Red Hat Bugzilla – Bug 188933
selinux disallows anonymous incoming files with vsftpd
Last modified: 2007-11-30 17:11:30 EST
SELinux seems to disallow anonymous login to upload files, although I'm not
seeing any selinux messages popping up in /var/log/messages or dmesg.
This is with:
As a workaround to enable anonymous uploading, one can set "disable SELinux
protection for ftpd daemon" in the security level configuration. I suppose
another workaround would be to disable SELinux altogether, which has the
beneficial side effect of fixing a variety of other problems with acroread,
vmware, and nvidia drivers.
man ftpd_selinux shows
SELinux requires files to have an extended attribute to define the file
type. Policy governs the access daemons have to these files. If you
want to share files anonymously, you must label the files and directories
public_content_t. So if you created a special directory /var/ftp,
you would need to label the directory with the chcon tool.
chcon -R -t public_content_t /var/ftp
If you want to setup a directory where you can upload files to you must
label the files and directories ftpd_anon_rw_t. So if you created a
special directory /var/ftp/incoming, you would need to label the directory
with the chcon tool.
chcon -t public_content_rw_t /var/ftp/incoming
You must also turn on the boolean allow_ftpd_anon_write.
setsebool -P allow_ftpd_anon_write=1
okay, so in summary, disable selinux.
Forgive me a rant, but I think it is a problem that there's no straightforward
path to discovering what's going wrong for a common Fedora user. For instance,
it's understandable that you read through the man page of vsftpd and
vsftpd.conf, as well as the vsftpd.conf file itself to figure out how to enable
anonymous ftp and anonymous ftp uploading.
You do that, start up vsftpd, and you're good to go, right? Nope, doesn't work.
No error messages in any log files. No error messages in dmesg. The ftp daemon
just says you're not allowed to write in the directory. How is somebody supposed
to intelligently debug that?
If I didn't know that disabling selinux was the first thing to check for
basically everything that goes wrong with Fedora these days, I could have spent
hours screwing around with my computer getting anonymous ftp to work. The
vsftpd man pages and vsftpd.conf make absolutely no mention that there's some
selinux magic that needs to be enabled. Oh, there's a man page for
ftpd_selinux. That's great, but who would know that it even exists and it's
where they need to look to find the solution?
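The labelling-and-boolean procedure from ftpd_selinux quoted above, turned into a small check that reports which of the two steps is still missing. This is an added example, not from the bug report or the vsftpd/SELinux projects; it assumes GNU stat (whose %C prints the SELinux context), getsebool, and /var/ftp/incoming as the default directory.

```shell
#!/bin/sh
# Added example: decide whether SELinux will let vsftpd write anonymous
# uploads into a directory, from the directory's SELinux type and the
# allow_ftpd_anon_write boolean (renamed ftpd_anon_write in later policies).
# Inputs are passed as strings so the logic can be checked offline;
# live_check() shows how to collect them on a real host.

# context_type CONTEXT -> the type field of an SELinux context,
# e.g. "system_u:object_r:public_content_t:s0" -> public_content_t
context_type() {
  printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# bool_state "getsebool output" -> on|off, from a line such as
# "allow_ftpd_anon_write --> off"
bool_state() {
  printf '%s\n' "$1" | awk '{ print $NF }'
}

# anon_upload_status TYPE BOOL [DIR] -> prints "ok" when uploads are allowed,
# otherwise the ftpd_selinux(8) commands that are still missing.
anon_upload_status() {
  type="$1"; bool="$2"; dir="${3:-/var/ftp/incoming}"
  fixes=""
  case "$type" in
    public_content_rw_t) ;;   # writable-by-daemon label: nothing to do
    *)                        # public_content_t is read-only; anything else
                              # (e.g. var_t) is not shareable at all
      fixes="chcon -t public_content_rw_t $dir" ;;
  esac
  if [ "$bool" != "on" ]; then
    if [ -n "$fixes" ]; then
      fixes="$fixes; setsebool -P allow_ftpd_anon_write=1"
    else
      fixes="setsebool -P allow_ftpd_anon_write=1"
    fi
  fi
  printf '%s\n' "${fixes:-ok}"
}

# live_check [DIR]: gather both inputs from the running system (assumed tools:
# GNU stat with %C, and getsebool from policycoreutils).
live_check() {
  dir="${1:-/var/ftp/incoming}"
  ctx=$(stat -c %C "$dir") || return 1
  b=$(getsebool allow_ftpd_anon_write 2>/dev/null) || b="allow_ftpd_anon_write --> unknown"
  anon_upload_status "$(context_type "$ctx")" "$(bool_state "$b")" "$dir"
}
```

On a host, source the file and run `live_check /var/ftp/incoming`; an "ok" result means the remaining failure is not one of the two conditions the man page describes, so the AVC messages in the audit log are the next place to look.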
There should be avc messages in /var/log/messages or /var/log/audit/audit.log if
you are running auditd.
We are working on an infrastructure to translate these messages to something
that is humanly understandable.
The information missing from the man page should be bugzilla'd.
And another related problem. The boolean allow_ftpd_anon_write is under the
Other tab in the Security Level Configuration application, rather than under the
Closing this as not a bug. This can be pretty easily turned on in