I've set up vsftpd on my Fedora 12 server, and I'd like to have the following configuration. Each user should have access to:
- his home directory (/home/USER);
- the web directory I created for him (/web/USER).
To achieve this, I first configured vsftpd to chroot each user to his home directory. Then I created /web/USER with the correct permissions, and used `mount --bind /web/USER /home/USER/Web` so that the user may have access to /web/USER through /home/USER/Web.
I also turned on the SELinux boolean `ftp_home_dir` so that vsftpd is allowed to write in users' home directories.
This works very well, except that when a user tries to upload or rename a file in /home/USER/Web, SELinux forbids it because the change must also be done to /web/USER, and SELinux doesn't give vsftpd permission to write anything to that directory.
I know that I could solve the problem by turning on the SELinux boolean `allow_ftpd_full_access` or `ftpd_disable_trans`. I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type `public_content_t`; this is equivalent to turning on `allow_ftpd_full_access`, if I understood it correctly.
I'd like to know if it's possible to configure SELinux to allow FTP write access to the specific directory /web/USER and its contents, instead of disabling SELinux's FTP controls entirely.
Best Answer
Be sure to include the `(/.*)?` at the end of the directory name.
Essentially, yes; since SELinux allows directories/files labeled with `public_content_t` to be shared between different services. However, further access control is in place through the use of sebooleans (or `sebool`, more precisely).
Giving "ftpd full access" doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, `ftpd` is allowed to read files if the directory's file context (`fcontext`) is `public_content_t`. SELinux gives write permissions to the ftp server if the directory's fcontext is `public_content_rw_t`; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled `public_content_t`, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the `public_content_rw_t` context, and removing your custom generated local policy.
For further information and details, please see the SELinux wiki pages.
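The labelling the answer recommends, as an added example (not part of the question or the answer): a small script that builds the `semanage fcontext` pattern with the `(/.*)?` suffix, registers it as `public_content_rw_t`, relabels the tree and verifies the result. It assumes the policycoreutils tools (`semanage`, `restorecon`, `getsebool`) are installed and that the directory name (`/web/USER`) follows the question's layout.

```shell
#!/bin/sh
# Added example: label a per-user web directory so vsftpd may write to it,
# instead of enabling allow_ftpd_full_access. Not code from the original post.
set -eu

# Build the file-context regex for semanage: the path with regex
# metacharacters escaped, plus the "(/.*)?" suffix so the rule also
# covers everything created inside the directory (the point the answer stresses).
fcontext_pattern() {
    dir=${1%/}                                  # drop one trailing slash
    esc=$(printf '%s' "$dir" | sed 's/[][\.^$*+?(){}|]/\\&/g')
    printf '%s(/.*)?' "$esc"
}

# Register the context (modify it if a rule for this pattern already exists)
# and relabel the tree. Labels live on the inodes, so the bind-mounted view
# under /home/USER/Web shows the same public_content_rw_t label.
label_web_dir() {
    pattern=$(fcontext_pattern "$1")
    semanage fcontext -a -t public_content_rw_t "$pattern" \
        || semanage fcontext -m -t public_content_rw_t "$pattern"
    restorecon -Rv "$1"
    ls -dZ "$1"                                 # expect ...:public_content_rw_t:...
    # Check the narrower booleans that are still in play; neither of them is
    # allow_ftpd_full_access. (Boolean names vary between policy releases.)
    getsebool ftp_home_dir allow_ftpd_anon_write 2>/dev/null || true
}

# Usage: sh label_web_dir.sh /web/USER  (only acts when a path is given)
if [ "$#" -ge 1 ]; then
    label_web_dir "$1"
fi
```

If uploads are still denied after relabelling, `ausearch -m avc -ts recent` shows which type and permission the remaining denial names, which is more informative than the blanket local policy audit2allow produced.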