1ftpd_selinux(8) SELinux Policy ftpd ftpd_selinux(8)
2
3
4
6 ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes
7
9 Security-Enhanced Linux secures the ftpd processes via flexible manda‐
10 tory access control.
11
12 The ftpd processes execute with the ftpd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep ftpd_t
19
20
21
23 The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.
24
25 The default entrypoint paths for the ftpd_t domain are the following:
26
27 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
28 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
29 /etc/cron.monthly/proftpd
30
32 SELinux defines process types (domains) for each process running on the
33 system
34
35 You can see the context of a process using the -Z option to ps
36
37 Policy governs the access confined processes have to files. SELinux
38 ftpd policy is very flexible allowing users to setup their ftpd pro‐
39 cesses in as secure a method as possible.
40
41 The following process types are defined for ftpd:
42
43 ftpd_t, ftpdctl_t
44
45 Note: semanage permissive -a ftpd_t can be used to make the process
46 type ftpd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
50
52 SELinux policy is customizable based on least access required. ftpd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run ftpd with the tightest access possible.
55
56
57
58 If you want to determine whether ftpd can connect to all unreserved
59 ports, you must turn on the ftpd_connect_all_unreserved boolean. Dis‐
60 abled by default.
61
62 setsebool -P ftpd_connect_all_unreserved 1
63
64
65
66 If you want to determine whether ftpd can connect to databases over the
67 TCP network, you must turn on the ftpd_connect_db boolean. Disabled by
68 default.
69
70 setsebool -P ftpd_connect_db 1
71
72
73
74 If you want to determine whether ftpd can login to local users and can
75 read and write all files on the system, governed by DAC, you must turn
76 on the ftpd_full_access boolean. Disabled by default.
77
78 setsebool -P ftpd_full_access 1
79
80
81
82 If you want to determine whether ftpd can use CIFS used for public file
83 transfer services, you must turn on the ftpd_use_cifs boolean. Disabled
84 by default.
85
86 setsebool -P ftpd_use_cifs 1
87
88
89
90 If you want to allow ftpd to use ntfs/fusefs volumes, you must turn on
91 the ftpd_use_fusefs boolean. Disabled by default.
92
93 setsebool -P ftpd_use_fusefs 1
94
95
96
97 If you want to determine whether ftpd can use NFS used for public file
98 transfer services, you must turn on the ftpd_use_nfs boolean. Disabled
99 by default.
100
101 setsebool -P ftpd_use_nfs 1
102
103
104
105 If you want to determine whether ftpd can bind to all unreserved ports
106 for passive mode, you must turn on the ftpd_use_passive_mode boolean.
107 Disabled by default.
108
109 setsebool -P ftpd_use_passive_mode 1
110
111
112
113 If you want to allow users to resolve user passwd entries directly from
114 ldap rather then using a sssd server, you must turn on the authlo‐
115 gin_nsswitch_use_ldap boolean. Disabled by default.
116
117 setsebool -P authlogin_nsswitch_use_ldap 1
118
119
120
121 If you want to allow all domains to execute in fips_mode, you must turn
122 on the fips_mode boolean. Enabled by default.
123
124 setsebool -P fips_mode 1
125
126
127
128 If you want to allow confined applications to run with kerberos, you
129 must turn on the kerberos_enabled boolean. Enabled by default.
130
131 setsebool -P kerberos_enabled 1
132
133
134
135 If you want to allow system to run with NIS, you must turn on the
136 nis_enabled boolean. Disabled by default.
137
138 setsebool -P nis_enabled 1
139
140
141
142 If you want to allow confined applications to use nscd shared memory,
143 you must turn on the nscd_use_shm boolean. Disabled by default.
144
145 setsebool -P nscd_use_shm 1
146
147
148
149 If you want to support NFS home directories, you must turn on the
150 use_nfs_home_dirs boolean. Disabled by default.
151
152 setsebool -P use_nfs_home_dirs 1
153
154
155
156 If you want to support SAMBA home directories, you must turn on the
157 use_samba_home_dirs boolean. Disabled by default.
158
159 setsebool -P use_samba_home_dirs 1
160
161
162
164 SELinux defines port types to represent TCP and UDP ports.
165
166 You can see the types associated with a port by using the following
167 command:
168
169 semanage port -l
170
171
172 Policy governs the access confined processes have to these ports.
173 SELinux ftpd policy is very flexible allowing users to setup their ftpd
174 processes in as secure a method as possible.
175
176 The following port types are defined for ftpd:
177
178
179 ftp_data_port_t
180
181
182
183 Default Defined Ports:
184 tcp 20
185
186
187 ftp_port_t
188
189
190
191 Default Defined Ports:
192 tcp 21,989,990
193 udp 989,990
194
196 The SELinux process type ftpd_t can manage files labeled with the fol‐
197 lowing file types. The paths listed are the default paths for these
198 file types. Note the processes UID still need to have DAC permissions.
199
200 cifs_t
201
202
203 cluster_conf_t
204
205 /etc/cluster(/.*)?
206
207 cluster_var_lib_t
208
209 /var/lib/pcsd(/.*)?
210 /var/lib/cluster(/.*)?
211 /var/lib/openais(/.*)?
212 /var/lib/pengine(/.*)?
213 /var/lib/corosync(/.*)?
214 /usr/lib/heartbeat(/.*)?
215 /var/lib/heartbeat(/.*)?
216 /var/lib/pacemaker(/.*)?
217
218 cluster_var_run_t
219
220 /var/run/crm(/.*)?
221 /var/run/cman_.*
222 /var/run/rsctmp(/.*)?
223 /var/run/aisexec.*
224 /var/run/heartbeat(/.*)?
225 /var/run/corosync-qnetd(/.*)?
226 /var/run/corosync-qdevice(/.*)?
227 /var/run/corosync.pid
228 /var/run/cpglockd.pid
229 /var/run/rgmanager.pid
230 /var/run/cluster/rgmanager.sk
231
232 faillog_t
233
234 /var/log/btmp.*
235 /var/log/faillog.*
236 /var/log/tallylog.*
237 /var/run/faillock(/.*)?
238
239 ftpd_lock_t
240
241 /var/lock/subsys/*.ftpd
242
243 ftpd_tmp_t
244
245
246 ftpd_tmpfs_t
247
248
249 ftpd_var_run_t
250
251 /var/run/proftpd.*
252
253 fusefs_t
254
255 /var/run/user/[^/]*/gvfs
256
257 httpd_user_content_t
258
259 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
260
261 initrc_var_run_t
262
263 /var/run/utmp
264 /var/run/random-seed
265 /var/run/runlevel.dir
266 /var/run/setmixer_flag
267
268 krb5_host_rcache_t
269
270 /var/cache/krb5rcache(/.*)?
271 /var/tmp/nfs_0
272 /var/tmp/DNS_25
273 /var/tmp/host_0
274 /var/tmp/imap_0
275 /var/tmp/HTTP_23
276 /var/tmp/HTTP_48
277 /var/tmp/ldap_55
278 /var/tmp/ldap_487
279 /var/tmp/ldapmap1_0
280
281 lastlog_t
282
283 /var/log/lastlog.*
284
285 nfs_t
286
287
288 non_security_file_type
289
290
291 public_content_rw_t
292
293 /var/spool/abrt-upload(/.*)?
294
295 root_t
296
297 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
298 /
299 /initrd
300
301 security_t
302
303 /selinux
304
305 user_home_t
306
307 /home/[^/]+/.+
308
309 user_tmp_t
310
311 /dev/shm/mono.*
312 /var/run/user(/.*)?
313 /tmp/.ICE-unix(/.*)?
314 /tmp/.X11-unix(/.*)?
315 /dev/shm/pulse-shm.*
316 /tmp/.X0-lock
317 /tmp/hsperfdata_root
318 /var/tmp/hsperfdata_root
319 /home/[^/]+/tmp
320 /home/[^/]+/.tmp
321 /tmp/gconfd-[^/]+
322
323 var_auth_t
324
325 /var/ace(/.*)?
326 /var/rsa(/.*)?
327 /var/lib/abl(/.*)?
328 /var/lib/rsa(/.*)?
329 /var/lib/pam_ssh(/.*)?
330 /var/run/pam_ssh(/.*)?
331 /var/lib/pam_shield(/.*)?
332 /var/opt/quest/vas/vasd(/.*)?
333 /var/lib/google-authenticator(/.*)?
334
335 wtmp_t
336
337 /var/log/wtmp.*
338
339 xferlog_t
340
341 /var/log/vsftpd.*
342 /var/log/xferlog.*
343 /var/log/proftpd(/.*)?
344 /var/log/xferreport.*
345 /var/log/muddleftpd.log.*
346 /var/log/proftpd.log
347 /usr/libexec/webmin/vsftpd/webalizer/xfer_log
348
349
351 SELinux requires files to have an extended attribute to define the file
352 type.
353
354 You can see the context of a file using the -Z option to ls
355
356 Policy governs the access confined processes have to these files.
357 SELinux ftpd policy is very flexible allowing users to setup their ftpd
358 processes in as secure a method as possible.
359
360 STANDARD FILE CONTEXT
361
362 SELinux defines the file context types for the ftpd, if you wanted to
363 store files with these types in a diffent paths, you need to execute
364 the semanage command to sepecify alternate labeling and then use
365 restorecon to put the labels on disk.
366
367 semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
368 restorecon -R -v /srv/myftpd_content
369
370 Note: SELinux often uses regular expressions to specify labels that
371 match multiple files.
372
373 The following file types are defined for ftpd:
374
375
376
377 ftpd_etc_t
378
379 - Set files with the ftpd_etc_t type, if you want to store ftpd files
380 in the /etc directories.
381
382
383
384 ftpd_exec_t
385
386 - Set files with the ftpd_exec_t type, if you want to transition an
387 executable to the ftpd_t domain.
388
389
390 Paths:
391 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
392 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
393 /etc/cron.monthly/proftpd
394
395
396 ftpd_initrc_exec_t
397
398 - Set files with the ftpd_initrc_exec_t type, if you want to transition
399 an executable to the ftpd_initrc_t domain.
400
401
402 Paths:
403 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd
404
405
406 ftpd_keytab_t
407
408 - Set files with the ftpd_keytab_t type, if you want to treat the files
409 as kerberos keytab files.
410
411
412
413 ftpd_lock_t
414
415 - Set files with the ftpd_lock_t type, if you want to treat the files
416 as ftpd lock data, stored under the /var/lock directory
417
418
419
420 ftpd_tmp_t
421
422 - Set files with the ftpd_tmp_t type, if you want to store ftpd tempo‐
423 rary files in the /tmp directories.
424
425
426
427 ftpd_tmpfs_t
428
429 - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
430 on a tmpfs file system.
431
432
433
434 ftpd_unit_file_t
435
436 - Set files with the ftpd_unit_file_t type, if you want to treat the
437 files as ftpd unit content.
438
439
440
441 ftpd_var_run_t
442
443 - Set files with the ftpd_var_run_t type, if you want to store the ftpd
444 files under the /run or /var/run directory.
445
446
447
448 ftpdctl_exec_t
449
450 - Set files with the ftpdctl_exec_t type, if you want to transition an
451 executable to the ftpdctl_t domain.
452
453
454
455 ftpdctl_tmp_t
456
457 - Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl
458 temporary files in the /tmp directories.
459
460
461
462 Note: File context can be temporarily modified with the chcon command.
463 If you want to permanently change the file context you need to use the
464 semanage fcontext command. This will modify the SELinux labeling data‐
465 base. You will need to use restorecon to apply the labels.
466
467
469 If you want to share files with multiple domains (Apache, FTP, rsync,
470 Samba), you can set a file context of public_content_t and public_con‐
471 tent_rw_t. These context allow any of the above domains to read the
472 content. If you want a particular domain to write to the public_con‐
473 tent_rw_t domain, you must set the appropriate boolean.
474
475 Allow ftpd servers to read the /var/ftpd directory by adding the pub‐
476 lic_content_t file type to the directory and by restoring the file
477 type.
478
479 semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
480 restorecon -F -R -v /var/ftpd
481
482 Allow ftpd servers to read and write /var/ftpd/incoming by adding the
483 public_content_rw_t type to the directory and by restoring the file
484 type. You also need to turn on the ftpd_anon_write boolean.
485
486 semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
487 restorecon -F -R -v /var/ftpd/incoming
488 setsebool -P ftpd_anon_write 1
489
490
491 If you want to determine whether ftpd can modify public files used for
492 public file transfer services. Directories/Files must be labeled pub‐
493 lic_content_rw_t., you must turn on the ftpd_anon_write boolean.
494
495 setsebool -P ftpd_anon_write 1
496
497
499 semanage fcontext can also be used to manipulate default file context
500 mappings.
501
502 semanage permissive can also be used to manipulate whether or not a
503 process type is permissive.
504
505 semanage module can also be used to enable/disable/install/remove pol‐
506 icy modules.
507
508 semanage port can also be used to manipulate the port definitions
509
510 semanage boolean can also be used to manipulate the booleans
511
512
513 system-config-selinux is a GUI tool available to customize SELinux pol‐
514 icy settings.
515
516
518 This manual page was auto-generated using sepolicy manpage .
519
520
522 selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
523 setsebool(8)
524
525
526
527ftpd 19-05-30 ftpd_selinux(8)