Hello,

Tried that as well, I am using ~/selinux/local
After the change by chcon

# ls -Z ~/selinux
drwxr-xr-x root root user_u:object_r:usr_t local

# ls -Z ~/selinux/local
-rw-r--r-- root root user_u:object_r:usr_t local.mod
-rw-r--r-- root root user_u:object_r:usr_t local.pp
-rw-r--r-- root root user_u:object_r:usr_t local.te

# semodule -i local.pp
libsemanage.semanage_commit_sandbox: Could not remove previous backup /etc/selinux/targeted/modules/previous.

In fact I have now solved the issue.
It involves enabling the boolean as you suggested before :

# setsebool -P ftp_home_dir 1
# setsebool -P ftpd_is_daemon 1

Plus, changing the corresponding user home directory ACL to be less restrictive than 0700 -> 0755
( thanks to Thomas Bleher for the hint )

--
Best regards,
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"

-----Original Message-----
From: Paul Howarth
Sent: Thursday, May 11, 2006 2:53 PM
To: Ketut Mahaindra
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: RE: Allowing vsftpd access for user's home directory

On Thu, 2006-05-11 at 14:32 +0800, Ketut Mahaindra wrote:
> Hello,
>
> I tried your suggestion in conjunction with the FC5 SELinux FAQ:
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2958106
>
> So, I did the following
> # audit2allow -m local -l -i /var/log/audit/audit.log
>
> Which gives me something like:
>
> module local 1.0;
> require {
>         class capability { dac_override dac_read_search };
>
>         type ftpd_t;
> };
> allow ftpd_t self:capability { dac_override dac_read_search };
>
> So, naturally I want it to be inside a file for compilation.
> Then I did:
>
> # audit2allow -m local -l -i /var/log/audit/audit.log > local.te
> # checkmodule -M -m -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> But, on that last step I get an error message "semodule: Could not read
> file 'local.pp':"
> It's strange, because the file local.pp is created normally by the
> semodule_package command.
>
> Did I miss anything?

Try this:

Move the files you've used for this process (the .te/.pp files etc.) to
a new, empty directory (I used /root/selinux.local) and change to that
directory. Then do:

# chcon -Rh -t usr_t .

Then try the semanage command again.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list