ftpd_selinux(8)       ftpd SELinux Policy documentation       ftpd_selinux(8)

NAME
ftpd_selinux - Security Enhanced Linux Policy for the ftp daemon

DESCRIPTION
Security-Enhanced Linux secures the ftpd server via flexible mandatory
access control.

FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file
type. Policy governs the access daemons have to these files. If you
want to share files anonymously, you must label the files and
directories public_content_t. So if you created a special directory
/var/ftp, you would need to label the directory with the chcon tool.

    chcon -R -t public_content_t /var/ftp

If you want to set up a directory to which files can be uploaded, you
must label the files and directories public_content_rw_t. So if you
created a special directory /var/ftp/incoming, you would need to label
the directory with the chcon tool.

    chcon -t public_content_rw_t /var/ftp/incoming

You must also turn on the boolean allow_ftpd_anon_write.

    setsebool -P allow_ftpd_anon_write=1

If you want to make these labels permanent, i.e. survive a relabel, you
must add entries to the file_contexts.local file.

    /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
    /var/ftp(/.*)? system_u:object_r:public_content_t
    /var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
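
The following is an added example, not part of the original manual page: it predicts which label a path receives from the two file_contexts.local entries above and whether anonymous upload would then be permitted. It assumes that when several entries match a path, the last one in the file wins; the helper names and sample paths are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the two file_contexts.local entries shown above.
SAMPLE_CONTEXTS='/var/ftp(/.*)? system_u:object_r:public_content_t
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t'

# expected_context ENTRIES PATH   (hypothetical helper)
# Prints the context of the last entry whose regex matches PATH in full.
# Assumption: a later matching entry overrides an earlier one.
expected_context() {
    result='<<none>>'
    while read -r regex context; do
        case $regex in ''|'#'*) continue ;; esac   # skip blanks and comments
        if printf '%s\n' "$2" | grep -Eqx -- "$regex"; then
            result=$context
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# anon_upload_ready ENTRIES PATH BOOLEAN   (hypothetical helper)
# Succeeds only when PATH resolves to public_content_rw_t AND the
# allow_ftpd_anon_write value passed in is 1; the page requires both.
anon_upload_ready() {
    case $(expected_context "$1" "$2") in
        *:public_content_rw_t) [ "$3" = 1 ] ;;
        *) return 1 ;;
    esac
}

# Demo on constructed paths.
for p in /var/ftp/pub/readme.txt /var/ftp/incoming/upload.bin /var/ftpd; do
    printf '%-32s %s\n' "$p" "$(expected_context "$SAMPLE_CONTEXTS" "$p")"
done
```

On a live system, matchpathcon(8) reports the context the installed policy would assign to a path.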

BOOLEANS
SELinux ftp daemon policy is customizable based on least access
required. So by default SELinux does not allow users to log in and read
their home directories.
If you are setting up this machine as an ftpd server and wish to allow
users to access their home directories, you need to set the
ftp_home_dir boolean.

    setsebool -P ftp_home_dir 1

ftpd can run either as a standalone daemon or as part of the xinetd
domain. If you want to run ftpd as a daemon you must set the
ftpd_is_daemon boolean.

    setsebool -P ftpd_is_daemon 1
    service vsftpd restart

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
selinux(8), ftpd(8), chcon(1), setsebool(8)

dwalsh@redhat.com                 17 Jan 2005                 ftpd_selinux(8)