SELinux seems to disallow anonymous login to upload files, although I'm not seeing any selinux messages popping up in /var/log/messages or dmesg. This is with:

vsftpd-2.0.4-1.2
selinux-policy-2.2.29-3.fc5

As a workaround to enable anonymous uploading, one can set "disable SELinux protection for ftpd daemon" in the security level configuration. I suppose another workaround would be to disable SELinux altogether, which has the beneficial side effect of fixing a variety of other problems with acroread, vmware, and nvidia drivers.
man ftpd_selinux shows ...

SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.

    chcon -R -t public_content_t /var/ftp

If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.

    chcon -t public_content_rw_t /var/ftp/incoming

You must also turn on the boolean allow_ftpd_anon_write.

    setsebool -P allow_ftpd_anon_write=1
okay, so in summary, disable selinux.
Forgive me a rant, but I think it is a problem that there's no straightforward path to discovering what's going wrong for a common Fedora user. For instance, it's understandable that you read through the man page of vsftpd and vsftpd.conf, as well as the vsftpd.conf file itself to figure out how to enable anonymous ftp and anonymous ftp uploading. You do that, start up vsftpd, and you're good to go, right? Nope, doesn't work. No error messages in any log files. No error messages in dmesg. The ftp daemon just says you're not allowed to write in the directory. How is somebody supposed to intelligently debug that? If I didn't know that disabling selinux was the first thing to check for basically everything that goes wrong with Fedora these days, I could have spent hours screwing around with my computer getting anonymous ftp to work. The vsftpd man pages and vsftpd.conf make absolutely no mention that there's some selinux magic that needs to be enabled. Oh, there's a man page for ftpd_selinux. That's great, but who would know that it even exists and it's where they need to look to find the solution?
There should be avc messages in /var/log/messages or /var/log/audit/audit.log if you are running auditd. We are working on an infrastructure to translate these messages to something that is humanly understandable. The information missing from the man page should be bugzilla'd.

Dan
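An added example, not part of the original report or of any comment in it: a small filter for the AVC records mentioned above that pairs each ftpd_t denial with the label or boolean named in the ftpd_selinux excerpt. The log lines are constructed samples, and the function names and hint strings are assumptions of this example.

```shell
#!/bin/sh
# Added example. The records below are CONSTRUCTED samples in the usual
# AVC denial layout; they are not taken from the bug report.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1146500000.101:41): avc:  denied  { write } for  pid=2301 comm="vsftpd" name="incoming" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1146500000.250:42): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=dm-0 ino=77120 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1146500003.007:43): avc:  denied  { add_name } for  pid=2301 comm="vsftpd" name="upload.txt" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
EOF
}

# ftpd_denials (hypothetical helper): reads audit or syslog text on stdin
# and prints one line per denial whose source domain is ftpd_t:
#   <permissions> <target type> <hint>
# The hint is a heuristic derived from the ftpd_selinux text quoted above:
#   target labelled public_content_t    -> upload dir needs public_content_rw_t
#   target labelled public_content_rw_t -> allow_ftpd_anon_write is probably off
ftpd_denials() {
    awk '
    /avc:/ && /denied/ && /scontext=[^ ]*:ftpd_t(:| |$)/ {
        # Permissions are the words between the braces.
        perm = $0
        sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
        gsub(/ +/, ",", perm)
        # The target type is the third field of tcontext=user:role:type[:level].
        tctx = $0
        sub(/.*tcontext=/, "", tctx); sub(/ .*/, "", tctx)
        split(tctx, f, ":"); ttype = f[3]
        if (ttype == "public_content_rw_t")
            hint = "check-boolean:allow_ftpd_anon_write"
        else if (ttype == "public_content_t")
            hint = "relabel:public_content_rw_t"
        else
            hint = "review-label"
        print perm, ttype, hint
    }'
}

# Run against the constructed sample. On a real host the input would be
# /var/log/audit/audit.log or /var/log/messages, as noted in the comment above.
sample_log | ftpd_denials
```

If the filter prints nothing while uploads still fail, the denial is not being logged where you are looking, which matches the symptom in the original report.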
And another related problem. The boolean allow_ftpd_anon_write is under the Other tab in the Security Level Configuration application, rather than under the FTP tab.
Closing this as not a bug. This can be pretty easily turned on in system-config-securitylevel.