
SELinux, vsftpd and you

While setting up some new RHEL 6 servers I came across the odd requirement of enabling FTP access to /tftpboot on those machines. SELinux didn’t really like that idea and denied access, which by default is a very good thing. Disabling SELinux is of course not an option at all.

It is pretty well known and documented that setsebool -P ftp_home_dir=1 allows access to system users’ home directories. But what about other directories outside of /home? audit2allow to the rescue!

# audit2allow -a
============== ftpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'

allow ftpd_t tftpdir_rw_t:dir { write remove_name add_name };
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'

allow ftpd_t tftpdir_rw_t:file { write create unlink append };

Basically this little-known but invaluable helper goes through your audit.log and tells you what can be done to avoid those denials; in this case

setsebool -P allow_ftpd_full_access=1

therefore allows vsftpd to write to any system directory the currently logged-in user can access.
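As an added example (not from the post, and not the real audit2allow), this POSIX shell script does the core of what audit2allow does: it parses AVC denial records and merges them into "allow" rules per source type, target type and object class. The sample records are constructed to match the vsftpd denials above, so the output shows exactly which permissions the broad allow_ftpd_full_access boolean would be covering before you flip it.

```shell
#!/bin/sh
# Simplified audit2allow: read AVC denial records (audit.log or `ausearch -m avc`
# output) on stdin, print one "allow <src> <tgt>:<class> { perms };" line per
# source/target/class triple, merging permissions from repeated denials.
avc_to_allow() {
  awk '
  /avc: *denied/ {
    perms = $0
    sub(/.*denied *[{] */, "", perms)   # keep only the text inside { ... }
    sub(/ *[}].*/, "", perms)
    st = ""; tt = ""; cl = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }  # user:role:TYPE:level
      else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
      else if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
    }
    if (st == "" || tt == "" || cl == "") next   # malformed record, skip it
    key = st " " tt ":" cl
    n = split(perms, p, " ")
    for (i = 1; i <= n; i++)                     # de-duplicate permissions
      if (index(" " seen[key] " ", " " p[i] " ") == 0)
        seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
  }
  END { for (k in seen) printf "allow %s { %s };\n", k, seen[k] }
  ' | LC_ALL=C sort
}

# Constructed sample records (not real log data): three vsftpd denials on
# /tftpboot like the ones in the post, plus one unrelated denial to show grouping.
SAMPLE_AVC='type=AVC msg=audit(1356029000.123:456): avc:  denied  { write add_name } for  pid=1234 comm="vsftpd" name="tftpboot" dev=dm-0 ino=123 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir
type=AVC msg=audit(1356029000.124:457): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="pxelinux.cfg" dev=dm-0 ino=124 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
type=AVC msg=audit(1356029000.125:458): avc:  denied  { create } for  pid=1234 comm="vsftpd" name="new.cfg" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
type=AVC msg=audit(1356029000.126:459): avc:  denied  { read } for  pid=2222 comm="cat" name="index.html" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Rules derived from the whole sample.
proposed_rules() { printf '%s\n' "$SAMPLE_AVC" | avc_to_allow; }

# Rules for one source domain only, e.g. ftpd_t: the exact set of permissions
# you would otherwise grant wholesale with allow_ftpd_full_access.
rules_for_domain() { proposed_rules | grep "^allow $1 "; }

proposed_rules
```

On a real box replace SAMPLE_AVC with `ausearch -m avc -ts recent | avc_to_allow` to see the live denials grouped the same way.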
