Solved

Centos 7 ProFTPD SELinux settings : How do we make the correct change to SELINUX to allow FTP users to work correctly?

Posted on 2014-11-02
11
1,287 Views
Last Modified: 2014-11-08
We are trying to setup Proftpd on a Centos 7 system.  We have ProFTPD configured to use MySQL.

We try to login with a user in the Database, and that works except that they can not list the directory.

We verified our configuration for ProFTPd, and after much checking decided to try and see if SELINUX had anything to do with our user not being able to list the directory.

[root@fd01 ~]# setenforce 0

Open in new window


[root@fd01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Open in new window


After this, we are able to list the FTP directory and upload files.

So the question is. How do we make the correct change to SELINUX to allow FTP users to work correctly?
0
Comment
Question by:FirstDirect
  • 7
  • 3
11 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
Comment Utility
Have you tried labeling the ftp directory as type public_content_t?
sudo /usr/sbin/semanage fcontext -a -t public_content_t "/srv/myftproot/public(/.*)?"
sudo /sbin/restorecon -R -v /srv/myftproot/public

Open in new window

See the help page here: http://selinuxproject.org/page/FTPRecipes

HTH,
Dan
0
 

Author Comment

by:FirstDirect
Comment Utility
Additional notes to the original.

When in "Permissive" mode we have write access. When in "enforcing" mode we do not.

Dan how would I do that?
my directory for where a user ftp folder will be is "/var/ftpd/xxxfolderxxx"
0
 

Author Comment

by:FirstDirect
Comment Utility
Would we want to run something like the following?

sudo /usr/sbin/semanage boolean -m --on ftpd_connect_db

Open in new window


Since we have configured ProFTPD to use a MySql DB? And where do I run this? On the SSH command line?
0
 

Author Comment

by:FirstDirect
Comment Utility
I have seen instructions such as this.
http://serverfault.com/questions/494976/proftpd-and-selinux-mkdir-permission-denied


Would this change much if we are storing users in a mysql db?
0
 
LVL 23

Assisted Solution

by:savone
savone earned 500 total points
Comment Utility
I would suggest looking at the audit log (/var/log/audit/audit.log) to see selinux messages.

I am not familiar with ProFTP, but I assume that is the daemon name under which it runs.  So you can grep like so:

grep -i proftp /var/log/audit/audit.log

If you see messages in there, then you can create a custom policy for selinux to allow proftp write access, like so:

grep -i proftp /var/log/audit/audit.log | audit2allow -M myproftppol

You will then have to run:

 semodule -i myproftppol.pp

Again, I would read the logs to make sure you know what you are allowing.  Also if audit2allow is not installed, you may have to install it.  It is part of the policycoreutils-python package, so:

yum install policycoreutils-python

Good luck, Selinux is great, but it can be a pain.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:FirstDirect
Comment Utility
Would you recommend simply changing SELinux to a passive mode?
0
 
LVL 23

Expert Comment

by:savone
Comment Utility
I personally never disable SELINUX, which is basically what you will be doing with permissive mode.  Permissive mode allows the action, instead of stopping it but logs it.  Basically let's the security breach happen, but logs it.  

If you are going to admin a Linux system these days you will have to learn to use SELINUX.  Even Android has SELINUX by default now.  Did you try my above suggestion?
0
 

Author Comment

by:FirstDirect
Comment Utility
I am going to try that when I get back to my desk. I don't have any experience creating policy's.

Is the package audit2allow a key part of making policy's?
0
 
LVL 23

Expert Comment

by:savone
Comment Utility
It is a key part of easily making policies, yes.
0
 

Accepted Solution

by:
FirstDirect earned 0 total points
Comment Utility
I was able to get the FTP connections to work finally after a combination of trying the above solution and the following command on SSH.

setsebool -P allow_ftpd_full_access=1

Open in new window

0
 

Author Closing Comment

by:FirstDirect
Comment Utility
We are now able to get ProFTPd to work.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now