NAME¶
ftpd_selinux - Security-Enhanced Linux policy for ftp daemons.
DESCRIPTION¶
Security-Enhanced Linux provides security for ftp daemons via flexible mandatory
access control.
FILE_CONTEXTS¶
SELinux requires files to have a file type. File types may be specified with
semanage and are restored with restorecon. Policy governs the access that
daemons have to files.
- Allow ftp servers to read the /var/ftp directory by adding
the public_content_t file type to the directory and by restoring the file
type.
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
- restorecon -F -R -v /var/ftp
- Allow ftp servers to read and write /var/tmp/incoming by
adding the public_content_rw_t type to the directory and by restoring the
file type. This also requires the allow_ftpd_anon_write boolean to be
set.
semanage fcontext -a -t public_content_rw_t
"/var/ftp/incoming(/.*)?"
- restorecon -F -R -v /var/ftp/incoming
-
BOOLEANS¶
SELinux policy is based on least privilege required and may also be customizable
by setting a boolean with setsebool.
- Allow ftp servers to read and write files with the
public_content_rw_t file type.
setsebool -P allow_ftpd_anon_write on
- Allow ftp servers to read or write files in the user home
directories.
setsebool -P ftp_home_dir on
- Allow ftp servers to read or write all files on the
system.
setsebool -P allow_ftpd_full_access on
- Allow ftp servers to use cifs for public file transfer
services.
setsebool -P allow_ftpd_use_cifs on
- Allow ftp servers to use nfs for public file transfer
services.
setsebool -P allow_ftpd_use_nfs on
- system-config-selinux is a GUI tool available to customize
SELinux policy settings.
AUTHOR ¶
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
SEE ALSO¶
selinux(8),
ftpd(8),
setsebool(8),
semanage(8),
restorecon(8)