Selinux FTP Access Setup

If SELinux is set to Permissive or Disabled, it will not block access to the vsftpd service in any way. However, if SELinux is in Enforcing mode, there are a few SELinux issues that could cause your vsftpd server to not behave as you would like. Use the following code to check the state of SELinux on your system:

# getenforce
# grep ^SELINUX= /etc/sysconfig/selinux

The getenforce command shows how SELinux is currently set (here, it’s in Enforcing mode). The SELINUX= variable in /etc/sysconfig/selinux shows how SELinux is set when the system comes up. If it is in Enforcing mode, as it is here, check the ftpd_selinux man page for information about SELinux settings that can impact the operation of your vsftpd service.

Here are some examples of file contexts that must be set for SELinux to allow files and directories to be accessed by vsftpd:

– To share content so it can be downloaded to FTP clients, that content must be marked with a public_content_t file context. Files created in the /var/ftp
directory or its subdirectories inherit public_content_t file context automatically. (Be sure to create new content or copy existing content to the /var/ftp directories. Moving the files there may not change the file context properly.)

– To allow files to be uploaded by anonymous users, the file context on the directory you upload to must be set to public_content_rw_t. (Other permissions,
SELinux Booleans, and vsftpd.conf settings must be in place for this to work as well.) If you have files in the /var/ftp directory structure that have the wrong file contexts (which can happen if you move files there from other directories instead of copying them), you can change or restore the file context on those files so they can be shared.

For example, to recursively change the file context of the /var/ftp/pub/stuff directory so the content can be readable from the FTP server through SELinux, type the following:

# semanage fcontext -a -t public_content_t "/var/ftp/pub/stuff(/.*)?"
# restorecon -F -R -v /var/ftp/pub/stuff

If you wanted to allow users to also write to a directory as well as read from it, you would need to assign the public_content_rw_t fi le context to the directory to which you want to allow uploads. This example tells SELinux to allow uploading of files to the /var/ftp/pub/uploads directory:

# semanage fcontext -a -t public_content_rw_t "/var/ftp/pub/uploads(/.*)?"
# restorecon -F -R -v /var/ftp/pub/uploads

FTP server features that are considered insecure by SELinux have Booleans that let you allow or disallow those features. Here are some examples:

– To allow regular users to be able to authenticate and read and write files and directories via the FTP server, the Boolean ftp_home_dir must be on. This is
one of the most common FTP Booleans to turn on (it is off by default). To turn it on permanently, type this:

# setsebool -P ftp_home_dir on

– For SELinux to allow anonymous users to read and write files and directories, you need to turn on the allow_ftpd_anon_write Boolean:

# setsebool -P allow_ftpd_anon_write on

– To be able to mount remote NFS or CIFS (Windows) shared filesystems and share them from your vsftpd server, you need to turn on the following two Booleans,

# setsebool -P allow_ftpd_use_nfs on
# setsebool -P allow_ftpd_use_cifs on

If you ever fi nd that you cannot access files or directories from your FTP server that you believe should be accessible, try turning off SELinux temporarily:

# setenforce 0

If you can access the files or directories with SELinux now in Permissive mode, put the system back in Enforcing mode (setenforce 1). Now, you know you have to go back through your SELinux settings and find out what is preventing the selinux ftp access.

You can check more on SELinux from CENTOS Documents.

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply