|
Chris PeBenito |
b4f23e |
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
|
|
Chris PeBenito |
bf080a |
.SH "NAME"
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
|
|
Chris PeBenito |
bf080a |
.SH "DESCRIPTION"
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
|
|
Chris PeBenito |
bf080a |
.SH FILE_CONTEXTS
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
b4f23e |
Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
restorecon -R -v /var/ftp
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
b4f23e |
Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
restorecon -R -v /var/ftp/incoming
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH BOOLEANS
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
b4f23e |
Allow ftp servers to read and write files with the public_content_rw_t file type.
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
setsebool -P allow_ftpd_anon_write on
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
b4f23e |
Allow ftp servers to read or write files in the user home directories.
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
setsebool -P ftp_home_dir on
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
b4f23e |
Allow ftp servers to read or write all files on the system.
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
setsebool -P allow_ftpd_full_access on
|
|
Chris PeBenito |
b4f23e |
.TP
|
|
Chris PeBenito |
b4f23e |
Allow ftp servers to use cifs for public file transfer services.
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
setsebool -P allow_ftpd_use_cifs on
|
|
Chris PeBenito |
b4f23e |
.TP
|
|
Chris PeBenito |
b4f23e |
Allow ftp servers to use nfs for public file transfer services.
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
b4f23e |
.B
|
|
Chris PeBenito |
b4f23e |
setsebool -P allow_ftpd_use_nfs on
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
f4e2b1 |
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
|
Chris PeBenito |
bf080a |
.SH AUTHOR
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
bf080a |
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH "SEE ALSO"
|
|
Chris PeBenito |
b4f23e |
.PP
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
b4f23e |
selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
|