Re: Setting SELinux for vsftpd - SOLVED


Mark Haney wrote:
> Mark Haney wrote:
>> I've got a server that we use to do speed testing of our upstreams (and
>> customers' links) using FTP.  This is a fresh F10 install and I'm getting
>> what seems to be a very common selinux ftp error (226 Failed to open
>> directory). I've googled up a couple of forum posts on how to fix it,
>> but most say just to disable selinux.  That I'd not like to do.
>> However, one of the options says to do this:
>>
>> setsebool -P ftpd_disable_trans 1
>>
>> But I get an error:
>>
>> [root@noc5 speedtest]# setsebool -P ftpd_disable_trans 1
>> libsemanage.dbase_llist_set: record not found in the database
>> libsemanage.dbase_llist_set: could not set record value
>> Could not change boolean ftpd_disable_trans
>> Could not change policy booleans
>>
>> I have seen the GUI method of doing this, but since I don't run X on
>> this server that's not much help.  What's the correct method of setting
>> selinux up for this?
>>
>>
> 
> For anyone who wants to know.  The correct option (which, btw, took me
> down deep into google to find) is this:
> 
> setsebool -P ftp_home_dir 1
> 
> It's amazing to me that this isn't set up by default on a fresh install
> with ftp as one of the installed packages.
> 
> 
man ftpd_selinux

explains a lot of this.

The reason that this is not on by default is that most ftp sites are
used to share anonymous ftp information, so there is no reason for ftp
to read users' home directories.  This allows us to protect the users'
home directories even if ftp becomes compromised.

You could also take the error output in /var/log/audit/audit.log and
pipe it to audit2why and it should have told you which boolean to set.

Finally, if you were running setroubleshoot it might also give you the
right answer.
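
The audit.log triage suggested in the reply above, as an added example that is not part of the original message: it groups AVC denials for one confined domain so you can see what was blocked before changing a boolean, then hands the same records to audit2why. The function names are hypothetical, and the sample records (including the ftpd_t to user_home_dir_t pairing) are constructed assumptions about what such a denial looks like.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample records are constructed.

# Write constructed audit.log-style records to the file given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1231200000.101:41): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="testuser" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1231200000.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1231200007.220:58): avc:  denied  { read } for  pid=2399 comm="vsftpd" name="testuser" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1231200009.004:60): avc:  denied  { getattr } for  pid=2500 comm="httpd" path="/srv/x" dev=dm-0 ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Count AVC denials whose source domain type is $2 in audit log $1,
# grouped by target type, object class and permission set.
summarize_avc_denials() {
    awk -v dom="$2" '
    /type=AVC/ && /denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == dom) n[s " -> " t " class=" c " perms=" perms]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -k2
}

# Hand the same AVC records to audit2why when the tool is installed.
explain_denials() {
    command -v audit2why >/dev/null 2>&1 || { echo "audit2why not found" >&2; return 1; }
    grep 'type=AVC' "$1" | audit2why
}

log=$(mktemp)
write_sample_log "$log"
summarize_avc_denials "$log" ftpd_t
rm -f "$log"
```

On the affected host, run `explain_denials /var/log/audit/audit.log` as root and check the current value of the boolean it names with `getsebool` before setting it with `setsebool -P`.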
