1ftpd_selinux(8) SELinux Policy ftpd ftpd_selinux(8)
2
6 ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes
7
9 Security-Enhanced Linux secures the ftpd processes via flexible manda‐
10 tory access control.
11 The ftpd processes execute with the ftpd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep ftpd_t
19
23 The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.
24 The default entrypoint paths for the ftpd_t domain are the following:
26 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
28 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
29 /etc/cron.monthly/proftpd
30
32 SELinux defines process types (domains) for each process running on the
33 system
34 You can see the context of a process using the -Z option to ps
36 Policy governs the access confined processes have to files. SELinux
38 ftpd policy is very flexible allowing users to setup their ftpd pro‐
39 cesses in as secure a method as possible.
40 The following process types are defined for ftpd:
42 ftpd_t, ftpdctl_t
44 Note: semanage permissive -a ftpd_t can be used to make the process
46 type ftpd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
52 SELinux policy is customizable based on least access required. ftpd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run ftpd with the tightest access possible.
55 If you want to determine whether ftpd can connect to all unreserved
59 ports, you must turn on the ftpd_connect_all_unreserved boolean. Dis‐
60 abled by default.
61 setsebool -P ftpd_connect_all_unreserved 1
63 If you want to determine whether ftpd can connect to databases over the
67 TCP network, you must turn on the ftpd_connect_db boolean. Disabled by
68 default.
69 setsebool -P ftpd_connect_db 1
71 If you want to determine whether ftpd can login to local users and can
75 read and write all files on the system, governed by DAC, you must turn
76 on the ftpd_full_access boolean. Disabled by default.
77 setsebool -P ftpd_full_access 1
79 If you want to determine whether ftpd can use CIFS used for public file
83 transfer services, you must turn on the ftpd_use_cifs boolean. Disabled
84 by default.
85 setsebool -P ftpd_use_cifs 1
87 If you want to allow ftpd to use ntfs/fusefs volumes, you must turn on
91 the ftpd_use_fusefs boolean. Disabled by default.
92 setsebool -P ftpd_use_fusefs 1
94 If you want to determine whether ftpd can use NFS used for public file
98 transfer services, you must turn on the ftpd_use_nfs boolean. Disabled
99 by default.
100 setsebool -P ftpd_use_nfs 1
102 If you want to determine whether ftpd can bind to all unreserved ports
106 for passive mode, you must turn on the ftpd_use_passive_mode boolean.
107 Disabled by default.
108 setsebool -P ftpd_use_passive_mode 1
110 If you want to allow all domains to execute in fips_mode, you must turn
114 on the fips_mode boolean. Enabled by default.
115 setsebool -P fips_mode 1
117 If you want to allow confined applications to run with kerberos, you
121 must turn on the kerberos_enabled boolean. Enabled by default.
122 setsebool -P kerberos_enabled 1
124 If you want to allow system to run with NIS, you must turn on the
128 nis_enabled boolean. Disabled by default.
129 setsebool -P nis_enabled 1
131 If you want to support NFS home directories, you must turn on the
135 use_nfs_home_dirs boolean. Disabled by default.
136 setsebool -P use_nfs_home_dirs 1
138 If you want to support SAMBA home directories, you must turn on the
142 use_samba_home_dirs boolean. Disabled by default.
143 setsebool -P use_samba_home_dirs 1
145
149 SELinux defines port types to represent TCP and UDP ports.
150 You can see the types associated with a port by using the following
152 command:
153 semanage port -l
155 Policy governs the access confined processes have to these ports.
158 SELinux ftpd policy is very flexible allowing users to setup their ftpd
159 processes in as secure a method as possible.
160 The following port types are defined for ftpd:
162 ftp_data_port_t
165 Default Defined Ports:
169 tcp 20
170 ftp_port_t
173 Default Defined Ports:
177 tcp 21,989,990
178 udp 989,990
179
181 The SELinux process type ftpd_t can manage files labeled with the fol‐
182 lowing file types. The paths listed are the default paths for these
183 file types. Note the processes UID still need to have DAC permissions.
184 cifs_t
186 cluster_conf_t
189 /etc/cluster(/.*)?
191 cluster_var_lib_t
193 /var/lib/pcsd(/.*)?
195 /var/lib/cluster(/.*)?
196 /var/lib/openais(/.*)?
197 /var/lib/pengine(/.*)?
198 /var/lib/corosync(/.*)?
199 /usr/lib/heartbeat(/.*)?
200 /var/lib/heartbeat(/.*)?
201 /var/lib/pacemaker(/.*)?
202 cluster_var_run_t
204 /var/run/crm(/.*)?
206 /var/run/cman_.*
207 /var/run/rsctmp(/.*)?
208 /var/run/aisexec.*
209 /var/run/heartbeat(/.*)?
210 /var/run/pcsd-ruby.socket
211 /var/run/corosync-qnetd(/.*)?
212 /var/run/corosync-qdevice(/.*)?
213 /var/run/corosync.pid
214 /var/run/cpglockd.pid
215 /var/run/rgmanager.pid
216 /var/run/cluster/rgmanager.sk
217 faillog_t
219 /var/log/btmp.*
221 /var/log/faillog.*
222 /var/log/tallylog.*
223 /var/run/faillock(/.*)?
224 ftpd_lock_t
226 /var/lock/subsys/*.ftpd
228 ftpd_tmp_t
230 ftpd_tmpfs_t
233 ftpd_var_run_t
236 /var/run/proftpd.*
238 fusefs_t
240 /var/run/user/[0-9]+/gvfs
242 httpd_user_content_t
244 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
246 initrc_var_run_t
248 /var/run/utmp
250 /var/run/random-seed
251 /var/run/runlevel.dir
252 /var/run/setmixer_flag
253 krb5_host_rcache_t
255 /var/tmp/krb5_0.rcache2
257 /var/cache/krb5rcache(/.*)?
258 /var/tmp/nfs_0
259 /var/tmp/DNS_25
260 /var/tmp/host_0
261 /var/tmp/imap_0
262 /var/tmp/HTTP_23
263 /var/tmp/HTTP_48
264 /var/tmp/ldap_55
265 /var/tmp/ldap_487
266 /var/tmp/ldapmap1_0
267 lastlog_t
269 /var/log/lastlog.*
271 nfs_t
273 non_security_file_type
276 root_t
279 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
281 /
282 /initrd
283 security_t
285 /selinux
287 user_home_t
289 /home/[^/]+/.+
291 user_tmp_t
293 /dev/shm/mono.*
295 /var/run/user/[^/]+
296 /tmp/.ICE-unix(/.*)?
297 /tmp/.X11-unix(/.*)?
298 /dev/shm/pulse-shm.*
299 /tmp/.X0-lock
300 /var/run/user
301 /tmp/hsperfdata_root
302 /var/tmp/hsperfdata_root
303 /home/[^/]+/tmp
304 /home/[^/]+/.tmp
305 /var/run/user/[0-9]+
306 /tmp/gconfd-[^/]+
307 var_auth_t
309 /var/ace(/.*)?
311 /var/rsa(/.*)?
312 /var/lib/abl(/.*)?
313 /var/lib/rsa(/.*)?
314 /var/lib/pam_ssh(/.*)?
315 /var/lib/pam_shield(/.*)?
316 /var/opt/quest/vas/vasd(/.*)?
317 /var/lib/google-authenticator(/.*)?
318 wtmp_t
320 /var/log/wtmp.*
322 xferlog_t
324 /var/log/vsftpd.*
326 /var/log/xferlog.*
327 /var/log/proftpd(/.*)?
328 /var/log/xferreport.*
329 /var/log/muddleftpd.log.*
330 /var/log/proftpd.log
331 /usr/libexec/webmin/vsftpd/webalizer/xfer_log
332
335 SELinux requires files to have an extended attribute to define the file
336 type.
337 You can see the context of a file using the -Z option to ls
339 Policy governs the access confined processes have to these files.
341 SELinux ftpd policy is very flexible allowing users to setup their ftpd
342 processes in as secure a method as possible.
343 STANDARD FILE CONTEXT
345 SELinux defines the file context types for the ftpd, if you wanted to
347 store files with these types in a diffent paths, you need to execute
348 the semanage command to specify alternate labeling and then use re‐
349 storecon to put the labels on disk.
350 semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
352 restorecon -R -v /srv/myftpd_content
353 Note: SELinux often uses regular expressions to specify labels that
355 match multiple files.
356 The following file types are defined for ftpd:
358 ftpd_etc_t
362 - Set files with the ftpd_etc_t type, if you want to store ftpd files
364 in the /etc directories.
365 ftpd_exec_t
369 - Set files with the ftpd_exec_t type, if you want to transition an ex‐
371 ecutable to the ftpd_t domain.
372 Paths:
375 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
376 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
377 /etc/cron.monthly/proftpd
378 ftpd_initrc_exec_t
381 - Set files with the ftpd_initrc_exec_t type, if you want to transition
383 an executable to the ftpd_initrc_t domain.
384 Paths:
387 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd
388 ftpd_keytab_t
391 - Set files with the ftpd_keytab_t type, if you want to treat the files
393 as kerberos keytab files.
394 ftpd_lock_t
398 - Set files with the ftpd_lock_t type, if you want to treat the files
400 as ftpd lock data, stored under the /var/lock directory
401 ftpd_tmp_t
405 - Set files with the ftpd_tmp_t type, if you want to store ftpd tempo‐
407 rary files in the /tmp directories.
408 ftpd_tmpfs_t
412 - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
414 on a tmpfs file system.
415 ftpd_unit_file_t
419 - Set files with the ftpd_unit_file_t type, if you want to treat the
421 files as ftpd unit content.
422 ftpd_var_run_t
426 - Set files with the ftpd_var_run_t type, if you want to store the ftpd
428 files under the /run or /var/run directory.
429 ftpdctl_exec_t
433 - Set files with the ftpdctl_exec_t type, if you want to transition an
435 executable to the ftpdctl_t domain.
436 ftpdctl_tmp_t
440 - Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl
442 temporary files in the /tmp directories.
443 Note: File context can be temporarily modified with the chcon command.
447 If you want to permanently change the file context you need to use the
448 semanage fcontext command. This will modify the SELinux labeling data‐
449 base. You will need to use restorecon to apply the labels.
450
453 If you want to share files with multiple domains (Apache, FTP, rsync,
454 Samba), you can set a file context of public_content_t and public_con‐
455 tent_rw_t. These context allow any of the above domains to read the
456 content. If you want a particular domain to write to the public_con‐
457 tent_rw_t domain, you must set the appropriate boolean.
458 Allow ftpd servers to read the /var/ftpd directory by adding the pub‐
460 lic_content_t file type to the directory and by restoring the file
461 type.
462 semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
464 restorecon -F -R -v /var/ftpd
465 Allow ftpd servers to read and write /var/ftpd/incoming by adding the
467 public_content_rw_t type to the directory and by restoring the file
468 type. You also need to turn on the ftpd_anon_write boolean.
469 semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
471 restorecon -F -R -v /var/ftpd/incoming
472 setsebool -P ftpd_anon_write 1
473 If you want to determine whether ftpd can modify public files used for
476 public file transfer services. Directories/Files must be labeled pub‐
477 lic_content_rw_t., you must turn on the ftpd_anon_write boolean.
478 setsebool -P ftpd_anon_write 1
480
483 semanage fcontext can also be used to manipulate default file context
484 mappings.
485 semanage permissive can also be used to manipulate whether or not a
487 process type is permissive.
488 semanage module can also be used to enable/disable/install/remove pol‐
490 icy modules.
491 semanage port can also be used to manipulate the port definitions
493 semanage boolean can also be used to manipulate the booleans
495 system-config-selinux is a GUI tool available to customize SELinux pol‐
498 icy settings.
499
502 This manual page was auto-generated using sepolicy manpage .
503
506 selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
507 setsebool(8)
508ftpd 22-05-27 ftpd_selinux(8)