Centos – ProFTPd and SELinux: mkdir Permission denied

centosftpnfspermissionsselinux

I have a ProFTPd server on Centos 6.3 with SELinux Enforcing. My users are virtual users in a flat file. The users are chrooted to directories mounted via NFS. I've already set the following policy:

/usr/sbin/semanage boolean -m --on allow_ftpd_use_nfs
/usr/sbin/semanage boolean -m --on allow_ftpd_anon_write

The users can read and write files without problem. However, they cannot create directories. I get this in audit.log:

type=AVC msg=audit(1364763704.972:25268): avc:  denied  { create } for  pid=2971 comm="proftpd" name="test4" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

Is there away to keep SELinux on but allow directory creation?

Best Answer

That looks like a policy error. Try adding this policy by doing the following..

Create a new directory called "localftpd"
Place the content below into a file called "localftpd.te" inside of this new directory.
Run make -f /usr/share/selinux/devel/Makefile load

This is the policy amendment you need.

policy_module(localftpd, 1.0.0)

require {
    type ftpd_t;
    type nfs_t;
}

tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write', `
    create_dirs_pattern(ftpd_t, nfs_t, nfs_t)
    delete_dirs_pattern(ftpd_t, nfs_t, nfs_t)
    rename_dirs_pattern(ftpd_t, nfs_t, nfs_t)
');

Related Solutions

Redhat Apache fast-cgi selinux permissions

Running FastCGI your way leaves a big security hole: the PHP interpreter is run as user "httpd" (at least I can't see anything about suexec here).

We have a working setup with SELinux and PHP as FastCGI here at CentOS 6, but it was really tricky to get everything working.

A few tips for the start:

you don't need to reboot to disable/enable selinux - just use the command "setenforce 0" or "setenforce 1" :)
always try to get everything working with SELinux disabled, then enable it and have a look at audit.log

Here we go:

enable suexec
change SELinux type for php.fcgi to httpd_fastcgi_script_exec_t
your FastCGI starter (php.fcgi) should not be writable by the user owning it (otherwise he can tweak many settings and limits). Give it the "immutable" flag: chattr +i php.fcgi

suexec has some trouble with FastCGI, so we have to make it permissive:

yum install policycoreutils-python
semanage permissive -a httpd_suexec_t

Good luck!

Centos 6.3 PERL CGI selinux file read access

One way is with the 'chcon' command with the following:

chcon -Rv --type=httpd_sys_content_t /var/log/trafcount

This will get you access across reboots, but not across SELinux relabelings. In the long run, I'd suggest creating a custom type and creating a rule for that in SELinux so that both /var/log and Apache can happily continue to use it.

Source: http://wiki.centos.org/HowTos/SELinux (Lots of great stuff on SELinux under CentOS in there)

Best Answer

Related Solutions

Redhat Apache fast-cgi selinux permissions

Centos 6.3 PERL CGI selinux file read access

Related Topic