Red Hat Bugzilla – Bug 252585
SELinux is not allowing vsftpd to start when privileged ports (other than 21 and port < 1024) are assigned to it
Last modified: 2007-11-30 17:07:46 EST
I'm using a third party GUI to manage the different services on a RHEL5 (64 bit) system.
I have enabled the SELinux policy (target 21) in enforcing mode and the file system
is properly labelled. When I try to start vsftpd after assigning a privileged
port (other than 21, 20 and within the 1024 ports) I'm unable to start vsftpd.
However when I disable the SELinux policy I'm able to start it.
I just want to know if the SELinux policy doesn't allow my GUI to assign lower
privileged ports (< 1024) to vsftpd and if the answer is yes could you give me the
reasons or any link on the internet which gives me sufficient answers.
Please note that there are no issues when port 21 or ports > 1024 are assigned to
Attaching the SELinux troubleshoot logs which I get when I try to start vsftpd.
Created attachment 161499 [details]
SELinux trouble shoot log
Can I expect a quick response?
Still waiting for your response. How many more days will you need to reply??
As in the SELinux troubleshoot log:
*Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /etc/httpd/conf, restorecon -v
Your file context: system_u:object_r:dhcpd_state_t
It should be: system_u:object_r:httpd_config_t
This problem is not in vsftpd, but in labeling problems with httpd. This could
be caused by your third party GUI.
But this problem shouldn't stop vsftpd from starting. If you find another
problem or error caused by vsftpd, please let me know by reopening this bug.
I investigated further on this issue. This time I didn't install the third
party GUI for managing the services. On a plain RHEL5 Enterprise Linux system
with SELinux enabled in Enforcing mode I assigned port 200 to vsftpd
(/etc/vsftpd/vsftpd.conf, listen_port=200) and tried to start vsftpd using
/etc/init.d/vsftpd start but it failed to start. When I changed the port to the
unprivileged port 1029 and then tried starting it using /etc/init.d/vsftpd start
it started.
I didn't get any setroubleshoot log though. But I'm sure this is caused by
I request you to follow the method which I have given above to reproduce this
bug and reply to me.
Any updates about this bug? Still waiting for the response. Please go through my
comment no 5.
Hi, add the additional port 200 to the SELinux policy by:
semanage port -a -p tcp -t ftp_port_t 200
SELinux denies changing ports for some services (to < 1024) by default. This is not
a vsftpd bug.
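The two comments above describe the situation (a non-default listen_port=200 in vsftpd.conf that vsftpd cannot bind under enforcing mode) and the fix (semanage port -a -p tcp -t ftp_port_t 200). The following POSIX shell script is an added example, not part of this bug report or of vsftpd/policycoreutils: it reads a port listing in the layout that `semanage port -l` prints (type, protocol, comma-separated ports or lo-hi ranges), reports which SELinux port type a tcp port currently carries, and prints the semanage command an administrator would run before starting vsftpd on that port. The listing embedded in the script is a constructed sample, not output from a real RHEL5 host; the script also assumes that a dedicated single-port entry takes precedence over a catch-all range, and that `semanage port -m` is used to move a port that another dedicated type already owns.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a vsftpd listen_port
# needs an SELinux port label before vsftpd can bind it under enforcing mode.

# Constructed sample in the layout `semanage port -l` prints; replace with
# `semanage port -l` output on a real system.
SAMPLE_PORT_LIST='SELinux Port Type               Proto    Port Number
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 990
http_port_t                    tcp      80, 443, 8080
reserved_port_t                tcp      1-511
unreserved_port_t              tcp      1024-65535'

# port_in_spec PORT SPEC -> true if PORT equals SPEC or lies inside a "lo-hi" SPEC
port_in_spec() {
    case $2 in
        *-*) [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# _lookup PROTO PORT LISTING -> prints "TYPE exact" for a single-port entry,
# "TYPE range" when only a lo-hi range covers the port, nothing if unlabelled.
# Assumption: a dedicated single-port entry wins over a catch-all range.
_lookup() {
    proto=$1; port=$2; listing=$3
    exact=""; range=""
    while read -r type p specs; do
        case $type in *_t) ;; *) continue ;; esac   # skip header and blank lines
        [ "$p" = "$proto" ] || continue
        for spec in $(printf '%s' "$specs" | tr ',' ' '); do
            port_in_spec "$port" "$spec" || continue
            case $spec in
                *-*) range=${range:-$type} ;;
                *)   exact=${exact:-$type} ;;
            esac
        done
    done <<EOF
$listing
EOF
    if [ -n "$exact" ]; then printf '%s exact\n' "$exact"
    elif [ -n "$range" ]; then printf '%s range\n' "$range"
    fi
}

# port_type_for PROTO PORT [LISTING] -> the SELinux port type bound to PORT, or empty
port_type_for() {
    set -- $(_lookup "$1" "$2" "${3:-$SAMPLE_PORT_LIST}")
    printf '%s\n' "$1"
}

# needed_semanage_cmd PORT [LISTING] -> the semanage command that gives PORT the
# ftp_port_t label vsftpd is allowed to bind, or nothing if it already has it.
needed_semanage_cmd() {
    set -- "$1" $(_lookup tcp "$1" "${2:-$SAMPLE_PORT_LIST}")
    case "$2:$3" in
        ftp_port_t:exact) ;;   # already labelled for ftp, nothing to do
        *:exact)  # another dedicated type owns the port: modify rather than add
            printf 'semanage port -m -p tcp -t ftp_port_t %s\n' "$1" ;;
        *)        # unlabelled, or only covered by a generic range: add the label
            printf 'semanage port -a -p tcp -t ftp_port_t %s\n' "$1" ;;
    esac
}

# Stand-alone use: ./port_label.sh 200
needed_semanage_cmd "${1:-200}"
```

For the reporter's case the script prints `semanage port -a -p tcp -t ftp_port_t 200`, because port 200 is only covered by the reserved_port_t range in the sample. After running that command on a real system, `semanage port -l | grep ftp_port_t` should list 200 alongside 21, and `/etc/init.d/vsftpd start` can bind it under enforcing mode. Note that `semanage port -a` fails with "already defined" when a port has its own entry for a different type, which is why the script switches to `-m` in that case.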
Yes this is the correct thing to do. You can customize selinux policy using
BTW If you run setroubleshoot it should give you some of this information.
I don't get any setroubleshoot alert for this :(
I have reverified this on multiple systems. It would have been nice to get a
setroubleshoot alert for this case.