1ftpd_selinux(8)               SELinux Policy ftpd              ftpd_selinux(8)
2
3
4

NAME

6       ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the ftpd processes via flexible manda‐
10       tory access control.
11
12       The ftpd processes execute with the ftpd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ftpd_t
19
20
21

ENTRYPOINTS

23       The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.
24
25       The default entrypoint paths for the ftpd_t domain are the following:
26
27       /usr/sbin/ftpwho,         /usr/sbin/vsftpd,          /usr/sbin/in.ftpd,
28       /usr/sbin/proftpd,    /usr/sbin/muddleftpd,    /usr/kerberos/sbin/ftpd,
29       /etc/cron.monthly/proftpd
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       ftpd policy is very flexible allowing users to setup  their  ftpd  pro‐
39       cesses in as secure a method as possible.
40
41       The following process types are defined for ftpd:
42
43       ftpd_t, ftpdctl_t
44
45       Note:  semanage  permissive  -a  ftpd_t can be used to make the process
46       type ftpd_t permissive. SELinux does  not  deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least  access  required.   ftpd
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run ftpd with the tightest access possible.
55
56
57
58       If you want to determine whether ftpd can  connect  to  all  unreserved
59       ports,  you  must turn on the ftpd_connect_all_unreserved boolean. Dis‐
60       abled by default.
61
62       setsebool -P ftpd_connect_all_unreserved 1
63
64
65
66       If you want to determine whether ftpd can connect to databases over the
67       TCP  network, you must turn on the ftpd_connect_db boolean. Disabled by
68       default.
69
70       setsebool -P ftpd_connect_db 1
71
72
73
74       If you want to determine whether ftpd can login to local users and  can
75       read  and write all files on the system, governed by DAC, you must turn
76       on the ftpd_full_access boolean. Disabled by default.
77
78       setsebool -P ftpd_full_access 1
79
80
81
82       If you want to determine whether ftpd can use CIFS used for public file
83       transfer services, you must turn on the ftpd_use_cifs boolean. Disabled
84       by default.
85
86       setsebool -P ftpd_use_cifs 1
87
88
89
90       If you want to allow ftpd to use ntfs/fusefs volumes, you must turn  on
91       the ftpd_use_fusefs boolean. Disabled by default.
92
93       setsebool -P ftpd_use_fusefs 1
94
95
96
97       If  you want to determine whether ftpd can use NFS used for public file
98       transfer services, you must turn on the ftpd_use_nfs boolean.  Disabled
99       by default.
100
101       setsebool -P ftpd_use_nfs 1
102
103
104
105       If  you want to determine whether ftpd can bind to all unreserved ports
106       for passive mode, you must turn on the  ftpd_use_passive_mode  boolean.
107       Disabled by default.
108
109       setsebool -P ftpd_use_passive_mode 1
110
111
112
113       If you want to allow all domains to execute in fips_mode, you must turn
114       on the fips_mode boolean. Enabled by default.
115
116       setsebool -P fips_mode 1
117
118
119
120       If you want to allow confined applications to run  with  kerberos,  you
121       must turn on the kerberos_enabled boolean. Enabled by default.
122
123       setsebool -P kerberos_enabled 1
124
125
126
127       If  you  want  to  allow  system  to run with NIS, you must turn on the
128       nis_enabled boolean. Disabled by default.
129
130       setsebool -P nis_enabled 1
131
132
133
134       If you want to support NFS home  directories,  you  must  turn  on  the
135       use_nfs_home_dirs boolean. Disabled by default.
136
137       setsebool -P use_nfs_home_dirs 1
138
139
140
141       If  you  want  to  support SAMBA home directories, you must turn on the
142       use_samba_home_dirs boolean. Disabled by default.
143
144       setsebool -P use_samba_home_dirs 1
145
146
147

PORT TYPES

149       SELinux defines port types to represent TCP and UDP ports.
150
151       You can see the types associated with a port  by  using  the  following
152       command:
153
154       semanage port -l
155
156
157       Policy  governs  the  access  confined  processes  have to these ports.
158       SELinux ftpd policy is very flexible allowing users to setup their ftpd
159       processes in as secure a method as possible.
160
161       The following port types are defined for ftpd:
162
163
164       ftp_data_port_t
165
166
167
168       Default Defined Ports:
169                 tcp 20
170
171
172       ftp_port_t
173
174
175
176       Default Defined Ports:
177                 tcp 21,989,990
178                 udp 989,990
179

MANAGED FILES

181       The  SELinux process type ftpd_t can manage files labeled with the fol‐
182       lowing file types.  The paths listed are the default  paths  for  these
183       file types.  Note the processes UID still need to have DAC permissions.
184
185       cifs_t
186
187
188       cluster_conf_t
189
190            /etc/cluster(/.*)?
191
192       cluster_var_lib_t
193
194            /var/lib/pcsd(/.*)?
195            /var/lib/cluster(/.*)?
196            /var/lib/openais(/.*)?
197            /var/lib/pengine(/.*)?
198            /var/lib/corosync(/.*)?
199            /usr/lib/heartbeat(/.*)?
200            /var/lib/heartbeat(/.*)?
201            /var/lib/pacemaker(/.*)?
202
203       cluster_var_run_t
204
205            /var/run/crm(/.*)?
206            /var/run/cman_.*
207            /var/run/rsctmp(/.*)?
208            /var/run/aisexec.*
209            /var/run/heartbeat(/.*)?
210            /var/run/pcsd-ruby.socket
211            /var/run/corosync-qnetd(/.*)?
212            /var/run/corosync-qdevice(/.*)?
213            /var/run/corosync.pid
214            /var/run/cpglockd.pid
215            /var/run/rgmanager.pid
216            /var/run/cluster/rgmanager.sk
217
218       faillog_t
219
220            /var/log/btmp.*
221            /var/log/faillog.*
222            /var/log/tallylog.*
223            /var/run/faillock(/.*)?
224
225       ftpd_lock_t
226
227            /var/lock/subsys/*.ftpd
228
229       ftpd_tmp_t
230
231
232       ftpd_tmpfs_t
233
234
235       ftpd_var_run_t
236
237            /var/run/proftpd.*
238
239       fusefs_t
240
241            /var/run/user/[^/]*/gvfs
242
243       httpd_user_content_t
244
245            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
246
247       initrc_var_run_t
248
249            /var/run/utmp
250            /var/run/random-seed
251            /var/run/runlevel.dir
252            /var/run/setmixer_flag
253
254       krb5_host_rcache_t
255
256            /var/tmp/krb5_0.rcache2
257            /var/cache/krb5rcache(/.*)?
258            /var/tmp/nfs_0
259            /var/tmp/DNS_25
260            /var/tmp/host_0
261            /var/tmp/imap_0
262            /var/tmp/HTTP_23
263            /var/tmp/HTTP_48
264            /var/tmp/ldap_55
265            /var/tmp/ldap_487
266            /var/tmp/ldapmap1_0
267
268       lastlog_t
269
270            /var/log/lastlog.*
271
272       nfs_t
273
274
275       non_security_file_type
276
277
278       root_t
279
280            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
281            /
282            /initrd
283
284       security_t
285
286            /selinux
287
288       user_home_t
289
290            /home/[^/]+/.+
291
292       user_tmp_t
293
294            /dev/shm/mono.*
295            /var/run/user(/.*)?
296            /tmp/.ICE-unix(/.*)?
297            /tmp/.X11-unix(/.*)?
298            /dev/shm/pulse-shm.*
299            /tmp/.X0-lock
300            /tmp/hsperfdata_root
301            /var/tmp/hsperfdata_root
302            /home/[^/]+/tmp
303            /home/[^/]+/.tmp
304            /tmp/gconfd-[^/]+
305
306       var_auth_t
307
308            /var/ace(/.*)?
309            /var/rsa(/.*)?
310            /var/lib/abl(/.*)?
311            /var/lib/rsa(/.*)?
312            /var/lib/pam_ssh(/.*)?
313            /var/lib/pam_shield(/.*)?
314            /var/opt/quest/vas/vasd(/.*)?
315            /var/lib/google-authenticator(/.*)?
316
317       wtmp_t
318
319            /var/log/wtmp.*
320
321       xferlog_t
322
323            /var/log/vsftpd.*
324            /var/log/xferlog.*
325            /var/log/proftpd(/.*)?
326            /var/log/xferreport.*
327            /var/log/muddleftpd.log.*
328            /var/log/proftpd.log
329            /usr/libexec/webmin/vsftpd/webalizer/xfer_log
330
331

FILE CONTEXTS

333       SELinux requires files to have an extended attribute to define the file
334       type.
335
336       You can see the context of a file using the -Z option to ls
337
338       Policy governs the access  confined  processes  have  to  these  files.
339       SELinux ftpd policy is very flexible allowing users to setup their ftpd
340       processes in as secure a method as possible.
341
342       STANDARD FILE CONTEXT
343
344       SELinux defines the file context types for the ftpd, if you  wanted  to
345       store  files  with  these types in a diffent paths, you need to execute
346       the semanage command to sepecify alternate labeling and  then  use  re‐
347       storecon to put the labels on disk.
348
349       semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
350       restorecon -R -v /srv/myftpd_content
351
352       Note:  SELinux  often  uses  regular expressions to specify labels that
353       match multiple files.
354
355       The following file types are defined for ftpd:
356
357
358
359       ftpd_etc_t
360
361       - Set files with the ftpd_etc_t type, if you want to store  ftpd  files
362       in the /etc directories.
363
364
365
366       ftpd_exec_t
367
368       - Set files with the ftpd_exec_t type, if you want to transition an ex‐
369       ecutable to the ftpd_t domain.
370
371
372       Paths:
373            /usr/sbin/ftpwho,       /usr/sbin/vsftpd,       /usr/sbin/in.ftpd,
374            /usr/sbin/proftpd,  /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
375            /etc/cron.monthly/proftpd
376
377
378       ftpd_initrc_exec_t
379
380       - Set files with the ftpd_initrc_exec_t type, if you want to transition
381       an executable to the ftpd_initrc_t domain.
382
383
384       Paths:
385            /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd
386
387
388       ftpd_keytab_t
389
390       - Set files with the ftpd_keytab_t type, if you want to treat the files
391       as kerberos keytab files.
392
393
394
395       ftpd_lock_t
396
397       - Set files with the ftpd_lock_t type, if you want to treat  the  files
398       as ftpd lock data, stored under the /var/lock directory
399
400
401
402       ftpd_tmp_t
403
404       -  Set files with the ftpd_tmp_t type, if you want to store ftpd tempo‐
405       rary files in the /tmp directories.
406
407
408
409       ftpd_tmpfs_t
410
411       - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
412       on a tmpfs file system.
413
414
415
416       ftpd_unit_file_t
417
418       -  Set  files  with the ftpd_unit_file_t type, if you want to treat the
419       files as ftpd unit content.
420
421
422
423       ftpd_var_run_t
424
425       - Set files with the ftpd_var_run_t type, if you want to store the ftpd
426       files under the /run or /var/run directory.
427
428
429
430       ftpdctl_exec_t
431
432       -  Set files with the ftpdctl_exec_t type, if you want to transition an
433       executable to the ftpdctl_t domain.
434
435
436
437       ftpdctl_tmp_t
438
439       - Set files with the ftpdctl_tmp_t type, if you want to  store  ftpdctl
440       temporary files in the /tmp directories.
441
442
443
444       Note:  File context can be temporarily modified with the chcon command.
445       If you want to permanently change the file context you need to use  the
446       semanage fcontext command.  This will modify the SELinux labeling data‐
447       base.  You will need to use restorecon to apply the labels.
448
449

SHARING FILES

451       If you want to share files with multiple domains (Apache,  FTP,  rsync,
452       Samba),  you can set a file context of public_content_t and public_con‐
453       tent_rw_t.  These context allow any of the above domains  to  read  the
454       content.   If  you want a particular domain to write to the public_con‐
455       tent_rw_t domain, you must set the appropriate boolean.
456
457       Allow ftpd servers to read the /var/ftpd directory by adding  the  pub‐
458       lic_content_t  file  type  to  the  directory and by restoring the file
459       type.
460
461       semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
462       restorecon -F -R -v /var/ftpd
463
464       Allow ftpd servers to read and write /var/ftpd/incoming by  adding  the
465       public_content_rw_t  type  to  the  directory and by restoring the file
466       type.  You also need to turn on the ftpd_anon_write boolean.
467
468       semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
469       restorecon -F -R -v /var/ftpd/incoming
470       setsebool -P ftpd_anon_write 1
471
472
473       If you want to determine whether ftpd can modify public files used  for
474       public  file  transfer services. Directories/Files must be labeled pub‐
475       lic_content_rw_t., you must turn on the ftpd_anon_write boolean.
476
477       setsebool -P ftpd_anon_write 1
478
479

COMMANDS

481       semanage fcontext can also be used to manipulate default  file  context
482       mappings.
483
484       semanage  permissive  can  also  be used to manipulate whether or not a
485       process type is permissive.
486
487       semanage module can also be used to enable/disable/install/remove  pol‐
488       icy modules.
489
490       semanage port can also be used to manipulate the port definitions
491
492       semanage boolean can also be used to manipulate the booleans
493
494
495       system-config-selinux is a GUI tool available to customize SELinux pol‐
496       icy settings.
497
498

AUTHOR

500       This manual page was auto-generated using sepolicy manpage .
501
502

SEE ALSO

504       selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
505       setsebool(8)
506
507
508
509ftpd                               21-06-09                    ftpd_selinux(8)
Impressum