Chris PeBenito bf080a
.TH  "ftpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
Chris PeBenito bf080a
.SH "NAME"
Chris PeBenito bf080a
ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
Chris PeBenito bf080a
.SH "DESCRIPTION"
Chris PeBenito bf080a
Chris PeBenito bf080a
Security-Enhanced Linux secures the ftpd server via flexible mandatory access
Chris PeBenito bf080a
control.  
Chris PeBenito bf080a
.SH FILE_CONTEXTS
Chris PeBenito bf080a
SELinux requires files to have an extended attribute to define the file type. 
Chris PeBenito bf080a
Policy governs the access daemons have to these files. 
Chris PeBenito bf080a
If you want to share files anonymously, you must label the files and directories public_content_t.  So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
chcon -R -t public_content_t /var/ftp
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
chcon -t public_content_rw_t /var/ftp/incoming
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
You must also turn on the boolean allow_ftp_anon_write.
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
setsebool -P allow_ftp_anon_write=1
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
Chris PeBenito bf080a
.br
Chris PeBenito bf080a
/var/ftp(/.*)? system_u:object_r:public_content_t
Chris PeBenito bf080a
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
Chris PeBenito bf080a
Chris PeBenito bf080a
.SH BOOLEANS
Chris PeBenito bf080a
SELinux ftp daemon policy is customizable based on least access required.  So by 
Chris PeBenito bf080a
default SElinux does not allow users to login and read their home directories.
Chris PeBenito bf080a
.br
Chris PeBenito bf080a
If you are setting up this machine as a ftpd server and wish to allow users to access their home
Chris PeBenito bf080a
directorories, you need to set the ftp_home_dir boolean. 
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
setsebool -P ftp_home_dir 1
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
ftpd can run either as a standalone daemon or as part of the xinetd domain.  If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
setsebool -P ftpd_is_daemon 1
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
You can disable SELinux protection for the ftpd daemon by executing:
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
setsebool -P ftpd_disable_trans 1
Chris PeBenito bf080a
.br
Chris PeBenito bf080a
service vsftpd restart
Chris PeBenito bf080a
.TP
Chris PeBenito bf080a
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
Chris PeBenito bf080a
.SH AUTHOR	
Chris PeBenito bf080a
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
Chris PeBenito bf080a
Chris PeBenito bf080a
.SH "SEE ALSO"
Chris PeBenito bf080a
selinux(8), ftpd(8), chcon(1), setsebool(8)
Chris PeBenito bf080a
Chris PeBenito bf080a