ftpd_selinux(8)                SELinux Policy ftpd              ftpd_selinux(8)



NAME

       ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes

DESCRIPTION

       Security-Enhanced Linux secures the ftpd processes via flexible
       mandatory access control.

       The ftpd processes execute with the ftpd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep ftpd_t


ENTRYPOINTS

       The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.

       The default entrypoint paths for the ftpd_t domain are the following:

       /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
       /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
       /etc/cron.monthly/proftpd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       ftpd policy is very flexible, allowing users to set up their ftpd
       processes as securely as possible.

       The following process types are defined for ftpd:

       ftpd_t, ftpdctl_t

       Note: semanage permissive -a ftpd_t can be used to make the process
       type ftpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated.


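       The denial messages the note above refers to are written to the audit
       log as AVC records. The following Python is an added example, not part
       of this generated page: it parses such records, keeps only those whose
       source domain is ftpd_t, counts them by what was denied, and reports
       whether any were logged with permissive=1, which is the state you get
       after semanage permissive -a ftpd_t (access logged but not blocked).
       The audit lines are constructed for the example; only the field layout
       follows the standard AVC record format.

```python
"""Summarize SELinux AVC denials for the ftpd_t domain from audit.log records.

Added example; the audit lines below are constructed, not taken from a real host.
"""
import re
from collections import Counter

# Pull the fields we need out of one AVC record. auditd emits them in this order:
# "avc: denied { perms } for pid=... comm=... scontext=... tcontext=... tclass=... [permissive=N]"
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": m.group("comm"),
        # A context is user:role:type[:level]; the type field is the domain / file type.
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def summarize_denials(lines, domain="ftpd_t"):
    """Count denials whose source domain is `domain`, keyed by what was denied.

    Returns (Counter keyed by (target type, object class, perms), permissive_seen).
    permissive_seen is True if any record carried permissive=1, meaning the access
    was logged but not blocked, as after `semanage permissive -a ftpd_t`.
    """
    counts = Counter()
    permissive_seen = False
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["sdomain"] != domain:
            continue
        counts[(rec["ttype"], rec["tclass"], rec["perms"])] += 1
        permissive_seen = permissive_seen or rec["permissive"]
    return counts, permissive_seen


# Constructed sample records: two reads of a home-directory file, one TCP connect
# to a database port while ftpd_t was permissive, one unrelated httpd_t denial,
# and a non-AVC line that must be ignored.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1675425600.101:201): avc:  denied  { read } for  pid=2211 '
    'comm="vsftpd" name="notes.txt" dev="dm-0" ino=40112 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1675425600.102:202): avc:  denied  { read } for  pid=2211 '
    'comm="vsftpd" name="notes.txt" dev="dm-0" ino=40112 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1675425601.300:203): avc:  denied  { name_connect } for  pid=2211 '
    'comm="vsftpd" dest=5432 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1675425602.000:204): avc:  denied  { write } for  pid=9001 '
    'comm="httpd" name="index.html" dev="dm-0" ino=555 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1675425602.000:204): arch=c000003e syscall=257 success=no exit=-13',
]

if __name__ == "__main__":
    counts, permissive = summarize_denials(SAMPLE_AUDIT)
    for (ttype, tclass, perms), n in counts.most_common():
        print(f"{n:3d}  ftpd_t -> {ttype} ({tclass}): {' '.join(perms)}")
    if permissive:
        print("some records were permissive=1: ftpd_t was logged but not blocked")
```

       Grouping by target type and class is what makes the summary readable:
       the two home-directory reads collapse into one line, and the database
       connect shows up separately as something the ftpd_connect_db boolean
       described below would govern. Run against a real host, the input would
       come from ausearch -m avc or from reading /var/log/audit/audit.log.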
BOOLEANS

       SELinux policy is customizable based on least access required. ftpd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run ftpd with the tightest access possible.

       If you want to allow ftpd to connect to all unreserved ports, you must
       turn on the ftpd_connect_all_unreserved boolean. Disabled by default.

       setsebool -P ftpd_connect_all_unreserved 1

       If you want to allow ftpd to connect to databases over the TCP network,
       you must turn on the ftpd_connect_db boolean. Disabled by default.

       setsebool -P ftpd_connect_db 1

       If you want to allow ftpd to log in local users and to read and write
       all files on the system, limited only by DAC, you must turn on the
       ftpd_full_access boolean. Disabled by default.

       setsebool -P ftpd_full_access 1

       If you want to allow ftpd to use CIFS shares for public file transfer
       services, you must turn on the ftpd_use_cifs boolean. Disabled by
       default.

       setsebool -P ftpd_use_cifs 1

       If you want to allow ftpd to use ntfs/fusefs volumes, you must turn on
       the ftpd_use_fusefs boolean. Disabled by default.

       setsebool -P ftpd_use_fusefs 1

       If you want to allow ftpd to use NFS shares for public file transfer
       services, you must turn on the ftpd_use_nfs boolean. Disabled by
       default.

       setsebool -P ftpd_use_nfs 1

       If you want to allow ftpd to bind to all unreserved ports for passive
       mode, you must turn on the ftpd_use_passive_mode boolean. Disabled by
       default.

       setsebool -P ftpd_use_passive_mode 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


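       Each boolean above is documented with its default, which makes the
       list usable as a least-access baseline. The following Python is an
       added example, not part of this generated page: it parses the output of
       getsebool -a and reports every ftpd-related boolean that deviates from
       the default stated above, separating booleans that were switched on
       (more access than the default policy grants) from booleans that were
       switched off (less access, which usually shows up as breakage rather
       than exposure). The getsebool output is constructed for the example;
       the table of defaults is copied from this section.

```python
"""Compare the ftpd-related SELinux booleans on a host with the defaults this page lists.

Added example; the getsebool output below is constructed, not captured from a host.
"""

# Defaults as documented in the BOOLEANS section (True = enabled by default).
FTPD_BOOLEAN_DEFAULTS = {
    "ftpd_connect_all_unreserved": False,
    "ftpd_connect_db": False,
    "ftpd_full_access": False,
    "ftpd_use_cifs": False,
    "ftpd_use_fusefs": False,
    "ftpd_use_nfs": False,
    "ftpd_use_passive_mode": False,
    "fips_mode": True,
    "kerberos_enabled": True,
    "nis_enabled": False,
    "use_nfs_home_dirs": False,
    "use_samba_home_dirs": False,
}


def parse_getsebool(output):
    """Parse `getsebool -a` output, one "name --> on|off" per line, into {name: bool}."""
    state = {}
    for line in output.splitlines():
        line = line.strip()
        if " --> " not in line:
            continue  # blank line or something that is not a boolean row
        name, _, value = line.partition(" --> ")
        state[name.strip()] = value.strip() == "on"
    return state


def audit_ftpd_booleans(output, defaults=FTPD_BOOLEAN_DEFAULTS):
    """Report booleans that deviate from their documented default.

    widened:  enabled although the default is off, so ftpd has more access than
              the stock policy grants (ftpd_full_access is the one to look at
              hardest: DAC-only read/write of the whole file system).
    narrowed: disabled although the default is on (e.g. kerberos_enabled off).
    missing:  not present in the output at all, e.g. a policy version that
              does not ship the boolean; treated as default for the other lists.
    """
    state = parse_getsebool(output)
    widened = sorted(n for n, d in defaults.items() if not d and state.get(n, d))
    narrowed = sorted(n for n, d in defaults.items() if d and not state.get(n, d))
    missing = sorted(n for n in defaults if n not in state)
    return {"widened": widened, "narrowed": narrowed, "missing": missing}


# Constructed sample of `getsebool -a`, trimmed to the rows that matter here.
SAMPLE_GETSEBOOL = """\
fips_mode --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> on
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> on
kerberos_enabled --> off
nis_enabled --> off
use_nfs_home_dirs --> off
"""

if __name__ == "__main__":
    report = audit_ftpd_booleans(SAMPLE_GETSEBOOL)
    for kind, names in report.items():
        print(f"{kind:9s} {', '.join(names) or '-'}")
```

       ftpd_use_passive_mode will often be in the widened list on a working
       server, since passive-mode data connections need it; the point of the
       report is to make every deviation deliberate, and in particular to make
       ftpd_full_access impossible to overlook. To run it on a real host,
       replace SAMPLE_GETSEBOOL with the output of getsebool -a.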
PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux ftpd policy is very flexible, allowing users to set up their
       ftpd processes as securely as possible.

       The following port types are defined for ftpd:

       ftp_data_port_t

       Default Defined Ports:
                 tcp 20

       ftp_port_t

       Default Defined Ports:
                 tcp 21,989,990
                 udp 989,990


MANAGED FILES

       The SELinux process type ftpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       ftpd_lock_t

            /var/lock/subsys/*.ftpd

       ftpd_tmp_t

       ftpd_tmpfs_t

       ftpd_var_run_t

            /var/run/proftpd.*

       fusefs_t

            /var/run/user/[0-9]+/gvfs

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       initrc_var_run_t

            /var/run/utmp
            /var/run/random-seed
            /var/run/runlevel.dir
            /var/run/setmixer_flag

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       nfs_t

       non_security_file_type

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       user_home_t

            /home/[^/]+/.+

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

       wtmp_t

            /var/log/wtmp.*

       xferlog_t

            /var/log/vsftpd.*
            /var/log/xferlog.*
            /var/log/proftpd(/.*)?
            /var/log/xferreport.*
            /var/log/muddleftpd.log.*
            /var/log/proftpd.log
            /usr/libexec/webmin/vsftpd/webalizer/xfer_log


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux ftpd policy is very flexible, allowing users to set up their
       ftpd processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for ftpd. If you want to store
       files with these types under a different path, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t ftpdctl_tmp_t '/srv/myftpd_content(/.*)?'
       restorecon -R -v /srv/myftpd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for ftpd:

       ftpd_etc_t

       - Set files with the ftpd_etc_t type, if you want to store ftpd files
       in the /etc directories.

       ftpd_exec_t

       - Set files with the ftpd_exec_t type, if you want to transition an
       executable to the ftpd_t domain.

       Paths:
            /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
            /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
            /etc/cron.monthly/proftpd

       ftpd_initrc_exec_t

       - Set files with the ftpd_initrc_exec_t type, if you want to transition
       an executable to the ftpd_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd

       ftpd_keytab_t

       - Set files with the ftpd_keytab_t type, if you want to treat the files
       as kerberos keytab files.

       ftpd_lock_t

       - Set files with the ftpd_lock_t type, if you want to treat the files
       as ftpd lock data, stored under the /var/lock directory.

       ftpd_tmp_t

       - Set files with the ftpd_tmp_t type, if you want to store ftpd
       temporary files in the /tmp directories.

       ftpd_tmpfs_t

       - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
       on a tmpfs file system.

       ftpd_unit_file_t

       - Set files with the ftpd_unit_file_t type, if you want to treat the
       files as ftpd unit content.

       ftpd_var_run_t

       - Set files with the ftpd_var_run_t type, if you want to store the ftpd
       files under the /run or /var/run directory.

       ftpdctl_exec_t

       - Set files with the ftpdctl_exec_t type, if you want to transition an
       executable to the ftpdctl_t domain.

       ftpdctl_tmp_t

       - Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl
       temporary files in the /tmp directories.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow ftpd servers to read the /var/ftpd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
       restorecon -F -R -v /var/ftpd

       Allow ftpd servers to read and write /var/ftpd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the ftpd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
       restorecon -F -R -v /var/ftpd/incoming
       setsebool -P ftpd_anon_write 1

       If you want to allow ftpd to modify public files used for public file
       transfer services, you must turn on the ftpd_anon_write boolean. The
       directories and files must be labeled public_content_rw_t.

       setsebool -P ftpd_anon_write 1


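       The FILE CONTEXTS note says that labels are specified as regular
       expressions, and the two semanage fcontext rules above nest: every path
       under /var/ftpd/incoming also matches "/var/ftpd(/.*)?". The following
       Python is an added example, not part of this generated page, that shows
       how such rules resolve before restorecon is run against a live system.
       Its ordering is an approximation of libselinux behaviour, stated here
       as an assumption: regexes are anchored with ^ and $, entries are tried
       in order and the last match wins, and local customizations added with
       semanage fcontext -a sit after the policy's own entries. File-type
       qualifiers such as -d or -- are not modelled. The regexes are copied
       from the MANAGED FILES and SHARING FILES sections; the sample paths are
       constructed.

```python
"""Predict the SELinux file type that file-context regexes would assign to a path.

Added example. Matching order approximates libselinux (last match wins, local
customizations after policy entries); file-type qualifiers are not modelled.
"""
import re

# Policy entries, copied from the MANAGED FILES section, least specific first.
BASE_RULES = [
    (r"/", "root_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/home/[^/]+/((www)|(web)|(public_html))(/.+)?", "httpd_user_content_t"),
    (r"/var/log/vsftpd.*", "xferlog_t"),
    (r"/var/run/proftpd.*", "ftpd_var_run_t"),
]

# Local customizations, in the order the SHARING FILES section adds them.
LOCAL_RULES = [
    (r"/var/ftpd(/.*)?", "public_content_t"),
    (r"/var/ftpd/incoming(/.*)?", "public_content_rw_t"),
]


def compile_rules(rules):
    """Anchor each regex (^pattern$), so "/var/ftpd(/.*)?" covers /var/ftpd and
    everything below it but not /var/ftpdata."""
    return [(re.compile("^" + pattern + "$"), ftype) for pattern, ftype in rules]


RULES = compile_rules(BASE_RULES + LOCAL_RULES)


def predict_label(path, rules=RULES):
    """Return the type of the last matching rule, or None if no rule covers the path."""
    label = None
    for regex, ftype in rules:
        if regex.match(path):
            label = ftype  # a later match overrides an earlier one
    return label


def explain(path, rules=RULES):
    """List every matching (pattern, type) in order, so the override is visible."""
    return [(regex.pattern, ftype) for regex, ftype in rules if regex.match(path)]


if __name__ == "__main__":
    # Constructed sample paths.
    for p in ["/var/ftpd", "/var/ftpd/pub/readme.txt", "/var/ftpd/incoming/upload.bin",
              "/var/ftpdata", "/home/alice/notes.txt",
              "/home/alice/public_html/index.html", "/var/log/vsftpd.log"]:
        print(f"{p:40s} -> {predict_label(p)}")
    for pattern, ftype in explain("/var/ftpd/incoming/upload.bin"):
        print(f"  matched {pattern} ({ftype})")
```

       The explain() output for /var/ftpd/incoming/upload.bin lists both
       public_content_t and public_content_rw_t, with the writable label
       winning because it was added second; adding the rules in the opposite
       order would leave the incoming directory read-only. On a real host,
       matchpathcon or selabel_lookup gives the authoritative answer, and
       restorecon -n -v shows what would change without relabeling.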
COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)



ftpd                               23-02-03                    ftpd_selinux(8)