Re: How can I protect a service by SELinux?


 



Hi Jason,

For the "vsftpd" service we have the ftpd_t SELinux policy shipped by
default in the distribution SELinux policy on all currently supported Fedoras.

To confirm that vsftpd is confined by SELinux you could execute:

# ps -efZ | grep vsftpd
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 1109  1  0 08:39 ? 00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1112 919  0 08:39 pts/0 00:00:00 grep --color=auto vsftpd

Please see that vsftpd with pid (in my case) 1109 is running under
"system_u:system_r:ftpd_t:s0-s0:c0.c1023" where the important part is
"ftpd_t". So this process is confined by SELinux and the ftpd policy is used.

I tried to start "vsftpd" on my Fedora 30 system and the service started
without any issue with SELinux in enforcing state.

Could you please try to start vsftpd:
# systemctl start vsftpd

and then attach the output of:
# ausearch -m AVC -ts boot

Thanks,
Lukas.

On 8/12/19 7:47 AM, Jason Long wrote:
> Hello,
> I installed the "vsftpd" service, but by default SELinux blocked it. I
> changed the SELinux configuration with "setsebool -P ftpd_full_access 1", but
> I guess it means that SELinux can't protect my "vsftpd" service. How can
> I use the "vsftpd" service with SELinux enabled?
> 
> Thanks.
> 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
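
Added example, not part of the message above: a scripted form of the "ps -efZ" check that reads the output on stdin, skips the grep line, and reports whether every vsftpd process runs in the ftpd_t domain. The function names are hypothetical; the first sample is the output quoted in the message and the second is constructed.

```sh
#!/bin/sh
# Sample 1: the two lines quoted in the message above.
SAMPLE_CONFINED='system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 1109  1  0 08:39 ? 00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1112 919  0 08:39 pts/0 00:00:00 grep --color=auto vsftpd'

# Sample 2 (constructed): a vsftpd that did not transition into ftpd_t,
# for example because it was launched directly from an unconfined shell.
SAMPLE_UNCONFINED='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2201 919  0 09:02 pts/0 00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf'

# Read "ps -efZ" output on stdin and print "PID TYPE" for every process
# whose executable basename equals $1.
selinux_types_of() {
    awk -v name="$1" '
        $1 == "LABEL" { next }              # header line of ps -efZ
        {
            # Field 9 is the executable; matching on its basename keeps
            # "grep ... vsftpd" out of the result.
            n = split($9, path, "/")
            if (path[n] != name) next
            # A context is user:role:type:level. The level may itself
            # contain ":" (s0-s0:c0.c1023), so take field 3, not the last.
            split($1, ctx, ":")
            print $3, ctx[3]
        }'
}

# Exit status: 0 = every matching process runs in domain $2,
#              1 = at least one runs in another domain,
#              2 = no matching process found.
is_confined_as() {
    out=$(selinux_types_of "$1") || return 2
    [ -n "$out" ] || return 2
    printf '%s\n' "$out" | awk -v want="$2" '$2 != want { bad = 1 } END { exit bad + 0 }'
}

# Live use on a running system:
#   ps -efZ | is_confined_as vsftpd ftpd_t && echo "vsftpd is confined as ftpd_t"
```

A status of 1 means a vsftpd process exists but is not in ftpd_t, so the ftpd policy is not what is restricting it.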

