Bug 188933 - selinux disallows anonymous incoming files with vsftpd
selinux disallows anonymous incoming files with vsftpd
Product: Fedora
Classification: Fedora
Component: vsftpd (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Radek Vokal
Mike McLean
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2006-04-13 14:55 EDT by Andy Loening
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-05-29 07:48:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andy Loening 2006-04-13 14:55:00 EDT
SELinux seems to disallow anonymous login to upload files, although I'm not
seeing any selinux messages popping up in /var/log/messages or dmesg.

This is with:

As a work around to enable anonymous uploading, one can set "disable SELinux
protection for ftpd daemon" in the security level configuration.  I suppose
another work around would be to disable SELinux all together, which has the
benefical side effect of fixing a variety of other problems with acroread,
vmware, and nvidia drivers.
Comment 1 Daniel Walsh 2006-04-14 09:36:58 EDT
man ftpd_selinux shows

       SELinux requires files to have an extended attribute to define the file
       type.   Policy  governs the access daemons have to these files.  If you
       want to share files anonymously, you must label the files and  directo-
       ries public_content_t.  So if you created a special directory /var/ftp,
       you would need to label the directory with the chcon tool.

       chcon -R -t public_content_t /var/ftp

       If you want to setup a directory where you can upload files to you must
       label  the  files  and directories ftpd_anon_rw_t.  So if you created a
       special directory /var/ftp/incoming, you would need to label the direc-
       tory with the chcon tool.

       chcon -t public_content_rw_t /var/ftp/incoming

       You must also turn on the boolean allow_ftpd_anon_write.

       setsebool -P allow_ftpd_anon_write=1
Comment 2 Andy Loening 2006-04-14 12:48:46 EDT
okay, so in summary, disable selinux.
Comment 3 Andy Loening 2006-04-14 14:48:03 EDT
Forgive me a rant, but I think it is a problem that there's no straight foward 
path to discovering what's going wrong for a common Fedora user. For instance,
it's understandable that you read through the man page of vsftpd and
vsftpd.conf, as well as the vsftpd.conf file itself to figure out how to enable
anonymous ftp and anonymous ftp uploading.

You do that, start up vsftpd, and you're good to go, right?  Nope, doesn't work.
 No error messages in any log files.  No error messages in dmesg. The ftp daemon
just says you're not allowed to write in the directory.  How is somebody suppose
to intelligently debug that?

If I didn't know that disabling selinux was the first thing to check for
basically everything that goes wrong with Fedora these days, I could of spent
hours screwing around with my computer getting anonymous ftp to work.  The
vsftpd man pages and vsftpd.conf make absolutely no mention that there's some
selinux magic that needs to be enabled.  Oh, there's a man page for
ftpd_selinux.  That's great, but who would know that it even exists and its
where they need to look to find the solution?
Comment 4 Daniel Walsh 2006-04-14 14:54:30 EDT
There should be avc messages in /var/log/messages or /var/log/audit/audit.log if
you are running auditd.

We are working on an infrastructure to translate these messages to something
that is humanly understandable.  

The information missing from the man page should be bugzilla'd.

Comment 5 Andy Loening 2006-04-17 15:29:46 EDT
And another related problem.  The boolean allow_ftpd_anon_write is under the
Other tab in the Security Level Configuration application, rather than under the
FTP tab.
Comment 6 Radek Vokal 2006-05-29 07:48:50 EDT
Closing this as not a bug. This can be pretty easily turned on in

Note You need to log in before you can comment on or make changes to this bug.