Whilst using vsftpd in chroot'ed mode for non-anonymous usage, I've found that I appear to have to add this to my SELinux strict policy: allow ftpd_t self:capability { dac_override dac_read_search }; or possibly just this: allow ftpd_t self:capability { dac_read_search }; Without at least the dac_read_search, an ftp login always seems to fail. The description of these "dac" permissions on Tresys' site suggests to me that vsftpd is being too "greedy" in requiring these permissions to chroot successfully. Since anonymous ftp with SELinux surely works Ok without this capability, (or too many other people would have complained ), does this mean that the correct fix for this is a minor rewrite to vsftpd, rather than a change in SELinux policy? My current ftpd/SELinux/chroot related configuration: $ sudo grep ftp /etc/selinux/strict/booleans ftpd_is_daemon=1 ftp_home_dir=1 $ $ sudo grep chroot /etc/vsftpd/vsftpd.conf | grep -v "^#" chroot_list_enable=YES passwd_chroot_enable=YES chroot_list_file=/etc/vsftpd/vsftpd.chroot_user_list userlist_file=/etc/vsftpd/vsftpd.chroot_user_list $ -- Ted Rule Director, Layer3 Systems Ltd W: http://www.layer3.co.uk/ -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list