ftpd_selinux(8)        ftpd Selinux Policy documentation       ftpd_selinux(8)

NAME

       ftpd_selinux - Security Enhanced Linux Policy for the ftp daemon

DESCRIPTION

       Security-Enhanced Linux secures the ftpd server via flexible mandatory
       access control.

FILE_CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type. Policy governs the access daemons have to these files. If you
       want to share files anonymously, you must label the files and
       directories public_content_t. So if you created a special directory
       /var/ftp, you would need to label the directory with the chcon tool.

       chcon -R -t public_content_t /var/ftp

       If you want to set up a directory to which files can be uploaded, you
       must label the files and directories public_content_rw_t. So if you
       created a special directory /var/ftp/incoming, you would need to label
       the directory with the chcon tool.

       chcon -t public_content_rw_t /var/ftp/incoming

       You must also turn on the boolean allow_ftpd_anon_write.

       setsebool -P allow_ftpd_anon_write=1

       If you want to make this permanent, i.e. survive a relabel, you must
       add an entry to the file_contexts.local file.

       /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
              /var/ftp(/.*)?          system_u:object_r:public_content_t
              /var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
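
       The script below is an added example, not part of the original manual
       page: it parses entries in the file_contexts.local format shown above
       and reports when allow_ftpd_anon_write is on without any
       public_content_rw_t path, or off while an upload path is labeled. The
       function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit public content labels against allow_ftpd_anon_write.

# Print "RW <regex>" or "RO <regex>" for each public content entry in a
# file_contexts.local-style file (fields: path-regex [file-type] context).
list_public_content() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            n = split($NF, ctx, ":")       # user:role:type[:level]
            if (n < 3) next                # not a full security context
            if (ctx[3] == "public_content_rw_t") print "RW", $1
            else if (ctx[3] == "public_content_t") print "RO", $1
        }' "$1"
}

# Compare the boolean state ("on" or "off") with the labels found.
# On a live system the state could be read with:
#   getsebool allow_ftpd_anon_write | awk '{ print $NF }'
check_anon_write() {
    file=$1
    state=$2
    rw=$(list_public_content "$file" | awk '$1 == "RW" { n++ } END { print n + 0 }')
    if [ "$state" = on ] && [ "$rw" -eq 0 ]; then
        echo "WARN: boolean on, but no public_content_rw_t path is defined"
    elif [ "$state" = off ] && [ "$rw" -gt 0 ]; then
        echo "WARN: $rw upload path(s) labeled, but boolean is off"
    else
        echo "OK"
    fi
}

# Constructed sample containing the two entries from the manual page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# local FTP labels (constructed sample)
/var/ftp(/.*)?           system_u:object_r:public_content_t
/var/ftp/incoming(/.*)?  system_u:object_r:public_content_rw_t
EOF

list_public_content "$sample"
check_anon_write "$sample" on
```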

BOOLEANS

       SELinux ftp daemon policy is customizable based on least access
       required. So by default SELinux does not allow users to log in and read
       their home directories.
       If you are setting up this machine as an ftpd server and wish to allow
       users to access their home directories, you need to set the
       ftp_home_dir boolean.

       setsebool -P ftp_home_dir 1

       ftpd can run either as a standalone daemon or as part of the xinetd
       domain. If you want to run ftpd as a daemon you must set the
       ftpd_is_daemon boolean.

       setsebool -P ftpd_is_daemon 1
              service vsftpd restart

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO

       selinux(8), ftpd(8), chcon(1), setsebool(8)

dwalsh@redhat.com                 17 Jan 2005                  ftpd_selinux(8)