Centos 7 ProFTPD SELinux settings : How do we make the correct change to SELINUX to allow FTP users to work correctly?

We are trying to setup Proftpd on a Centos 7 system.  We have ProFTPD configured to use MySQL.

We try to login with a user in the Database, and that works except that they can not list the directory.

We verified our configuration for ProFTPd, and after much checking decided to try and see if SELINUX had anything to do with our user not being able to list the directory.

[root@fd01 ~]# setenforce 0

Open in new window


[root@fd01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Open in new window


After this, we are able to list the FTP directory and upload files.

So the question is. How do we make the correct change to SELINUX to allow FTP users to work correctly?
FirstDirectAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
FirstDirectConnect With a Mentor Author Commented:
I was able to get the FTP connections to work finally after a combination of trying the above solution and the following command on SSH.

setsebool -P allow_ftpd_full_access=1

Open in new window

0
 
Dan CraciunIT ConsultantCommented:
Have you tried labeling the ftp directory as type public_content_t?
sudo /usr/sbin/semanage fcontext -a -t public_content_t "/srv/myftproot/public(/.*)?"
sudo /sbin/restorecon -R -v /srv/myftproot/public

Open in new window

See the help page here: http://selinuxproject.org/page/FTPRecipes

HTH,
Dan
0
 
FirstDirectAuthor Commented:
Additional notes to the original.

When in "Permissive" mode we have write access. When in "enforcing" mode we do not.

Dan how would I do that?
my directory for where a user ftp folder will be is "/var/ftpd/xxxfolderxxx"
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
FirstDirectAuthor Commented:
Would we want to run something like the following?

sudo /usr/sbin/semanage boolean -m --on ftpd_connect_db

Open in new window


Since we have configured ProFTPD to use a MySql DB? And where do I run this? On the SSH command line?
0
 
FirstDirectAuthor Commented:
I have seen instructions such as this.
http://serverfault.com/questions/494976/proftpd-and-selinux-mkdir-permission-denied


Would this change much if we are storing users in a mysql db?
0
 
savoneConnect With a Mentor Commented:
I would suggest looking at the audit log (/var/log/audit/audit.log) to see selinux messages.

I am not familiar with ProFTP, but I assume that is the daemon name under which it runs.  So you can grep like so:

grep -i proftp /var/log/audit/audit.log

If you see messages in there, then you can create a custom policy for selinux to allow proftp write access, like so:

grep -i proftp /var/log/audit/audit.log | audit2allow -M myproftppol

You will then have to run:

 semodule -i myproftppol.pp

Again, I would read the logs to make sure you know what you are allowing.  Also if audit2allow is not installed, you may have to install it.  It is part of the policycoreutils-python package, so:

yum install policycoreutils-python

Good luck, Selinux is great, but it can be a pain.
0
 
FirstDirectAuthor Commented:
Would you recommend simply changing SELinux to a passive mode?
0
 
savoneCommented:
I personally never disable SELINUX, which is basically what you will be doing with permissive mode.  Permissive mode allows the action, instead of stopping it but logs it.  Basically let's the security breach happen, but logs it.  

If you are going to admin a Linux system these days you will have to learn to use SELINUX.  Even Android has SELINUX by default now.  Did you try my above suggestion?
0
 
FirstDirectAuthor Commented:
I am going to try that when I get back to my desk. I don't have any experience creating policy's.

Is the package audit2allow a key part of making policy's?
0
 
savoneCommented:
It is a key part of easily making policies, yes.
0
 
FirstDirectAuthor Commented:
We are now able to get ProFTPd to work.
0
All Courses

From novice to tech pro — start learning today.