ftpd_selinux(8)               SELinux Policy ftpd               ftpd_selinux(8)

NAME

ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes

DESCRIPTION

Security-Enhanced Linux secures the ftpd processes via flexible mandatory
access control.

The ftpd processes execute with the ftpd_t SELinux type. You can check
whether you have these processes running by executing the ps command with
the -Z qualifier.

For example:

ps -eZ | grep ftpd_t

ENTRYPOINTS

The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.

The default entrypoint paths for the ftpd_t domain are the following:

/usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
/usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
/etc/cron.monthly/proftpd

PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
ftpd policy is very flexible, allowing users to set up their ftpd
processes as securely as possible.

The following process types are defined for ftpd:

ftpd_t, ftpdctl_t

Note: semanage permissive -a ftpd_t can be used to make the process
type ftpd_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.

BOOLEANS

SELinux policy is customizable based on the least access required. ftpd
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run ftpd with the tightest access possible.

If you want to allow ftpd to connect to all unreserved ports, you must
turn on the ftpd_connect_all_unreserved boolean. Disabled by default.

setsebool -P ftpd_connect_all_unreserved 1

If you want to allow ftpd to connect to databases over the TCP network,
you must turn on the ftpd_connect_db boolean. Disabled by default.

setsebool -P ftpd_connect_db 1

If you want to allow ftpd to log in local users and read and write all
files on the system, governed only by DAC, you must turn on the
ftpd_full_access boolean. Disabled by default.

setsebool -P ftpd_full_access 1

If you want to allow ftpd to use CIFS for public file transfer
services, you must turn on the ftpd_use_cifs boolean. Disabled by
default.

setsebool -P ftpd_use_cifs 1

If you want to allow ftpd to use ntfs/fusefs volumes, you must turn on
the ftpd_use_fusefs boolean. Disabled by default.

setsebool -P ftpd_use_fusefs 1

If you want to allow ftpd to use NFS for public file transfer
services, you must turn on the ftpd_use_nfs boolean. Disabled by
default.

setsebool -P ftpd_use_nfs 1

If you want to allow ftpd to bind to all unreserved ports for passive
mode, you must turn on the ftpd_use_passive_mode boolean. Disabled by
default.

setsebool -P ftpd_use_passive_mode 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

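An added audit helper, not part of this manual page: a POSIX shell function that compares the output of getsebool -a against the defaults documented above and reports every boolean that has drifted, marking ftpd_full_access and ftpd_anon_write (the two that widen ftpd's write access) as HIGH. The defaults table and the sample getsebool output are constructed here by hand.

```shell
# Documented defaults for the booleans listed in ftpd_selinux(8); this table
# is built by hand from the man page, not read from any sepolicy tool.
FTPD_BOOL_DEFAULTS='ftpd_anon_write off
ftpd_connect_all_unreserved off
ftpd_connect_db off
ftpd_full_access off
ftpd_use_cifs off
ftpd_use_nfs off
ftpd_use_fusefs off
ftpd_use_passive_mode off
fips_mode on
kerberos_enabled on
nis_enabled off
use_nfs_home_dirs off
use_samba_home_dirs off'

# audit_ftpd_booleans OUTPUT: OUTPUT is the text of `getsebool -a`, one
# "name --> on|off" line per boolean. Prints one line per boolean that differs
# from its documented default (HIGH for the two that widen write access,
# REVIEW otherwise) and returns 1 if anything differs, 0 if all match.
audit_ftpd_booleans() {
    rc=0
    while read -r name default; do
        [ -n "$name" ] || continue
        current=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$current" ]; then
            printf 'UNKNOWN %s not reported by getsebool\n' "$name"
            continue
        fi
        if [ "$current" != "$default" ]; then
            case $name in
                ftpd_full_access|ftpd_anon_write) level=HIGH ;;
                *) level=REVIEW ;;
            esac
            printf '%s %s is %s (default %s)\n' "$level" "$name" "$current" "$default"
            rc=1
        fi
    done <<EOF
$FTPD_BOOL_DEFAULTS
EOF
    return $rc
}

# Constructed getsebool -a excerpt: the documented defaults with two booleans switched on.
SAMPLE_GETSEBOOL=$(printf '%s\n' "$FTPD_BOOL_DEFAULTS" | awk '
    { v = ($1 == "ftpd_full_access" || $1 == "ftpd_connect_db") ? "on" : $2; print $1, "-->", v }')

# On a real host: audit_ftpd_booleans "$(getsebool -a)"
audit_ftpd_booleans "$SAMPLE_GETSEBOOL" || echo "ftpd policy deviates from the documented defaults"
```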

PORT TYPES

SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following
command:

semanage port -l

Policy governs the access confined processes have to these ports.
SELinux ftpd policy is very flexible, allowing users to set up their ftpd
processes as securely as possible.

The following port types are defined for ftpd:

ftp_data_port_t

Default Defined Ports:
tcp 20

ftp_port_t

Default Defined Ports:
tcp 21,989,990
udp 989,990

MANAGED FILES

The SELinux process type ftpd_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC permissions.

cifs_t

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

ftpd_lock_t

/var/lock/subsys/*.ftpd

ftpd_tmp_t

ftpd_tmpfs_t

ftpd_var_run_t

/var/run/proftpd.*

fusefs_t

/var/run/user/[0-9]+/gvfs

httpd_user_content_t

/home/[^/]+/((www)|(web)|(public_html))(/.+)?

initrc_var_run_t

/var/run/utmp
/var/run/random-seed
/var/run/runlevel.dir
/var/run/setmixer_flag

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

lastlog_t

/var/log/lastlog.*

nfs_t

non_security_file_type

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

user_home_t

/home/[^/]+/.+

user_tmp_t

/dev/shm/mono.*
/var/run/user/[^/]+
/tmp/.ICE-unix(/.*)?
/tmp/.X11-unix(/.*)?
/dev/shm/pulse-shm.*
/tmp/.X0-lock
/var/run/user
/tmp/hsperfdata_root
/var/tmp/hsperfdata_root
/home/[^/]+/tmp
/home/[^/]+/.tmp
/var/run/user/[0-9]+
/tmp/gconfd-[^/]+

var_auth_t

/var/ace(/.*)?
/var/rsa(/.*)?
/var/lib/abl(/.*)?
/var/lib/rsa(/.*)?
/var/lib/pam_ssh(/.*)?
/var/lib/pam_shield(/.*)?
/var/opt/quest/vas/vasd(/.*)?
/var/lib/google-authenticator(/.*)?

wtmp_t

/var/log/wtmp.*

xferlog_t

/var/log/vsftpd.*
/var/log/xferlog.*
/var/log/proftpd(/.*)?
/var/log/xferreport.*
/var/log/muddleftpd.log.*
/var/log/proftpd.log
/usr/libexec/webmin/vsftpd/webalizer/xfer_log

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux ftpd policy is very flexible, allowing users to set up their ftpd
processes as securely as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for ftpd. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
restorecon -R -v /srv/myftpd_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for ftpd:

ftpd_etc_t

- Set files with the ftpd_etc_t type, if you want to store ftpd files
in the /etc directories.

ftpd_exec_t

- Set files with the ftpd_exec_t type, if you want to transition an
executable to the ftpd_t domain.

Paths:
/usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
/usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
/etc/cron.monthly/proftpd

ftpd_initrc_exec_t

- Set files with the ftpd_initrc_exec_t type, if you want to transition
an executable to the ftpd_initrc_t domain.

Paths:
/etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd

ftpd_keytab_t

- Set files with the ftpd_keytab_t type, if you want to treat the files
as kerberos keytab files.

ftpd_lock_t

- Set files with the ftpd_lock_t type, if you want to treat the files
as ftpd lock data, stored under the /var/lock directory.

ftpd_tmp_t

- Set files with the ftpd_tmp_t type, if you want to store ftpd
temporary files in the /tmp directories.

ftpd_tmpfs_t

- Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
on a tmpfs file system.

ftpd_unit_file_t

- Set files with the ftpd_unit_file_t type, if you want to treat the
files as ftpd unit content.

ftpd_var_run_t

- Set files with the ftpd_var_run_t type, if you want to store the ftpd
files under the /run or /var/run directory.

ftpdctl_exec_t

- Set files with the ftpdctl_exec_t type, if you want to transition an
executable to the ftpdctl_t domain.

ftpdctl_tmp_t

- Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl
temporary files in the /tmp directories.

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

SHARING FILES

If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t or
public_content_rw_t. These contexts allow any of the above domains to
read the content. If you want a particular domain to write to files
labeled public_content_rw_t, you must set the appropriate boolean.

Allow ftpd servers to read the /var/ftpd directory by adding the
public_content_t file type to the directory and by restoring the file
type.

semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
restorecon -F -R -v /var/ftpd

Allow ftpd servers to read and write /var/ftpd/incoming by adding the
public_content_rw_t type to the directory and by restoring the file
type. You also need to turn on the ftpd_anon_write boolean.

semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
restorecon -F -R -v /var/ftpd/incoming
setsebool -P ftpd_anon_write 1

If you want to allow ftpd to modify public files used for public file
transfer services, you must turn on the ftpd_anon_write boolean. The
directories and files must be labeled public_content_rw_t.

setsebool -P ftpd_anon_write 1

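An added verification step, not part of this manual page: after the semanage and restorecon commands above, this POSIX shell check reads a context listing of /var/ftpd (in the form GNU find's -printf '%Z %p\n' prints, which is assumed to be available) and reports any path whose type does not match the layout just described. The listing below is constructed sample data.

```shell
# expected_ftpd_type PATH: the type the SHARING FILES procedure assigns to PATH
# (public_content_rw_t under /var/ftpd/incoming, public_content_t elsewhere in
# /var/ftpd, nothing for paths outside the share).
expected_ftpd_type() {
    case $1 in
        /var/ftpd/incoming|/var/ftpd/incoming/*) echo public_content_rw_t ;;
        /var/ftpd|/var/ftpd/*) echo public_content_t ;;
        *) echo "" ;;
    esac
}

# check_ftpd_share_labels LISTING: LISTING holds "context path" lines as
# produced by `find /var/ftpd -printf '%Z %p\n'`. Prints one line per path
# whose type field differs from the expected type; returns 1 on any mismatch.
check_ftpd_share_labels() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        ftype=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type:level
        want=$(expected_ftpd_type "$path")
        [ -n "$want" ] || continue
        if [ "$ftype" != "$want" ]; then
            printf 'MISMATCH %s is %s, expected %s\n' "$path" "$ftype" "$want"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed listing: report.pdf was moved in from a home directory and kept
# user_home_t (mv preserves the label, so ftpd cannot read it); upload.bin sits
# in the writable tree with the read-only type.
SAMPLE_LISTING='system_u:object_r:public_content_t:s0 /var/ftpd
system_u:object_r:public_content_t:s0 /var/ftpd/pub
unconfined_u:object_r:user_home_t:s0 /var/ftpd/pub/report.pdf
system_u:object_r:public_content_rw_t:s0 /var/ftpd/incoming
system_u:object_r:public_content_t:s0 /var/ftpd/incoming/upload.bin'

# On a real host: check_ftpd_share_labels "$(find /var/ftpd -printf '%Z %p\n')"
check_ftpd_share_labels "$SAMPLE_LISTING" || echo "run: restorecon -F -R -v /var/ftpd"
```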
COMMANDS

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8)

ftpd                            23-02-03                       ftpd_selinux(8)