Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Centos 7 ProFTPD SELinux settings : How do we make the correct change to SELINUX to allow FTP users to work correctly?

Posted on 2014-11-02
11
Medium Priority
?
2,109 Views
Last Modified: 2014-11-08
We are trying to setup Proftpd on a Centos 7 system.  We have ProFTPD configured to use MySQL.

We try to login with a user in the Database, and that works except that they can not list the directory.

We verified our configuration for ProFTPd, and after much checking decided to try and see if SELINUX had anything to do with our user not being able to list the directory.

[root@fd01 ~]# setenforce 0

Open in new window


[root@fd01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Open in new window


After this, we are able to list the FTP directory and upload files.

So the question is. How do we make the correct change to SELINUX to allow FTP users to work correctly?
0
Comment
Question by:FirstDirect
  • 7
  • 3
11 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 40418516
Have you tried labeling the ftp directory as type public_content_t?
sudo /usr/sbin/semanage fcontext -a -t public_content_t "/srv/myftproot/public(/.*)?"
sudo /sbin/restorecon -R -v /srv/myftproot/public

Open in new window

See the help page here: http://selinuxproject.org/page/FTPRecipes

HTH,
Dan
0
 

Author Comment

by:FirstDirect
ID: 40418523
Additional notes to the original.

When in "Permissive" mode we have write access. When in "enforcing" mode we do not.

Dan how would I do that?
my directory for where a user ftp folder will be is "/var/ftpd/xxxfolderxxx"
0
 

Author Comment

by:FirstDirect
ID: 40418526
Would we want to run something like the following?

sudo /usr/sbin/semanage boolean -m --on ftpd_connect_db

Open in new window


Since we have configured ProFTPD to use a MySql DB? And where do I run this? On the SSH command line?
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 

Author Comment

by:FirstDirect
ID: 40418535
I have seen instructions such as this.
http://serverfault.com/questions/494976/proftpd-and-selinux-mkdir-permission-denied


Would this change much if we are storing users in a mysql db?
0
 
LVL 23

Assisted Solution

by:savone
savone earned 2000 total points
ID: 40418591
I would suggest looking at the audit log (/var/log/audit/audit.log) to see selinux messages.

I am not familiar with ProFTP, but I assume that is the daemon name under which it runs.  So you can grep like so:

grep -i proftp /var/log/audit/audit.log

If you see messages in there, then you can create a custom policy for selinux to allow proftp write access, like so:

grep -i proftp /var/log/audit/audit.log | audit2allow -M myproftppol

You will then have to run:

 semodule -i myproftppol.pp

Again, I would read the logs to make sure you know what you are allowing.  Also if audit2allow is not installed, you may have to install it.  It is part of the policycoreutils-python package, so:

yum install policycoreutils-python

Good luck, Selinux is great, but it can be a pain.
0
 

Author Comment

by:FirstDirect
ID: 40418597
Would you recommend simply changing SELinux to a passive mode?
0
 
LVL 23

Expert Comment

by:savone
ID: 40418610
I personally never disable SELINUX, which is basically what you will be doing with permissive mode.  Permissive mode allows the action, instead of stopping it but logs it.  Basically let's the security breach happen, but logs it.  

If you are going to admin a Linux system these days you will have to learn to use SELINUX.  Even Android has SELINUX by default now.  Did you try my above suggestion?
0
 

Author Comment

by:FirstDirect
ID: 40418619
I am going to try that when I get back to my desk. I don't have any experience creating policy's.

Is the package audit2allow a key part of making policy's?
0
 
LVL 23

Expert Comment

by:savone
ID: 40418685
It is a key part of easily making policies, yes.
0
 

Accepted Solution

by:
FirstDirect earned 0 total points
ID: 40420834
I was able to get the FTP connections to work finally after a combination of trying the above solution and the following command on SSH.

setsebool -P allow_ftpd_full_access=1

Open in new window

0
 

Author Closing Comment

by:FirstDirect
ID: 40430049
We are now able to get ProFTPd to work.
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
I have written articles previously comparing SARDU and YUMI.  I also included a couple of lines about Easy2boot (easy2boot.com).  I have now been using, and enjoying easy2boot as my sole multiboot utility for some years and realize that it deserves …
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses
Course of the Month6 days, 22 hours left to enroll

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question