Bug 188933
| Summary: | selinux disallows anonymous incoming files with vsftpd | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andy Loening <loening> |
| Component: | vsftpd | Assignee: | Radek Vokál <rvokal> |
| Status: | CLOSED NOTABUG | QA Contact: | Mike McLean <mikem> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5 | CC: | dwalsh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-05-29 11:48:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andy Loening
2006-04-13 18:55:00 UTC
man ftpd_selinux shows
...
SELinux requires files to have an extended attribute to define the file
type. Policy governs the access daemons have to these files. If you
want to share files anonymously, you must label the files and directo-
ries public_content_t. So if you created a special directory /var/ftp,
you would need to label the directory with the chcon tool.
chcon -R -t public_content_t /var/ftp
If you want to setup a directory where you can upload files to you must
label the files and directories ftpd_anon_rw_t. So if you created a
special directory /var/ftp/incoming, you would need to label the direc-
tory with the chcon tool.
chcon -t public_content_rw_t /var/ftp/incoming
You must also turn on the boolean allow_ftpd_anon_write.
setsebool -P allow_ftpd_anon_write=1
okay, so in summary, disable selinux. Forgive me a rant, but I think it is a problem that there's no straight foward path to discovering what's going wrong for a common Fedora user. For instance, it's understandable that you read through the man page of vsftpd and vsftpd.conf, as well as the vsftpd.conf file itself to figure out how to enable anonymous ftp and anonymous ftp uploading. You do that, start up vsftpd, and you're good to go, right? Nope, doesn't work. No error messages in any log files. No error messages in dmesg. The ftp daemon just says you're not allowed to write in the directory. How is somebody suppose to intelligently debug that? If I didn't know that disabling selinux was the first thing to check for basically everything that goes wrong with Fedora these days, I could of spent hours screwing around with my computer getting anonymous ftp to work. The vsftpd man pages and vsftpd.conf make absolutely no mention that there's some selinux magic that needs to be enabled. Oh, there's a man page for ftpd_selinux. That's great, but who would know that it even exists and its where they need to look to find the solution? There should be avc messages in /var/log/messages or /var/log/audit/audit.log if you are running auditd. We are working on an infrastructure to translate these messages to something that is humanly understandable. The information missing from the man page should be bugzilla'd. Dan And another related problem. The boolean allow_ftpd_anon_write is under the Other tab in the Security Level Configuration application, rather than under the FTP tab. Closing this as not a bug. This can be pretty easily turned on in system-config-securitylevel. |