|
Chris PeBenito |
bf080a |
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
|
|
Chris PeBenito |
bf080a |
.SH "NAME"
|
|
Chris PeBenito |
bf080a |
ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
|
|
Chris PeBenito |
bf080a |
.SH "DESCRIPTION"
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
Security-Enhanced Linux secures the ftpd server via flexible mandatory access
|
|
Chris PeBenito |
bf080a |
control.
|
|
Chris PeBenito |
bf080a |
.SH FILE_CONTEXTS
|
|
Chris PeBenito |
bf080a |
SELinux requires files to have an extended attribute to define the file type.
|
|
Chris PeBenito |
bf080a |
Policy governs the access daemons have to these files.
|
|
Chris PeBenito |
bf080a |
If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
chcon -R -t public_content_t /var/ftp
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
chcon -t public_content_rw_t /var/ftp/incoming
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
You must also turn on the boolean allow_ftp_anon_write.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
setsebool -P allow_ftp_anon_write=1
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
/var/ftp(/.*)? system_u:object_r:public_content_t
|
|
Chris PeBenito |
bf080a |
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH BOOLEANS
|
|
Chris PeBenito |
bf080a |
SELinux ftp daemon policy is customizable based on least access required. So by
|
|
Chris PeBenito |
bf080a |
default SElinux does not allow users to login and read their home directories.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
If you are setting up this machine as a ftpd server and wish to allow users to access their home
|
|
Chris PeBenito |
bf080a |
directorories, you need to set the ftp_home_dir boolean.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
setsebool -P ftp_home_dir 1
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
setsebool -P ftpd_is_daemon 1
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
You can disable SELinux protection for the ftpd daemon by executing:
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
setsebool -P ftpd_disable_trans 1
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
service vsftpd restart
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
|
|
Chris PeBenito |
bf080a |
.SH AUTHOR
|
|
Chris PeBenito |
bf080a |
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH "SEE ALSO"
|
|
Chris PeBenito |
bf080a |
selinux(8), ftpd(8), chcon(1), setsebool(8)
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
|