Re: Setting SELinux for vsftpd - SOLVED

2009-01-06 Thread Daniel J Walsh

Mark Haney wrote:
 Mark Haney wrote:
 I've got a server that we use to do speed testing of our upstreams (and
 customers' links) using FTP.  This is a fresh F10 install and I'm getting
 what seems to be a very common selinux ftp error (226 Failed to open
 directory). I've googled up a couple of forum posts on how to fix it,
 but most say just to disable selinux.  That I'd not like to do.
 However, one of the options says to do this:

 setsebool -P ftpd_disable_trans 1

 But I get an error:

 [r...@noc5 speedtest]# setsebool -P ftpd_disable_trans 1
 libsemanage.dbase_llist_set: record not found in the database
 libsemanage.dbase_llist_set: could not set record value
 Could not change boolean ftpd_disable_trans
 Could not change policy booleans

 I have seen the GUI method of doing this, but since I don't run X on
 this server that's not much help.  What's the correct method of setting
 selinux up for this?


 
 For anyone who wants to know, the correct option (which, btw, took me
 down deep into google to find) is this:
 
 setsebool -P ftp_home_dir 1
 
 It's amazing to me that this isn't set up by default on a fresh install
 with ftp as one of the installed packages.
 
 
man ftpd_selinux

explains a lot of this.

The reason that this is not on by default is that most ftp sites are
used to share anonymous ftp information, so there is no reason for ftp
to read users' home directories.  This allows us to protect the users'
home directories even if ftp becomes compromised.

You could also take the error output in /var/log/audit/audit.log and
pipe it to audit2why and it should have told you which boolean to set.

Finally if you were running setroubleshoot it might also give you the
right answer.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
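The two checks Daniel's reply points at, reading the vsftpd AVC denials out of audit.log and feeding them to audit2why, and checking and persistently setting the ftp_home_dir boolean, as an added shell example that is not part of the thread. The audit lines embedded in the script are constructed to resemble the denial Mark would have seen (pid, inode, timestamps and the home path are made up); the ftpd_t and user_home_t types and the getsebool/setsebool/audit2why commands are real, while the `--live` switch and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the thread. Demonstrates:
# 1. pulling vsftpd AVC denials out of audit data and handing them to audit2why,
# 2. checking the ftp_home_dir boolean before setting it with setsebool -P.
# The audit text below is constructed to look like the denial from the thread;
# pid, inode, timestamps and the home path are invented.

SAMPLE_AUDIT='type=AVC msg=audit(1231267513.123:45): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="speedtest" dev=dm-0 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1231267513.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="vsftpd" subj=system_u:system_r:ftpd_t:s0
type=AVC msg=audit(1231267520.456:46): avc:  denied  { getattr } for  pid=2345 comm="vsftpd" path="/home/mark/speedtest" scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1231267530.789:47): avc:  denied  { name_connect } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Filter stdin down to AVC denials raised by the named process (comm=...).
avc_denials_for() {
    grep 'avc: *denied' | grep "comm=\"$1\""
}

# Count vsftpd denials in the audit text passed as $1.
count_vsftpd_denials() {
    printf '%s\n' "$1" | avc_denials_for vsftpd | wc -l | tr -d ' '
}

# Exit 0 when ftpd_t was denied access to a user home type: that is exactly
# the access ftp_home_dir exists to allow, so it points at the boolean
# rather than at a mislabelled file.
ftpd_denied_home_access() {
    printf '%s\n' "$1" | avc_denials_for vsftpd \
        | grep 'scontext=[^ ]*:ftpd_t:' \
        | grep -q 'tcontext=[^ ]*:user_home'
}

# On a real host: let audit2why name the boolean instead of guessing it.
explain_denials() {
    if command -v audit2why >/dev/null 2>&1; then
        avc_denials_for vsftpd < /var/log/audit/audit.log | audit2why
    else
        echo "audit2why not found; it ships with the policycoreutils tools" >&2
        return 1
    fi
}

# Check the boolean exists first: the "record not found in the database"
# error in the thread is what setsebool prints for a name the loaded
# policy does not know (ftpd_disable_trans).
enable_ftp_home_dir() {
    if ! getsebool ftp_home_dir >/dev/null 2>&1; then
        echo "ftp_home_dir is not a boolean in this policy; try: getsebool -a | grep ftp" >&2
        return 1
    fi
    getsebool ftp_home_dir
    setsebool -P ftp_home_dir 1   # -P writes the value into the policy store so it survives a reboot
    getsebool ftp_home_dir
}

if [ "${1:-}" = "--live" ]; then
    explain_denials
    enable_ftp_home_dir
else
    echo "vsftpd denials in sample: $(count_vsftpd_denials "$SAMPLE_AUDIT")"
    if ftpd_denied_home_access "$SAMPLE_AUDIT"; then
        echo "ftpd_t was blocked on a user home type: ftp_home_dir is the boolean to look at"
    fi
fi
```

Run without arguments it only inspects the embedded sample; `--live` runs the real audit2why and setsebool steps as root on a Fedora host. Filtering on the source type (ftpd_t) and the target type (user_home_t) before touching any boolean is the point: a denial against some other type would indicate a labelling problem that ftp_home_dir would not fix.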


Re: Setting SELinux for vsftpd - SOLVED

2009-01-06 Thread Tim
On Tue, 2009-01-06 at 13:45 -0500, Mark Haney wrote:
 It's amazing to me that this isn't set up by default on a fresh
 install with ftp as one of the installed packages.

This isn't Windows, where too much is allowed by default.  It's had an
extremely crap security model from day one, Linux isn't about to make
the same mistakes.

-- 
[...@localhost ~]$ uname -r
2.6.27.9-73.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: Setting SELinux for vsftpd - SOLVED

2009-01-06 Thread Craig White
On Tue, 2009-01-06 at 13:45 -0500, Mark Haney wrote:
 Mark Haney wrote:
  I've got a server that we use to do speed testing of our upstreams (and
  customers' links) using FTP.  This is a fresh F10 install and I'm getting
  what seems to be a very common selinux ftp error (226 Failed to open
  directory). I've googled up a couple of forum posts on how to fix it,
  but most say just to disable selinux.  That I'd not like to do.
  However, one of the options says to do this:
  
  setsebool -P ftpd_disable_trans 1
  
  But I get an error:
  
  [r...@noc5 speedtest]# setsebool -P ftpd_disable_trans 1
  libsemanage.dbase_llist_set: record not found in the database
  libsemanage.dbase_llist_set: could not set record value
  Could not change boolean ftpd_disable_trans
  Could not change policy booleans
  
  I have seen the GUI method of doing this, but since I don't run X on
  this server that's not much help.  What's the correct method of setting
  selinux up for this?
  
  
 
 For anyone who wants to know, the correct option (which, btw, took me
 down deep into google to find) is this:
 
 setsebool -P ftp_home_dir 1
 
 It's amazing to me that this isn't set up by default on a fresh install
 with ftp as one of the installed packages.

You seem bent on drawing far-reaching conclusions from your
expectations.

FWIW, neither samba nor http will enable SELinux permissions for home
folders served out of the box...I would suspect that they are far more
common.

I suppose that the intent is to provide a secured setup and leave it as
an exercise to the system owner/operator to lower the protection
barriers as they choose.

Craig
