Solved

Fedora 9:  Selinux policy is preventing the ftp deamon from writing to apublic directory

Posted on 2008-10-19
2
1,488 Views
Last Modified: 2013-12-06
I am trying to upload a file from Windows Vista smart to my fedora server and my server is giving me the message:

SElinux AVC denial:
 Selinux policy is preventing the ftp deamon from writing to a public directory

the I am given more detailed description:

" Summary:

SELinux policy is preventing the ftp daemon from writing to a public directory.

Detailed Description:

SELinux policy is preventing the ftp daemon from writing to a public directory.
If ftpd is not setup to allow anonymous writes, this could signal a intrusion
attempt.

Allowing Access:

If the ftp daemon should be allowed to write to this directory you need to turn
on the allow_ftpd_anon_write boolean and change the file context of the public
directory to public_content_rw_t. Read the ftpd_selinux man page for further
information: "setsebool -P allow_ftpd_anon_write=1; chcon -t public_content_rw_t
"

Fix Command:

setsebool -P allow_ftpd_anon_write=1

Additional Information:

Source Context                system_u:system_r:ftpd_t:s0
Target Context                unconfined_u:object_r:public_content_t:s0
Target Objects                ./incoming [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          ftpserver
Source RPM Packages           vsftpd-2.0.6-3.fc9
Target RPM Packages          
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_anon_write
Host Name                     ftpserver
Platform                      Linux ftpserver 2.6.25-14.fc9.i686 #1 SMP Thu May
                              1 06:28:41 EDT 2008 i686 i686
Alert Count                   472
First Seen                    Sun 19 Oct 2008 01:06:35 PM EDT
Last Seen                     Sun 19 Oct 2008 02:12:36 PM EDT
Local ID                      ba87e2e0-138c-4c42-bdf5-a34101005af8
Line Numbers                  

         
"


Where should I enable this function ?????

0
Comment
Question by:iskibinska
2 Comments
 
LVL 5

Expert Comment

by:ifreq
Comment Utility
Run it from the commandline on your Fedora server as Root-user:

setsebool -P allow_ftpd_anon_write=1



setsebool(8)          SELinux Command Line documentation          setsebool(8)

NAME
       setsebool - set SELinux boolean value

SYNOPSIS
       setsebool [ -P ] boolean value | bool1=val1 bool2=val2 ...

DESCRIPTION
       setsebool  sets the current state of a particular SELinux boolean or a list of booleans to a
       given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to
       disable it.

       Without  the  -P  option,  only the current boolean value is affected; the boot-time default
       settings are not changed.

       If the -P option is given, all pending values are written to the policy  file  on  disk.  So
       they will be persistant across reboots.

AUTHOR
       This  manual  page was written by Dan Walsh <dwalsh@redhat.com>.  The program was written by
       Tresys Technology.

SEE ALSO
       getsebool(8), booleans(8), togglesebool(8)
0
 
LVL 12

Accepted Solution

by:
hfraser earned 500 total points
Comment Utility
Be certain this is what you want to do. From a security standpoint, anonymous FTP access is usually limited to read only; write acces requires an authenticated user, both to control access to resources on your server, and to provide an audit trail for the access. Hence the standard FTP policy.

If you decide to do authenticated access, there are plenty of ways create an environment where both the Linux systems and the Windows Vista share a single user space (one set of accounts for all systems) so that you don't have to worry about managing separate accounts on different platforms.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

You ever wonder how to backup Linux system files just like Windows System Restore?  Well you can use Timeshift in Linux to perform those similar action.  This tutorial will show you how to backup your system files and keep regular intervals. Note…
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now