1ftpd_selinux(8) SELinux Policy ftpd ftpd_selinux(8)
2
6 ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes
7
9 Security-Enhanced Linux secures the ftpd processes via flexible manda‐
10 tory access control.
11 The ftpd processes execute with the ftpd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep ftpd_t
19
23 The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.
24 The default entrypoint paths for the ftpd_t domain are the following:
26 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
28 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
29 /etc/cron.monthly/proftpd
30
32 SELinux defines process types (domains) for each process running on the
33 system
34 You can see the context of a process using the -Z option to ps
36 Policy governs the access confined processes have to files. SELinux
38 ftpd policy is very flexible allowing users to setup their ftpd pro‐
39 cesses in as secure a method as possible.
40 The following process types are defined for ftpd:
42 ftpd_t, ftpdctl_t
44 Note: semanage permissive -a ftpd_t can be used to make the process
46 type ftpd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
52 SELinux policy is customizable based on least access required. ftpd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run ftpd with the tightest access possible.
55 If you want to determine whether ftpd can connect to all unreserved
59 ports, you must turn on the ftpd_connect_all_unreserved boolean. Dis‐
60 abled by default.
61 setsebool -P ftpd_connect_all_unreserved 1
63 If you want to determine whether ftpd can connect to databases over the
67 TCP network, you must turn on the ftpd_connect_db boolean. Disabled by
68 default.
69 setsebool -P ftpd_connect_db 1
71 If you want to determine whether ftpd can login to local users and can
75 read and write all files on the system, governed by DAC, you must turn
76 on the ftpd_full_access boolean. Disabled by default.
77 setsebool -P ftpd_full_access 1
79 If you want to determine whether ftpd can use CIFS used for public file
83 transfer services, you must turn on the ftpd_use_cifs boolean. Disabled
84 by default.
85 setsebool -P ftpd_use_cifs 1
87 If you want to allow ftpd to use ntfs/fusefs volumes, you must turn on
91 the ftpd_use_fusefs boolean. Disabled by default.
92 setsebool -P ftpd_use_fusefs 1
94 If you want to determine whether ftpd can use NFS used for public file
98 transfer services, you must turn on the ftpd_use_nfs boolean. Disabled
99 by default.
100 setsebool -P ftpd_use_nfs 1
102 If you want to determine whether ftpd can bind to all unreserved ports
106 for passive mode, you must turn on the ftpd_use_passive_mode boolean.
107 Disabled by default.
108 setsebool -P ftpd_use_passive_mode 1
110 If you want to allow users to resolve user passwd entries directly from
114 ldap rather then using a sssd server, you must turn on the authlo‐
115 gin_nsswitch_use_ldap boolean. Disabled by default.
116 setsebool -P authlogin_nsswitch_use_ldap 1
118 If you want to allow all domains to execute in fips_mode, you must turn
122 on the fips_mode boolean. Enabled by default.
123 setsebool -P fips_mode 1
125 If you want to allow confined applications to run with kerberos, you
129 must turn on the kerberos_enabled boolean. Enabled by default.
130 setsebool -P kerberos_enabled 1
132 If you want to allow system to run with NIS, you must turn on the
136 nis_enabled boolean. Disabled by default.
137 setsebool -P nis_enabled 1
139 If you want to allow confined applications to use nscd shared memory,
143 you must turn on the nscd_use_shm boolean. Disabled by default.
144 setsebool -P nscd_use_shm 1
146 If you want to support NFS home directories, you must turn on the
150 use_nfs_home_dirs boolean. Disabled by default.
151 setsebool -P use_nfs_home_dirs 1
153 If you want to support SAMBA home directories, you must turn on the
157 use_samba_home_dirs boolean. Disabled by default.
158 setsebool -P use_samba_home_dirs 1
160
164 SELinux defines port types to represent TCP and UDP ports.
165 You can see the types associated with a port by using the following
167 command:
168 semanage port -l
170 Policy governs the access confined processes have to these ports.
173 SELinux ftpd policy is very flexible allowing users to setup their ftpd
174 processes in as secure a method as possible.
175 The following port types are defined for ftpd:
177 ftp_data_port_t
180 Default Defined Ports:
184 tcp 20
185 ftp_port_t
188 Default Defined Ports:
192 tcp 21,989,990
193 udp 989,990
194
196 The SELinux process type ftpd_t can manage files labeled with the fol‐
197 lowing file types. The paths listed are the default paths for these
198 file types. Note the processes UID still need to have DAC permissions.
199 cifs_t
201 cluster_conf_t
204 /etc/cluster(/.*)?
206 cluster_var_lib_t
208 /var/lib/pcsd(/.*)?
210 /var/lib/cluster(/.*)?
211 /var/lib/openais(/.*)?
212 /var/lib/pengine(/.*)?
213 /var/lib/corosync(/.*)?
214 /usr/lib/heartbeat(/.*)?
215 /var/lib/heartbeat(/.*)?
216 /var/lib/pacemaker(/.*)?
217 cluster_var_run_t
219 /var/run/crm(/.*)?
221 /var/run/cman_.*
222 /var/run/rsctmp(/.*)?
223 /var/run/aisexec.*
224 /var/run/heartbeat(/.*)?
225 /var/run/corosync-qnetd(/.*)?
226 /var/run/corosync-qdevice(/.*)?
227 /var/run/corosync.pid
228 /var/run/cpglockd.pid
229 /var/run/rgmanager.pid
230 /var/run/cluster/rgmanager.sk
231 faillog_t
233 /var/log/btmp.*
235 /var/log/faillog.*
236 /var/log/tallylog.*
237 /var/run/faillock(/.*)?
238 ftpd_lock_t
240 /var/lock/subsys/*.ftpd
242 ftpd_tmp_t
244 ftpd_tmpfs_t
247 ftpd_var_run_t
250 /var/run/proftpd.*
252 fusefs_t
254 /var/run/user/[^/]*/gvfs
256 httpd_user_content_t
258 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
260 initrc_var_run_t
262 /var/run/utmp
264 /var/run/random-seed
265 /var/run/runlevel.dir
266 /var/run/setmixer_flag
267 krb5_host_rcache_t
269 /var/cache/krb5rcache(/.*)?
271 /var/tmp/nfs_0
272 /var/tmp/DNS_25
273 /var/tmp/host_0
274 /var/tmp/imap_0
275 /var/tmp/HTTP_23
276 /var/tmp/HTTP_48
277 /var/tmp/ldap_55
278 /var/tmp/ldap_487
279 /var/tmp/ldapmap1_0
280 lastlog_t
282 /var/log/lastlog.*
284 nfs_t
286 non_security_file_type
289 public_content_rw_t
292 /var/spool/abrt-upload(/.*)?
294 root_t
296 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
298 /
299 /initrd
300 security_t
302 /selinux
304 user_home_t
306 /home/[^/]+/.+
308 user_tmp_t
310 /dev/shm/mono.*
312 /var/run/user(/.*)?
313 /tmp/.ICE-unix(/.*)?
314 /tmp/.X11-unix(/.*)?
315 /dev/shm/pulse-shm.*
316 /tmp/.X0-lock
317 /tmp/hsperfdata_root
318 /var/tmp/hsperfdata_root
319 /home/[^/]+/tmp
320 /home/[^/]+/.tmp
321 /tmp/gconfd-[^/]+
322 var_auth_t
324 /var/ace(/.*)?
326 /var/rsa(/.*)?
327 /var/lib/abl(/.*)?
328 /var/lib/rsa(/.*)?
329 /var/lib/pam_ssh(/.*)?
330 /var/run/pam_ssh(/.*)?
331 /var/lib/pam_shield(/.*)?
332 /var/opt/quest/vas/vasd(/.*)?
333 /var/lib/google-authenticator(/.*)?
334 wtmp_t
336 /var/log/wtmp.*
338 xferlog_t
340 /var/log/vsftpd.*
342 /var/log/xferlog.*
343 /var/log/proftpd(/.*)?
344 /var/log/xferreport.*
345 /var/log/muddleftpd.log.*
346 /var/log/proftpd.log
347 /usr/libexec/webmin/vsftpd/webalizer/xfer_log
348
351 SELinux requires files to have an extended attribute to define the file
352 type.
353 You can see the context of a file using the -Z option to ls
355 Policy governs the access confined processes have to these files.
357 SELinux ftpd policy is very flexible allowing users to setup their ftpd
358 processes in as secure a method as possible.
359 STANDARD FILE CONTEXT
361 SELinux defines the file context types for the ftpd, if you wanted to
363 store files with these types in a diffent paths, you need to execute
364 the semanage command to sepecify alternate labeling and then use
365 restorecon to put the labels on disk.
366 semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
368 restorecon -R -v /srv/myftpd_content
369 Note: SELinux often uses regular expressions to specify labels that
371 match multiple files.
372 The following file types are defined for ftpd:
374 ftpd_etc_t
378 - Set files with the ftpd_etc_t type, if you want to store ftpd files
380 in the /etc directories.
381 ftpd_exec_t
385 - Set files with the ftpd_exec_t type, if you want to transition an
387 executable to the ftpd_t domain.
388 Paths:
391 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
392 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
393 /etc/cron.monthly/proftpd
394 ftpd_initrc_exec_t
397 - Set files with the ftpd_initrc_exec_t type, if you want to transition
399 an executable to the ftpd_initrc_t domain.
400 Paths:
403 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd
404 ftpd_keytab_t
407 - Set files with the ftpd_keytab_t type, if you want to treat the files
409 as kerberos keytab files.
410 ftpd_lock_t
414 - Set files with the ftpd_lock_t type, if you want to treat the files
416 as ftpd lock data, stored under the /var/lock directory
417 ftpd_tmp_t
421 - Set files with the ftpd_tmp_t type, if you want to store ftpd tempo‐
423 rary files in the /tmp directories.
424 ftpd_tmpfs_t
428 - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
430 on a tmpfs file system.
431 ftpd_unit_file_t
435 - Set files with the ftpd_unit_file_t type, if you want to treat the
437 files as ftpd unit content.
438 ftpd_var_run_t
442 - Set files with the ftpd_var_run_t type, if you want to store the ftpd
444 files under the /run or /var/run directory.
445 ftpdctl_exec_t
449 - Set files with the ftpdctl_exec_t type, if you want to transition an
451 executable to the ftpdctl_t domain.
452 ftpdctl_tmp_t
456 - Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl
458 temporary files in the /tmp directories.
459 Note: File context can be temporarily modified with the chcon command.
463 If you want to permanently change the file context you need to use the
464 semanage fcontext command. This will modify the SELinux labeling data‐
465 base. You will need to use restorecon to apply the labels.
466
469 If you want to share files with multiple domains (Apache, FTP, rsync,
470 Samba), you can set a file context of public_content_t and public_con‐
471 tent_rw_t. These context allow any of the above domains to read the
472 content. If you want a particular domain to write to the public_con‐
473 tent_rw_t domain, you must set the appropriate boolean.
474 Allow ftpd servers to read the /var/ftpd directory by adding the pub‐
476 lic_content_t file type to the directory and by restoring the file
477 type.
478 semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
480 restorecon -F -R -v /var/ftpd
481 Allow ftpd servers to read and write /var/ftpd/incoming by adding the
483 public_content_rw_t type to the directory and by restoring the file
484 type. You also need to turn on the ftpd_anon_write boolean.
485 semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
487 restorecon -F -R -v /var/ftpd/incoming
488 setsebool -P ftpd_anon_write 1
489 If you want to determine whether ftpd can modify public files used for
492 public file transfer services. Directories/Files must be labeled pub‐
493 lic_content_rw_t., you must turn on the ftpd_anon_write boolean.
494 setsebool -P ftpd_anon_write 1
496
499 semanage fcontext can also be used to manipulate default file context
500 mappings.
501 semanage permissive can also be used to manipulate whether or not a
503 process type is permissive.
504 semanage module can also be used to enable/disable/install/remove pol‐
506 icy modules.
507 semanage port can also be used to manipulate the port definitions
509 semanage boolean can also be used to manipulate the booleans
511 system-config-selinux is a GUI tool available to customize SELinux pol‐
514 icy settings.
515
518 This manual page was auto-generated using sepolicy manpage .
519
522 selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
523 setsebool(8)
524ftpd 19-05-30 ftpd_selinux(8)