Solved

Fedora 9:  Selinux policy is preventing the ftp deamon from writing to apublic directory

Posted on 2008-10-19
2
1,496 Views
Last Modified: 2013-12-06
I am trying to upload a file from Windows Vista smart to my fedora server and my server is giving me the message:

SElinux AVC denial:
 Selinux policy is preventing the ftp deamon from writing to a public directory

the I am given more detailed description:

" Summary:

SELinux policy is preventing the ftp daemon from writing to a public directory.

Detailed Description:

SELinux policy is preventing the ftp daemon from writing to a public directory.
If ftpd is not setup to allow anonymous writes, this could signal a intrusion
attempt.

Allowing Access:

If the ftp daemon should be allowed to write to this directory you need to turn
on the allow_ftpd_anon_write boolean and change the file context of the public
directory to public_content_rw_t. Read the ftpd_selinux man page for further
information: "setsebool -P allow_ftpd_anon_write=1; chcon -t public_content_rw_t
"

Fix Command:

setsebool -P allow_ftpd_anon_write=1

Additional Information:

Source Context                system_u:system_r:ftpd_t:s0
Target Context                unconfined_u:object_r:public_content_t:s0
Target Objects                ./incoming [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          ftpserver
Source RPM Packages           vsftpd-2.0.6-3.fc9
Target RPM Packages          
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_anon_write
Host Name                     ftpserver
Platform                      Linux ftpserver 2.6.25-14.fc9.i686 #1 SMP Thu May
                              1 06:28:41 EDT 2008 i686 i686
Alert Count                   472
First Seen                    Sun 19 Oct 2008 01:06:35 PM EDT
Last Seen                     Sun 19 Oct 2008 02:12:36 PM EDT
Local ID                      ba87e2e0-138c-4c42-bdf5-a34101005af8
Line Numbers                  

         
"


Where should I enable this function ?????

0
Comment
Question by:iskibinska
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 5

Expert Comment

by:ifreq
ID: 22753385
Run it from the commandline on your Fedora server as Root-user:

setsebool -P allow_ftpd_anon_write=1



setsebool(8)          SELinux Command Line documentation          setsebool(8)

NAME
       setsebool - set SELinux boolean value

SYNOPSIS
       setsebool [ -P ] boolean value | bool1=val1 bool2=val2 ...

DESCRIPTION
       setsebool  sets the current state of a particular SELinux boolean or a list of booleans to a
       given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to
       disable it.

       Without  the  -P  option,  only the current boolean value is affected; the boot-time default
       settings are not changed.

       If the -P option is given, all pending values are written to the policy  file  on  disk.  So
       they will be persistant across reboots.

AUTHOR
       This  manual  page was written by Dan Walsh <dwalsh@redhat.com>.  The program was written by
       Tresys Technology.

SEE ALSO
       getsebool(8), booleans(8), togglesebool(8)
0
 
LVL 12

Accepted Solution

by:
hfraser earned 500 total points
ID: 22754208
Be certain this is what you want to do. From a security standpoint, anonymous FTP access is usually limited to read only; write acces requires an authenticated user, both to control access to resources on your server, and to provide an audit trail for the access. Hence the standard FTP policy.

If you decide to do authenticated access, there are plenty of ways create an environment where both the Linux systems and the Windows Vista share a single user space (one set of accounts for all systems) so that you don't have to worry about managing separate accounts on different platforms.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In order for businesses to be compliant with certain information security laws in some countries, you need to be able to prove that a user (which user it was becomes important to the business to take action against the user after an event has occurr…
Creating a Samba server for a small office. Ubuntu Linux and Samba can breathe new life into a retired PC and save an office money on new hardware/software. Our example server will have two hard disks, one exclusively for storing shared data. …
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question