1ftpd_selinux(8) SELinux Policy ftpd ftpd_selinux(8)
2
6 ftpd_selinux - Security Enhanced Linux Policy for the ftpd processes
7
9 Security-Enhanced Linux secures the ftpd processes via flexible manda‐
10 tory access control.
11 The ftpd processes execute with the ftpd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep ftpd_t
19
23 The ftpd_t SELinux type can be entered via the ftpd_exec_t file type.
24 The default entrypoint paths for the ftpd_t domain are the following:
26 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
28 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
29 /etc/cron.monthly/proftpd
30
32 SELinux defines process types (domains) for each process running on the
33 system
34 You can see the context of a process using the -Z option to ps
36 Policy governs the access confined processes have to files. SELinux
38 ftpd policy is very flexible allowing users to setup their ftpd pro‐
39 cesses in as secure a method as possible.
40 The following process types are defined for ftpd:
42 ftpd_t, ftpdctl_t
44 Note: semanage permissive -a ftpd_t can be used to make the process
46 type ftpd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
52 SELinux policy is customizable based on least access required. ftpd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run ftpd with the tightest access possible.
55 If you want to determine whether ftpd can connect to all unreserved
59 ports, you must turn on the ftpd_connect_all_unreserved boolean. Dis‐
60 abled by default.
61 setsebool -P ftpd_connect_all_unreserved 1
63 If you want to determine whether ftpd can connect to databases over the
67 TCP network, you must turn on the ftpd_connect_db boolean. Disabled by
68 default.
69 setsebool -P ftpd_connect_db 1
71 If you want to determine whether ftpd can login to local users and can
75 read and write all files on the system, governed by DAC, you must turn
76 on the ftpd_full_access boolean. Disabled by default.
77 setsebool -P ftpd_full_access 1
79 If you want to determine whether ftpd can use CIFS used for public file
83 transfer services, you must turn on the ftpd_use_cifs boolean. Disabled
84 by default.
85 setsebool -P ftpd_use_cifs 1
87 If you want to allow ftpd to use ntfs/fusefs volumes, you must turn on
91 the ftpd_use_fusefs boolean. Disabled by default.
92 setsebool -P ftpd_use_fusefs 1
94 If you want to determine whether ftpd can use NFS used for public file
98 transfer services, you must turn on the ftpd_use_nfs boolean. Disabled
99 by default.
100 setsebool -P ftpd_use_nfs 1
102 If you want to determine whether ftpd can bind to all unreserved ports
106 for passive mode, you must turn on the ftpd_use_passive_mode boolean.
107 Disabled by default.
108 setsebool -P ftpd_use_passive_mode 1
110 If you want to dontaudit all daemons scheduling requests (setsched,
114 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
115 Enabled by default.
116 setsebool -P daemons_dontaudit_scheduling 1
118 If you want to allow all domains to execute in fips_mode, you must turn
122 on the fips_mode boolean. Enabled by default.
123 setsebool -P fips_mode 1
125 If you want to allow confined applications to run with kerberos, you
129 must turn on the kerberos_enabled boolean. Enabled by default.
130 setsebool -P kerberos_enabled 1
132 If you want to allow system to run with NIS, you must turn on the
136 nis_enabled boolean. Disabled by default.
137 setsebool -P nis_enabled 1
139 If you want to support NFS home directories, you must turn on the
143 use_nfs_home_dirs boolean. Disabled by default.
144 setsebool -P use_nfs_home_dirs 1
146 If you want to support SAMBA home directories, you must turn on the
150 use_samba_home_dirs boolean. Disabled by default.
151 setsebool -P use_samba_home_dirs 1
153
157 SELinux defines port types to represent TCP and UDP ports.
158 You can see the types associated with a port by using the following
160 command:
161 semanage port -l
163 Policy governs the access confined processes have to these ports.
166 SELinux ftpd policy is very flexible allowing users to setup their ftpd
167 processes in as secure a method as possible.
168 The following port types are defined for ftpd:
170 ftp_data_port_t
173 Default Defined Ports:
177 tcp 20
178 ftp_port_t
181 Default Defined Ports:
185 tcp 21,989,990
186 udp 989,990
187
189 The SELinux process type ftpd_t can manage files labeled with the fol‐
190 lowing file types. The paths listed are the default paths for these
191 file types. Note the processes UID still need to have DAC permissions.
192 cifs_t
194 cluster_conf_t
197 /etc/cluster(/.*)?
199 cluster_var_lib_t
201 /var/lib/pcsd(/.*)?
203 /var/lib/cluster(/.*)?
204 /var/lib/openais(/.*)?
205 /var/lib/pengine(/.*)?
206 /var/lib/corosync(/.*)?
207 /usr/lib/heartbeat(/.*)?
208 /var/lib/heartbeat(/.*)?
209 /var/lib/pacemaker(/.*)?
210 cluster_var_run_t
212 /var/run/crm(/.*)?
214 /var/run/cman_.*
215 /var/run/rsctmp(/.*)?
216 /var/run/aisexec.*
217 /var/run/heartbeat(/.*)?
218 /var/run/pcsd-ruby.socket
219 /var/run/corosync-qnetd(/.*)?
220 /var/run/corosync-qdevice(/.*)?
221 /var/run/corosync.pid
222 /var/run/cpglockd.pid
223 /var/run/rgmanager.pid
224 /var/run/cluster/rgmanager.sk
225 faillog_t
227 /var/log/btmp.*
229 /var/log/faillog.*
230 /var/log/tallylog.*
231 /var/run/faillock(/.*)?
232 ftpd_lock_t
234 /var/lock/subsys/*.ftpd
236 ftpd_tmp_t
238 ftpd_tmpfs_t
241 ftpd_var_run_t
244 /var/run/proftpd.*
246 fusefs_t
248 /var/run/user/[0-9]+/gvfs
250 httpd_user_content_t
252 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
254 initrc_var_run_t
256 /var/run/utmp
258 /var/run/random-seed
259 /var/run/runlevel.dir
260 /var/run/setmixer_flag
261 krb5_host_rcache_t
263 /var/tmp/krb5_0.rcache2
265 /var/cache/krb5rcache(/.*)?
266 /var/tmp/nfs_0
267 /var/tmp/DNS_25
268 /var/tmp/host_0
269 /var/tmp/imap_0
270 /var/tmp/HTTP_23
271 /var/tmp/HTTP_48
272 /var/tmp/ldap_55
273 /var/tmp/ldap_487
274 /var/tmp/ldapmap1_0
275 lastlog_t
277 /var/log/lastlog.*
279 nfs_t
281 non_security_file_type
284 root_t
287 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
289 /
290 /initrd
291 security_t
293 /selinux
295 user_home_t
297 /home/[^/]+/.+
299 user_tmp_t
301 /dev/shm/mono.*
303 /var/run/user/[^/]+
304 /tmp/.ICE-unix(/.*)?
305 /tmp/.X11-unix(/.*)?
306 /dev/shm/pulse-shm.*
307 /tmp/.X0-lock
308 /var/run/user
309 /tmp/hsperfdata_root
310 /var/tmp/hsperfdata_root
311 /home/[^/]+/tmp
312 /home/[^/]+/.tmp
313 /var/run/user/[0-9]+
314 /tmp/gconfd-[^/]+
315 var_auth_t
317 /var/ace(/.*)?
319 /var/rsa(/.*)?
320 /var/lib/abl(/.*)?
321 /var/lib/rsa(/.*)?
322 /var/lib/pam_ssh(/.*)?
323 /var/lib/pam_shield(/.*)?
324 /var/opt/quest/vas/vasd(/.*)?
325 /var/lib/google-authenticator(/.*)?
326 wtmp_t
328 /var/log/wtmp.*
330 xferlog_t
332 /var/log/vsftpd.*
334 /var/log/xferlog.*
335 /var/log/proftpd(/.*)?
336 /var/log/xferreport.*
337 /var/log/muddleftpd.log.*
338 /var/log/proftpd.log
339 /usr/libexec/webmin/vsftpd/webalizer/xfer_log
340
343 SELinux requires files to have an extended attribute to define the file
344 type.
345 You can see the context of a file using the -Z option to ls
347 Policy governs the access confined processes have to these files.
349 SELinux ftpd policy is very flexible allowing users to setup their ftpd
350 processes in as secure a method as possible.
351 STANDARD FILE CONTEXT
353 SELinux defines the file context types for the ftpd, if you wanted to
355 store files with these types in a different paths, you need to execute
356 the semanage command to specify alternate labeling and then use re‐
357 storecon to put the labels on disk.
358 semanage fcontext -a -t ftpd_exec_t '/srv/ftpd/content(/.*)?'
360 restorecon -R -v /srv/myftpd_content
361 Note: SELinux often uses regular expressions to specify labels that
363 match multiple files.
364 The following file types are defined for ftpd:
366 ftpd_etc_t
370 - Set files with the ftpd_etc_t type, if you want to store ftpd files
372 in the /etc directories.
373 ftpd_exec_t
377 - Set files with the ftpd_exec_t type, if you want to transition an ex‐
379 ecutable to the ftpd_t domain.
380 Paths:
383 /usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in.ftpd,
384 /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd,
385 /etc/cron.monthly/proftpd
386 ftpd_initrc_exec_t
389 - Set files with the ftpd_initrc_exec_t type, if you want to transition
391 an executable to the ftpd_initrc_t domain.
392 Paths:
395 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd
396 ftpd_keytab_t
399 - Set files with the ftpd_keytab_t type, if you want to treat the files
401 as kerberos keytab files.
402 ftpd_lock_t
406 - Set files with the ftpd_lock_t type, if you want to treat the files
408 as ftpd lock data, stored under the /var/lock directory
409 ftpd_tmp_t
413 - Set files with the ftpd_tmp_t type, if you want to store ftpd tempo‐
415 rary files in the /tmp directories.
416 ftpd_tmpfs_t
420 - Set files with the ftpd_tmpfs_t type, if you want to store ftpd files
422 on a tmpfs file system.
423 ftpd_unit_file_t
427 - Set files with the ftpd_unit_file_t type, if you want to treat the
429 files as ftpd unit content.
430 Paths:
433 /usr/lib/systemd/system/vsftpd.*, /usr/lib/systemd/sys‐
434 tem/proftpd.*
435 ftpd_var_run_t
438 - Set files with the ftpd_var_run_t type, if you want to store the ftpd
440 files under the /run or /var/run directory.
441 ftpdctl_exec_t
445 - Set files with the ftpdctl_exec_t type, if you want to transition an
447 executable to the ftpdctl_t domain.
448 ftpdctl_tmp_t
452 - Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl
454 temporary files in the /tmp directories.
455 Note: File context can be temporarily modified with the chcon command.
459 If you want to permanently change the file context you need to use the
460 semanage fcontext command. This will modify the SELinux labeling data‐
461 base. You will need to use restorecon to apply the labels.
462
465 If you want to share files with multiple domains (Apache, FTP, rsync,
466 Samba), you can set a file context of public_content_t and public_con‐
467 tent_rw_t. These context allow any of the above domains to read the
468 content. If you want a particular domain to write to the public_con‐
469 tent_rw_t domain, you must set the appropriate boolean.
470 Allow ftpd servers to read the /var/ftpd directory by adding the pub‐
472 lic_content_t file type to the directory and by restoring the file
473 type.
474 semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
476 restorecon -F -R -v /var/ftpd
477 Allow ftpd servers to read and write /var/ftpd/incoming by adding the
479 public_content_rw_t type to the directory and by restoring the file
480 type. You also need to turn on the ftpd_anon_write boolean.
481 semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
483 restorecon -F -R -v /var/ftpd/incoming
484 setsebool -P ftpd_anon_write 1
485 If you want to determine whether ftpd can modify public files used for
488 public file transfer services. Directories/Files must be labeled pub‐
489 lic_content_rw_t., you must turn on the ftpd_anon_write boolean.
490 setsebool -P ftpd_anon_write 1
492
495 semanage fcontext can also be used to manipulate default file context
496 mappings.
497 semanage permissive can also be used to manipulate whether or not a
499 process type is permissive.
500 semanage module can also be used to enable/disable/install/remove pol‐
502 icy modules.
503 semanage port can also be used to manipulate the port definitions
505 semanage boolean can also be used to manipulate the booleans
507 system-config-selinux is a GUI tool available to customize SELinux pol‐
510 icy settings.
511
514 This manual page was auto-generated using sepolicy manpage .
515
518 selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
519 setsebool(8)
520ftpd 23-10-20 ftpd_selinux(8)