Home > fedora, red hat > SELinux, vsftpd and you

SELinux, vsftpd and you

Setting up some new RHEL 6 servers I came across the odd need of enabling ftp access to /tftpboot on those machines came up. SELinux didn’t really like that idea and denied access, which by default is a very good idea. Diabling SELinux is of course no option at all.

It is pretty well known and documented that setsebool -P ftp_home_dir=1 allows access to system users’ home directories. But what about other directories outside of /home? audit2allow to the rescue!

# audit2allow -a
============== ftpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'

allow ftpd_t tftpdir_rw_t:dir { write remove_name add_name };
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'

allow ftpd_t tftpdir_rw_t:file { write create unlink append };

Basically this little known, but invaluable helper goes through your audit.log and tells you what can be done to avoid those denies; in this case

setsebool -P allow_ftpd_full_access=1

therefore allows vsftpd to write to any system directory the currently logged in user can get access to.

Advertisements
Categories: fedora, red hat Tags: , , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: