1ftpd_selinux(8)               SELinux Policy ftpd              ftpd_selinux(8)
2
3
4

NAME

6       ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the ftpd processes via flexible manda‐
10       tory access control.
11
12       The ftpd processes execute with the ftpd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ftpd_t
19
20
21

ENTRYPOINTS

23       The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.
24
25       The default entrypoint paths for the ftpd_t domain are the following:
26
27       /usr/sbin/ftpwho,         /usr/sbin/vsftpd,          /usr/sbin/in.ftpd,
28       /usr/sbin/proftpd,    /usr/sbin/muddleftpd,    /usr/kerberos/sbin/ftpd,
29       /etc/cron.monthly/proftpd
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       ftpd policy is very flexible allowing users to setup  their  ftpd  pro‐
39       cesses in as secure a method as possible.
40
41       The following process types are defined for ftpd:
42
43       ftpd_t, ftpdctl_t
44
45       Note:  semanage  permissive  -a  ftpd_t can be used to make the process
46       type ftpd_t permissive. SELinux does  not  deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least  access  required.   ftpd
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run ftpd with the tightest access possible.
55
56
57
58       If you want to determine whether ftpd can  connect  to  all  unreserved
59       ports,  you  must turn on the ftpd_connect_all_unreserved boolean. Dis‐
60       abled by default.
61
62       setsebool -P ftpd_connect_all_unreserved 1
63
64
65
66       If you want to determine whether ftpd can connect to databases over the
67       TCP  network, you must turn on the ftpd_connect_db boolean. Disabled by
68       default.
69
70       setsebool -P ftpd_connect_db 1
71
72
73
74       If you want to determine whether ftpd can login to local users and  can
75       read  and write all files on the system, governed by DAC, you must turn
76       on the ftpd_full_access boolean. Disabled by default.
77
78       setsebool -P ftpd_full_access 1
79
80
81
82       If you want to determine whether ftpd can use CIFS used for public file
83       transfer services, you must turn on the ftpd_use_cifs boolean. Disabled
84       by default.
85
86       setsebool -P ftpd_use_cifs 1
87
88
89
90       If you want to allow ftpd to use ntfs/fusefs volumes, you must turn  on
91       the ftpd_use_fusefs boolean. Disabled by default.
92
93       setsebool -P ftpd_use_fusefs 1
94
95
96
97       If  you want to determine whether ftpd can use NFS used for public file
98       transfer services, you must turn on the ftpd_use_nfs boolean.  Disabled
99       by default.
100
101       setsebool -P ftpd_use_nfs 1
102
103
104
105       If  you want to determine whether ftpd can bind to all unreserved ports
106       for passive mode, you must turn on the  ftpd_use_passive_mode  boolean.
107       Disabled by default.
108
109       setsebool -P ftpd_use_passive_mode 1
110
111
112
113       If you want to allow all domains to execute in fips_mode, you must turn
114       on the fips_mode boolean. Enabled by default.
115
116       setsebool -P fips_mode 1
117
118
119
120       If you want to allow confined applications to run  with  kerberos,  you
121       must turn on the kerberos_enabled boolean. Disabled by default.
122
123       setsebool -P kerberos_enabled 1
124
125
126
127       If  you  want  to  allow  system  to run with NIS, you must turn on the
128       nis_enabled boolean. Disabled by default.
129
130       setsebool -P nis_enabled 1
131
132
133
134       If you want to support NFS home  directories,  you  must  turn  on  the
135       use_nfs_home_dirs boolean. Enabled by default.
136
137       setsebool -P use_nfs_home_dirs 1
138
139
140
141       If  you  want  to  support SAMBA home directories, you must turn on the
142       use_samba_home_dirs boolean. Disabled by default.
143
144       setsebool -P use_samba_home_dirs 1
145
146
147

PORT TYPES

149       SELinux defines port types to represent TCP and UDP ports.
150
151       You can see the types associated with a port  by  using  the  following
152       command:
153
154       semanage port -l
155
156
157       Policy  governs  the  access  confined  processes  have to these ports.
158       SELinux ftpd policy is very flexible allowing users to setup their ftpd
159       processes in as secure a method as possible.
160
161       The following port types are defined for ftpd:
162
163
164       ftp_data_port_t
165
166
167
168       Default Defined Ports:
169                 tcp 20
170
171
172       ftp_port_t
173
174
175
176       Default Defined Ports:
177                 tcp 21,989,990
178                 udp 989,990
179

MANAGED FILES

181       The  SELinux process type ftpd_t can manage files labeled with the fol‐
182       lowing file types.  The paths listed are the default  paths  for  these
183       file types.  Note the processes UID still need to have DAC permissions.
184
185       cifs_t
186
187
188       cluster_conf_t
189
190            /etc/cluster(/.*)?
191
192       cluster_var_lib_t
193
194            /var/lib/pcsd(/.*)?
195            /var/lib/cluster(/.*)?
196            /var/lib/openais(/.*)?
197            /var/lib/pengine(/.*)?
198            /var/lib/corosync(/.*)?
199            /usr/lib/heartbeat(/.*)?
200            /var/lib/heartbeat(/.*)?
201            /var/lib/pacemaker(/.*)?
202
203       cluster_var_run_t
204
205            /var/run/crm(/.*)?
206            /var/run/cman_.*
207            /var/run/rsctmp(/.*)?
208            /var/run/aisexec.*
209            /var/run/heartbeat(/.*)?
210            /var/run/corosync-qnetd(/.*)?
211            /var/run/corosync-qdevice(/.*)?
212            /var/run/corosync.pid
213            /var/run/cpglockd.pid
214            /var/run/rgmanager.pid
215            /var/run/cluster/rgmanager.sk
216
217       faillog_t
218
219            /var/log/btmp.*
220            /var/log/faillog.*
221            /var/log/tallylog.*
222            /var/run/faillock(/.*)?
223
224       ftpd_lock_t
225
226            /var/lock/subsys/*.ftpd
227
228       ftpd_tmpfs_t
229
230
231       ftpd_var_run_t
232
233            /var/run/proftpd.*
234
235       fusefs_t
236
237            /var/run/user/[^/]*/gvfs
238
239       httpd_user_content_t
240
241            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
242
243       initrc_var_run_t
244
245            /var/run/utmp
246            /var/run/random-seed
247            /var/run/runlevel.dir
248            /var/run/setmixer_flag
249
250       lastlog_t
251
252            /var/log/lastlog.*
253
254       nfs_t
255
256
257       non_security_file_type
258
259
260       root_t
261
262            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
263            /
264            /initrd
265
266       security_t
267
268            /selinux
269
270       user_home_t
271
272            /home/[^/]+/.+
273
274       var_auth_t
275
276            /var/ace(/.*)?
277            /var/rsa(/.*)?
278            /var/lib/abl(/.*)?
279            /var/lib/rsa(/.*)?
280            /var/lib/pam_ssh(/.*)?
281            /var/lib/pam_shield(/.*)?
282            /var/opt/quest/vas/vasd(/.*)?
283            /var/lib/google-authenticator(/.*)?
284
285       wtmp_t
286
287            /var/log/wtmp.*
288
289       xferlog_t
290
291            /var/log/vsftpd.*
292            /var/log/xferlog.*
293            /var/log/proftpd(/.*)?
294            /var/log/xferreport.*
295            /var/log/muddleftpd.log.*
296            /var/log/proftpd.log
297            /usr/libexec/webmin/vsftpd/webalizer/xfer_log
298
299

FILE CONTEXTS

301       SELinux requires files to have an extended attribute to define the file
302       type.
303
304       You can see the context of a file using the -Z option to ls
305
306       Policy governs the access  confined  processes  have  to  these  files.
307       SELinux ftpd policy is very flexible allowing users to setup their ftpd
308       processes in as secure a method as possible.
309
310       STANDARD FILE CONTEXT
311
312       SELinux defines the file context types for the ftpd, if you  wanted  to
313       store  files  with  these types in a diffent paths, you need to execute
314       the semanage command  to  sepecify  alternate  labeling  and  then  use
315       restorecon to put the labels on disk.
316
317       semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
318       restorecon -R -v /srv/myftpd_content
319
320       Note:  SELinux  often  uses  regular expressions to specify labels that
321       match multiple files.
322
323       The following file types are defined for ftpd:
324
325
326
327       ftpd_etc_t
328
329       - Set files with the ftpd_etc_t type, if you want to store  ftpd  files
330       in the /etc directories.
331
332
333
334       ftpd_exec_t
335
336       -  Set  files  with  the ftpd_exec_t type, if you want to transition an
337       executable to the ftpd_t domain.
338
339
340       Paths:
341            /usr/sbin/ftpwho,       /usr/sbin/vsftpd,       /usr/sbin/in.ftpd,
342            /usr/sbin/proftpd,  /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
343            /etc/cron.monthly/proftpd
344
345
346       ftpd_initrc_exec_t
347
348       - Set files with the ftpd_initrc_exec_t type, if you want to transition
349       an executable to the ftpd_initrc_t domain.
350
351
352       Paths:
353            /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd
354
355
356       ftpd_keytab_t
357
358       - Set files with the ftpd_keytab_t type, if you want to treat the files
359       as kerberos keytab files.
360
361
362
363       ftpd_lock_t
364
365       - Set files with the ftpd_lock_t type, if you want to treat  the  files
366       as ftpd lock data, stored under the /var/lock directory
367
368
369
370       ftpd_tmp_t
371
372       -  Set files with the ftpd_tmp_t type, if you want to store ftpd tempo‐
373       rary files in the /tmp directories.
374
375
376
377       ftpd_tmpfs_t
378
379       - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
380       on a tmpfs file system.
381
382
383
384       ftpd_unit_file_t
385
386       -  Set  files  with the ftpd_unit_file_t type, if you want to treat the
387       files as ftpd unit content.
388
389
390
391       ftpd_var_run_t
392
393       - Set files with the ftpd_var_run_t type, if you want to store the ftpd
394       files under the /run or /var/run directory.
395
396
397
398       ftpdctl_exec_t
399
400       -  Set files with the ftpdctl_exec_t type, if you want to transition an
401       executable to the ftpdctl_t domain.
402
403
404
405       ftpdctl_tmp_t
406
407       - Set files with the ftpdctl_tmp_t type, if you want to  store  ftpdctl
408       temporary files in the /tmp directories.
409
410
411
412       Note:  File context can be temporarily modified with the chcon command.
413       If you want to permanently change the file context you need to use  the
414       semanage fcontext command.  This will modify the SELinux labeling data‐
415       base.  You will need to use restorecon to apply the labels.
416
417

SHARING FILES

419       If you want to share files with multiple domains (Apache,  FTP,  rsync,
420       Samba),  you can set a file context of public_content_t and public_con‐
421       tent_rw_t.  These context allow any of the above domains  to  read  the
422       content.   If  you want a particular domain to write to the public_con‐
423       tent_rw_t domain, you must set the appropriate boolean.
424
425       Allow ftpd servers to read the /var/ftpd directory by adding  the  pub‐
426       lic_content_t  file  type  to  the  directory and by restoring the file
427       type.
428
429       semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
430       restorecon -F -R -v /var/ftpd
431
432       Allow ftpd servers to read and write /var/ftpd/incoming by  adding  the
433       public_content_rw_t  type  to  the  directory and by restoring the file
434       type.  You also need to turn on the ftpd_anon_write boolean.
435
436       semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
437       restorecon -F -R -v /var/ftpd/incoming
438       setsebool -P ftpd_anon_write 1
439
440
441       If you want to determine whether ftpd can modify public files used  for
442       public  file  transfer services. Directories/Files must be labeled pub‐
443       lic_content_rw_t., you must turn on the ftpd_anon_write boolean.
444
445       setsebool -P ftpd_anon_write 1
446
447

COMMANDS

449       semanage fcontext can also be used to manipulate default  file  context
450       mappings.
451
452       semanage  permissive  can  also  be used to manipulate whether or not a
453       process type is permissive.
454
455       semanage module can also be used to enable/disable/install/remove  pol‐
456       icy modules.
457
458       semanage port can also be used to manipulate the port definitions
459
460       semanage boolean can also be used to manipulate the booleans
461
462
463       system-config-selinux is a GUI tool available to customize SELinux pol‐
464       icy settings.
465
466

AUTHOR

468       This manual page was auto-generated using sepolicy manpage .
469
470

SEE ALSO

472       selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
473       setsebool(8)
474
475
476
477ftpd                               21-03-26                    ftpd_selinux(8)
Impressum