Solved

Centos 7 ProFTPD SELinux settings : How do we make the correct change to SELINUX to allow FTP users to work correctly?

Posted on 2014-11-02
11
1,444 Views
Last Modified: 2014-11-08
We are trying to setup Proftpd on a Centos 7 system.  We have ProFTPD configured to use MySQL.

We try to login with a user in the Database, and that works except that they can not list the directory.

We verified our configuration for ProFTPd, and after much checking decided to try and see if SELINUX had anything to do with our user not being able to list the directory.

[root@fd01 ~]# setenforce 0

Open in new window


[root@fd01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Open in new window


After this, we are able to list the FTP directory and upload files.

So the question is. How do we make the correct change to SELINUX to allow FTP users to work correctly?
0
Comment
Question by:FirstDirect
  • 7
  • 3
11 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40418516
Have you tried labeling the ftp directory as type public_content_t?
sudo /usr/sbin/semanage fcontext -a -t public_content_t "/srv/myftproot/public(/.*)?"
sudo /sbin/restorecon -R -v /srv/myftproot/public

Open in new window

See the help page here: http://selinuxproject.org/page/FTPRecipes

HTH,
Dan
0
 

Author Comment

by:FirstDirect
ID: 40418523
Additional notes to the original.

When in "Permissive" mode we have write access. When in "enforcing" mode we do not.

Dan how would I do that?
my directory for where a user ftp folder will be is "/var/ftpd/xxxfolderxxx"
0
 

Author Comment

by:FirstDirect
ID: 40418526
Would we want to run something like the following?

sudo /usr/sbin/semanage boolean -m --on ftpd_connect_db

Open in new window


Since we have configured ProFTPD to use a MySql DB? And where do I run this? On the SSH command line?
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:FirstDirect
ID: 40418535
I have seen instructions such as this.
http://serverfault.com/questions/494976/proftpd-and-selinux-mkdir-permission-denied


Would this change much if we are storing users in a mysql db?
0
 
LVL 23

Assisted Solution

by:savone
savone earned 500 total points
ID: 40418591
I would suggest looking at the audit log (/var/log/audit/audit.log) to see selinux messages.

I am not familiar with ProFTP, but I assume that is the daemon name under which it runs.  So you can grep like so:

grep -i proftp /var/log/audit/audit.log

If you see messages in there, then you can create a custom policy for selinux to allow proftp write access, like so:

grep -i proftp /var/log/audit/audit.log | audit2allow -M myproftppol

You will then have to run:

 semodule -i myproftppol.pp

Again, I would read the logs to make sure you know what you are allowing.  Also if audit2allow is not installed, you may have to install it.  It is part of the policycoreutils-python package, so:

yum install policycoreutils-python

Good luck, Selinux is great, but it can be a pain.
0
 

Author Comment

by:FirstDirect
ID: 40418597
Would you recommend simply changing SELinux to a passive mode?
0
 
LVL 23

Expert Comment

by:savone
ID: 40418610
I personally never disable SELINUX, which is basically what you will be doing with permissive mode.  Permissive mode allows the action, instead of stopping it but logs it.  Basically let's the security breach happen, but logs it.  

If you are going to admin a Linux system these days you will have to learn to use SELINUX.  Even Android has SELINUX by default now.  Did you try my above suggestion?
0
 

Author Comment

by:FirstDirect
ID: 40418619
I am going to try that when I get back to my desk. I don't have any experience creating policy's.

Is the package audit2allow a key part of making policy's?
0
 
LVL 23

Expert Comment

by:savone
ID: 40418685
It is a key part of easily making policies, yes.
0
 

Accepted Solution

by:
FirstDirect earned 0 total points
ID: 40420834
I was able to get the FTP connections to work finally after a combination of trying the above solution and the following command on SSH.

setsebool -P allow_ftpd_full_access=1

Open in new window

0
 

Author Closing Comment

by:FirstDirect
ID: 40430049
We are now able to get ProFTPd to work.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Fine Tune your automatic Updates for Ubuntu / Debian
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question