home  directorories,  you  need  to  set  the
ftp_home_dir boolean.

setsebool -P ftp_home_dir 1

ftpd  can  run  either  as a standalone daemon or as part of the xinetd
domain.  If you want  to  run  ftpd  as  a  daemon  you  must  set  the
ftpd_is_daemon boolean.

setsebool -P ftpd_is_daemon 1

You can disable SELinux protection for the ftpd daemon by executing:

setsebool -P ftpd_disable_trans 1
service vsftpd restart

system-config-securitylevel  is  a  GUI  tool  available  to  customize
SELinux policy settings.

AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
selinux(8), ftpd(8), chcon(1), setsebool(8)

dwalsh@redhat.com                 17 Jan 2005                  ftpd_selinux(8)