Friday, January 11, 2008

Fwd: Security Enhanced Linux for FTP

---------- Forwarded message ----------
From: Vincent Lee <leehongfay@yahoo.com>
Date: Nov 20, 2006 10:40 AM
Subject: Security Enhanced Linux for FTP
To: Wavelet Google <wavelet@googlegroups.com>


Guys,
When you are using Fedora 5 or the latest versions of Linux, you may encounter
some difficulty using the server for FTP. Read the manual below; it will save
you tonnes of time.
Cheers
Vincent

http://www.die.net/doc/linux/man/man8/ftpd_selinux.8.html

ftpd_selinux(8) - Linux man page
NAME
ftpd_selinux - Security Enhanced Linux Policy for the ftp daemon
DESCRIPTION

Security-Enhanced Linux secures the ftpd server via flexible mandatory access
control.
FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
Policy governs the access daemons have to these files. If you want to share
files anonymously, you must label the files and directories public_content_t.
So if you created a special directory /var/ftp, you would need to label the
directory with the chcon tool.

    chcon -R -t public_content_t /var/ftp

If you want to set up a directory where you can upload files to, you must label
the files and directories ftpd_anon_rw_t. So if you created a special directory
/var/ftp/incoming, you would need to label the directory with the chcon tool.

    chcon -t public_content_rw_t /var/ftp/incoming

You must also turn on the boolean allow_ftpd_anon_write.

    setsebool -P allow_ftpd_anon_write=1

If you want to make this permanent, i.e. survive a relabel, you must add an
entry to the file_contexts.local file:

    /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local

    /var/ftp(/.*)?            system_u:object_r:public_content_t
    /var/ftp/incoming(/.*)?   system_u:object_r:public_content_rw_t
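The labelling steps above, as an added shell example that is not part of the man page: it writes the file_contexts.local entries idempotently (so re-running the setup does not duplicate lines), applies the chcon labels and the boolean, and then uses a restorecon dry run to confirm the persistent rule agrees with the label actually set. It assumes the "targeted" policy type for the file_contexts.local path and lets FILE_CONTEXTS_LOCAL be overridden.

```shell
#!/bin/sh
# Added example, not from the man page: apply the ftpd labels and booleans
# described above and make them survive a relabel, re-runnably.
# Assumes the "targeted" policy type (POLICYTYPE in the man page); the
# FILE_CONTEXTS_LOCAL variable can point at a scratch file for testing.
set -eu

FILE_CONTEXTS_LOCAL="${FILE_CONTEXTS_LOCAL:-/etc/selinux/targeted/contexts/files/file_contexts.local}"

# Render one file_contexts.local entry. The "(/.*)?" suffix makes the
# rule cover the directory itself and everything beneath it.
fc_entry() {
    printf '%s(/.*)?\tsystem_u:object_r:%s\n' "$1" "$2"
}

# True when an entry for exactly this path regex already exists. Compares
# the first field, so /var/ftp does not match /var/ftp/incoming.
fc_has_entry() {
    [ -f "$FILE_CONTEXTS_LOCAL" ] &&
        awk -v p="$1(/.*)?" '$1 == p { found = 1 } END { exit !found }' \
            "$FILE_CONTEXTS_LOCAL"
}

# Append the entry only once, so repeated runs do not duplicate lines.
fc_add_persistent() {
    fc_has_entry "$1" || fc_entry "$1" "$2" >> "$FILE_CONTEXTS_LOCAL"
}

# The full procedure from the man page, followed by a consistency check:
# restorecon -n (dry run) -v (verbose) prints one line per file it would
# relabel, so no output means the persistent rule matches the live label.
ftp_selinux_setup() {
    share="$1"      # e.g. /var/ftp
    incoming="$2"   # e.g. /var/ftp/incoming
    fc_add_persistent "$share" public_content_t
    fc_add_persistent "$incoming" public_content_rw_t
    chcon -R -t public_content_t "$share"
    chcon -t public_content_rw_t "$incoming"
    setsebool -P allow_ftpd_anon_write 1
    ls -dZ "$share" "$incoming"
    getsebool allow_ftpd_anon_write
    restorecon -nvR "$share"
}

# Usage (as root on an SELinux host): ftp_selinux_setup /var/ftp /var/ftp/incoming
```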

BOOLEANS
SELinux ftp daemon policy is customizable based on least access required. So by
default SELinux does not allow users to log in and read their home directories.
If you are setting up this machine as a ftpd server and wish to allow users to
access their home directories, you need to set the ftp_home_dir boolean.

    setsebool -P ftp_home_dir 1

ftpd can run either as a standalone daemon or as part of the xinetd domain. If
you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.

    setsebool -P ftpd_is_daemon 1

You can disable SELinux protection for the ftpd daemon by executing:

    setsebool -P ftpd_disable_trans 1
    service vsftpd restart

system-config-securitylevel is a GUI tool available to customize SELinux policy
settings.

AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO

Confucius once said that individuals gain wisdom in three ways:
"First, by reflection, which is noblest; second, by imitation, which
is easiest; and third by experience, which is the bitterest."
--------------------
WAVELET SOLUTIONS SDN BHD 632468W (www.wavelet.biz)
GC-43, Ground Floor, Block C,
Kelana Square, 17 Jalan SS7/26,
Kelana Jaya, 47301 Selangor, Malaysia.
H/P: +6012-6018838
Tel: +603-78042207
Fax: +603-78042281
--------------------
CONFIDENTIAL NOTE:
The information contained in this email is intended only for the use
of the individual or entity named above and may contain information
that is privileged, confidential and exempt from disclosure under
applicable law. If you are not the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this
message in error, please immediately notify the sender and delete the
mail. Thank you.
