57 lines
2.2 KiB
Groff
57 lines
2.2 KiB
Groff
|
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
|
||
|
.SH "NAME"
|
||
|
ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
|
||
|
.SH "DESCRIPTION"
|
||
|
|
||
|
Security-Enhanced Linux secures the ftpd server via flexible mandatory access
|
||
|
control.
|
||
|
.SH FILE_CONTEXTS
|
||
|
SELinux requires files to have an extended attribute to define the file type.
|
||
|
Policy governs the access daemons have to these files.
|
||
|
If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
|
||
|
.TP
|
||
|
chcon -R -t public_content_t /var/ftp
|
||
|
.TP
|
||
|
If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
|
||
|
.TP
|
||
|
chcon -t public_content_rw_t /var/ftp/incoming
|
||
|
.TP
|
||
|
You must also turn on the boolean allow_ftp_anon_write.
|
||
|
.TP
|
||
|
setsebool -P allow_ftp_anon_write=1
|
||
|
.TP
|
||
|
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
|
||
|
.TP
|
||
|
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
|
||
|
.br
|
||
|
/var/ftp(/.*)? system_u:object_r:public_content_t
|
||
|
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
|
||
|
|
||
|
.SH BOOLEANS
|
||
|
SELinux ftp daemon policy is customizable based on least access required. So by
|
||
|
default SElinux does not allow users to login and read their home directories.
|
||
|
.br
|
||
|
If you are setting up this machine as a ftpd server and wish to allow users to access their home
|
||
|
directorories, you need to set the ftp_home_dir boolean.
|
||
|
.TP
|
||
|
setsebool -P ftp_home_dir 1
|
||
|
.TP
|
||
|
ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
|
||
|
.TP
|
||
|
setsebool -P ftpd_is_daemon 1
|
||
|
.TP
|
||
|
You can disable SELinux protection for the ftpd daemon by executing:
|
||
|
.TP
|
||
|
setsebool -P ftpd_disable_trans 1
|
||
|
.br
|
||
|
service vsftpd restart
|
||
|
.TP
|
||
|
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
|
||
|
.SH AUTHOR
|
||
|
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||
|
|
||
|
.SH "SEE ALSO"
|
||
|
selinux(8), ftpd(8), chcon(1), setsebool(8)
|
||
|
|
||
|
|