Solved

Centos 7 ProFTPD SELinux settings : How do we make the correct change to SELINUX to allow FTP users to work correctly?

Posted on 2014-11-02
11
1,782 Views
Last Modified: 2014-11-08
We are trying to setup Proftpd on a Centos 7 system.  We have ProFTPD configured to use MySQL.

We try to login with a user in the Database, and that works except that they can not list the directory.

We verified our configuration for ProFTPd, and after much checking decided to try and see if SELINUX had anything to do with our user not being able to list the directory.

[root@fd01 ~]# setenforce 0

Open in new window


[root@fd01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Open in new window


After this, we are able to list the FTP directory and upload files.

So the question is. How do we make the correct change to SELINUX to allow FTP users to work correctly?
0
Comment
Question by:FirstDirect
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
11 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 40418516
Have you tried labeling the ftp directory as type public_content_t?
sudo /usr/sbin/semanage fcontext -a -t public_content_t "/srv/myftproot/public(/.*)?"
sudo /sbin/restorecon -R -v /srv/myftproot/public

Open in new window

See the help page here: http://selinuxproject.org/page/FTPRecipes

HTH,
Dan
0
 

Author Comment

by:FirstDirect
ID: 40418523
Additional notes to the original.

When in "Permissive" mode we have write access. When in "enforcing" mode we do not.

Dan how would I do that?
my directory for where a user ftp folder will be is "/var/ftpd/xxxfolderxxx"
0
 

Author Comment

by:FirstDirect
ID: 40418526
Would we want to run something like the following?

sudo /usr/sbin/semanage boolean -m --on ftpd_connect_db

Open in new window


Since we have configured ProFTPD to use a MySql DB? And where do I run this? On the SSH command line?
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 

Author Comment

by:FirstDirect
ID: 40418535
I have seen instructions such as this.
http://serverfault.com/questions/494976/proftpd-and-selinux-mkdir-permission-denied


Would this change much if we are storing users in a mysql db?
0
 
LVL 23

Assisted Solution

by:savone
savone earned 500 total points
ID: 40418591
I would suggest looking at the audit log (/var/log/audit/audit.log) to see selinux messages.

I am not familiar with ProFTP, but I assume that is the daemon name under which it runs.  So you can grep like so:

grep -i proftp /var/log/audit/audit.log

If you see messages in there, then you can create a custom policy for selinux to allow proftp write access, like so:

grep -i proftp /var/log/audit/audit.log | audit2allow -M myproftppol

You will then have to run:

 semodule -i myproftppol.pp

Again, I would read the logs to make sure you know what you are allowing.  Also if audit2allow is not installed, you may have to install it.  It is part of the policycoreutils-python package, so:

yum install policycoreutils-python

Good luck, Selinux is great, but it can be a pain.
0
 

Author Comment

by:FirstDirect
ID: 40418597
Would you recommend simply changing SELinux to a passive mode?
0
 
LVL 23

Expert Comment

by:savone
ID: 40418610
I personally never disable SELINUX, which is basically what you will be doing with permissive mode.  Permissive mode allows the action, instead of stopping it but logs it.  Basically let's the security breach happen, but logs it.  

If you are going to admin a Linux system these days you will have to learn to use SELINUX.  Even Android has SELINUX by default now.  Did you try my above suggestion?
0
 

Author Comment

by:FirstDirect
ID: 40418619
I am going to try that when I get back to my desk. I don't have any experience creating policy's.

Is the package audit2allow a key part of making policy's?
0
 
LVL 23

Expert Comment

by:savone
ID: 40418685
It is a key part of easily making policies, yes.
0
 

Accepted Solution

by:
FirstDirect earned 0 total points
ID: 40420834
I was able to get the FTP connections to work finally after a combination of trying the above solution and the following command on SSH.

setsebool -P allow_ftpd_full_access=1

Open in new window

0
 

Author Closing Comment

by:FirstDirect
ID: 40430049
We are now able to get ProFTPd to work.
0

Featured Post

Want Experts Exchange at your fingertips?

With Experts Exchange’s latest app release, you can now experience our most recent features, updates, and the same community interface while on-the-go. Download our latest app release at the Android or Apple stores today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question