1ftpd_selinux(8) SELinux Policy ftpd ftpd_selinux(8)
2
3
4
6 ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes
7
9 Security-Enhanced Linux secures the ftpd processes via flexible manda‐
10 tory access control.
11
12 The ftpd processes execute with the ftpd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep ftpd_t
19
20
21
23 The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.
24
25 The default entrypoint paths for the ftpd_t domain are the following:
26
27 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
28 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
29 /etc/cron.monthly/proftpd
30
32 SELinux defines process types (domains) for each process running on the
33 system
34
35 You can see the context of a process using the -Z option to ps
36
37 Policy governs the access confined processes have to files. SELinux
38 ftpd policy is very flexible allowing users to setup their ftpd pro‐
39 cesses in as secure a method as possible.
40
41 The following process types are defined for ftpd:
42
43 ftpd_t, ftpdctl_t
44
45 Note: semanage permissive -a ftpd_t can be used to make the process
46 type ftpd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
50
52 SELinux policy is customizable based on least access required. ftpd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run ftpd with the tightest access possible.
55
56
57
58 If you want to determine whether ftpd can connect to all unreserved
59 ports, you must turn on the ftpd_connect_all_unreserved boolean. Dis‐
60 abled by default.
61
62 setsebool -P ftpd_connect_all_unreserved 1
63
64
65
66 If you want to determine whether ftpd can connect to databases over the
67 TCP network, you must turn on the ftpd_connect_db boolean. Disabled by
68 default.
69
70 setsebool -P ftpd_connect_db 1
71
72
73
74 If you want to determine whether ftpd can login to local users and can
75 read and write all files on the system, governed by DAC, you must turn
76 on the ftpd_full_access boolean. Disabled by default.
77
78 setsebool -P ftpd_full_access 1
79
80
81
82 If you want to determine whether ftpd can use CIFS used for public file
83 transfer services, you must turn on the ftpd_use_cifs boolean. Disabled
84 by default.
85
86 setsebool -P ftpd_use_cifs 1
87
88
89
90 If you want to allow ftpd to use ntfs/fusefs volumes, you must turn on
91 the ftpd_use_fusefs boolean. Disabled by default.
92
93 setsebool -P ftpd_use_fusefs 1
94
95
96
97 If you want to determine whether ftpd can use NFS used for public file
98 transfer services, you must turn on the ftpd_use_nfs boolean. Disabled
99 by default.
100
101 setsebool -P ftpd_use_nfs 1
102
103
104
105 If you want to determine whether ftpd can bind to all unreserved ports
106 for passive mode, you must turn on the ftpd_use_passive_mode boolean.
107 Disabled by default.
108
109 setsebool -P ftpd_use_passive_mode 1
110
111
112
113 If you want to allow all domains to execute in fips_mode, you must turn
114 on the fips_mode boolean. Enabled by default.
115
116 setsebool -P fips_mode 1
117
118
119
120 If you want to allow confined applications to run with kerberos, you
121 must turn on the kerberos_enabled boolean. Disabled by default.
122
123 setsebool -P kerberos_enabled 1
124
125
126
127 If you want to allow system to run with NIS, you must turn on the
128 nis_enabled boolean. Disabled by default.
129
130 setsebool -P nis_enabled 1
131
132
133
134 If you want to support NFS home directories, you must turn on the
135 use_nfs_home_dirs boolean. Enabled by default.
136
137 setsebool -P use_nfs_home_dirs 1
138
139
140
141 If you want to support SAMBA home directories, you must turn on the
142 use_samba_home_dirs boolean. Disabled by default.
143
144 setsebool -P use_samba_home_dirs 1
145
146
147
149 SELinux defines port types to represent TCP and UDP ports.
150
151 You can see the types associated with a port by using the following
152 command:
153
154 semanage port -l
155
156
157 Policy governs the access confined processes have to these ports.
158 SELinux ftpd policy is very flexible allowing users to setup their ftpd
159 processes in as secure a method as possible.
160
161 The following port types are defined for ftpd:
162
163
164 ftp_data_port_t
165
166
167
168 Default Defined Ports:
169 tcp 20
170
171
172 ftp_port_t
173
174
175
176 Default Defined Ports:
177 tcp 21,989,990
178 udp 989,990
179
181 The SELinux process type ftpd_t can manage files labeled with the fol‐
182 lowing file types. The paths listed are the default paths for these
183 file types. Note the processes UID still need to have DAC permissions.
184
185 cifs_t
186
187
188 cluster_conf_t
189
190 /etc/cluster(/.*)?
191
192 cluster_var_lib_t
193
194 /var/lib/pcsd(/.*)?
195 /var/lib/cluster(/.*)?
196 /var/lib/openais(/.*)?
197 /var/lib/pengine(/.*)?
198 /var/lib/corosync(/.*)?
199 /usr/lib/heartbeat(/.*)?
200 /var/lib/heartbeat(/.*)?
201 /var/lib/pacemaker(/.*)?
202
203 cluster_var_run_t
204
205 /var/run/crm(/.*)?
206 /var/run/cman_.*
207 /var/run/rsctmp(/.*)?
208 /var/run/aisexec.*
209 /var/run/heartbeat(/.*)?
210 /var/run/corosync-qnetd(/.*)?
211 /var/run/corosync-qdevice(/.*)?
212 /var/run/corosync.pid
213 /var/run/cpglockd.pid
214 /var/run/rgmanager.pid
215 /var/run/cluster/rgmanager.sk
216
217 faillog_t
218
219 /var/log/btmp.*
220 /var/log/faillog.*
221 /var/log/tallylog.*
222 /var/run/faillock(/.*)?
223
224 ftpd_lock_t
225
226 /var/lock/subsys/*.ftpd
227
228 ftpd_tmpfs_t
229
230
231 ftpd_var_run_t
232
233 /var/run/proftpd.*
234
235 fusefs_t
236
237 /var/run/user/[^/]*/gvfs
238
239 httpd_user_content_t
240
241 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
242
243 initrc_var_run_t
244
245 /var/run/utmp
246 /var/run/random-seed
247 /var/run/runlevel.dir
248 /var/run/setmixer_flag
249
250 lastlog_t
251
252 /var/log/lastlog.*
253
254 nfs_t
255
256
257 non_security_file_type
258
259
260 root_t
261
262 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
263 /
264 /initrd
265
266 security_t
267
268 /selinux
269
270 user_home_t
271
272 /home/[^/]+/.+
273
274 var_auth_t
275
276 /var/ace(/.*)?
277 /var/rsa(/.*)?
278 /var/lib/abl(/.*)?
279 /var/lib/rsa(/.*)?
280 /var/lib/pam_ssh(/.*)?
281 /var/lib/pam_shield(/.*)?
282 /var/opt/quest/vas/vasd(/.*)?
283 /var/lib/google-authenticator(/.*)?
284
285 wtmp_t
286
287 /var/log/wtmp.*
288
289 xferlog_t
290
291 /var/log/vsftpd.*
292 /var/log/xferlog.*
293 /var/log/proftpd(/.*)?
294 /var/log/xferreport.*
295 /var/log/muddleftpd.log.*
296 /var/log/proftpd.log
297 /usr/libexec/webmin/vsftpd/webalizer/xfer_log
298
299
301 SELinux requires files to have an extended attribute to define the file
302 type.
303
304 You can see the context of a file using the -Z option to ls
305
306 Policy governs the access confined processes have to these files.
307 SELinux ftpd policy is very flexible allowing users to setup their ftpd
308 processes in as secure a method as possible.
309
310 STANDARD FILE CONTEXT
311
312 SELinux defines the file context types for the ftpd, if you wanted to
313 store files with these types in a diffent paths, you need to execute
314 the semanage command to sepecify alternate labeling and then use
315 restorecon to put the labels on disk.
316
317 semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
318 restorecon -R -v /srv/myftpd_content
319
320 Note: SELinux often uses regular expressions to specify labels that
321 match multiple files.
322
323 The following file types are defined for ftpd:
324
325
326
327 ftpd_etc_t
328
329 - Set files with the ftpd_etc_t type, if you want to store ftpd files
330 in the /etc directories.
331
332
333
334 ftpd_exec_t
335
336 - Set files with the ftpd_exec_t type, if you want to transition an
337 executable to the ftpd_t domain.
338
339
340 Paths:
341 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
342 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
343 /etc/cron.monthly/proftpd
344
345
346 ftpd_initrc_exec_t
347
348 - Set files with the ftpd_initrc_exec_t type, if you want to transition
349 an executable to the ftpd_initrc_t domain.
350
351
352 Paths:
353 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd
354
355
356 ftpd_keytab_t
357
358 - Set files with the ftpd_keytab_t type, if you want to treat the files
359 as kerberos keytab files.
360
361
362
363 ftpd_lock_t
364
365 - Set files with the ftpd_lock_t type, if you want to treat the files
366 as ftpd lock data, stored under the /var/lock directory
367
368
369
370 ftpd_tmp_t
371
372 - Set files with the ftpd_tmp_t type, if you want to store ftpd tempo‐
373 rary files in the /tmp directories.
374
375
376
377 ftpd_tmpfs_t
378
379 - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
380 on a tmpfs file system.
381
382
383
384 ftpd_unit_file_t
385
386 - Set files with the ftpd_unit_file_t type, if you want to treat the
387 files as ftpd unit content.
388
389
390
391 ftpd_var_run_t
392
393 - Set files with the ftpd_var_run_t type, if you want to store the ftpd
394 files under the /run or /var/run directory.
395
396
397
398 ftpdctl_exec_t
399
400 - Set files with the ftpdctl_exec_t type, if you want to transition an
401 executable to the ftpdctl_t domain.
402
403
404
405 ftpdctl_tmp_t
406
407 - Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl
408 temporary files in the /tmp directories.
409
410
411
412 Note: File context can be temporarily modified with the chcon command.
413 If you want to permanently change the file context you need to use the
414 semanage fcontext command. This will modify the SELinux labeling data‐
415 base. You will need to use restorecon to apply the labels.
416
417
419 If you want to share files with multiple domains (Apache, FTP, rsync,
420 Samba), you can set a file context of public_content_t and public_con‐
421 tent_rw_t. These context allow any of the above domains to read the
422 content. If you want a particular domain to write to the public_con‐
423 tent_rw_t domain, you must set the appropriate boolean.
424
425 Allow ftpd servers to read the /var/ftpd directory by adding the pub‐
426 lic_content_t file type to the directory and by restoring the file
427 type.
428
429 semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
430 restorecon -F -R -v /var/ftpd
431
432 Allow ftpd servers to read and write /var/ftpd/incoming by adding the
433 public_content_rw_t type to the directory and by restoring the file
434 type. You also need to turn on the ftpd_anon_write boolean.
435
436 semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
437 restorecon -F -R -v /var/ftpd/incoming
438 setsebool -P ftpd_anon_write 1
439
440
441 If you want to determine whether ftpd can modify public files used for
442 public file transfer services. Directories/Files must be labeled pub‐
443 lic_content_rw_t., you must turn on the ftpd_anon_write boolean.
444
445 setsebool -P ftpd_anon_write 1
446
447
449 semanage fcontext can also be used to manipulate default file context
450 mappings.
451
452 semanage permissive can also be used to manipulate whether or not a
453 process type is permissive.
454
455 semanage module can also be used to enable/disable/install/remove pol‐
456 icy modules.
457
458 semanage port can also be used to manipulate the port definitions
459
460 semanage boolean can also be used to manipulate the booleans
461
462
463 system-config-selinux is a GUI tool available to customize SELinux pol‐
464 icy settings.
465
466
468 This manual page was auto-generated using sepolicy manpage .
469
470
472 selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
473 setsebool(8)
474
475
476
477ftpd 20-05-05 ftpd_selinux(8)