vsftpd with selinux on FC3

Ivan Gyurdiev ivg2 at cornell.edu
Sun May 15 04:05:18 UTC 2005


> Step1: i created a file called 
> /etc/selinux/targeted/src/policy/domains/program/vsftpd.te
> the contents are
> #################################
> #
> # Rules for the vsftpd_t domain.
> #
> daemon_domain(vsftpd)  

What's wrong with the ftpd.te policy, currently available in the FC4
packages?

> the security context of this file was  root:object_r:policy_src_t
> I changed it by using
> chcon -u system_u vsftpd.te
> 
> Step2: create /etc/selinux/targeted/src/policy/file_contexts/program/vsftpd.fc
> contents are
> /usr/sbin/vsftpd        --      system_u:object_r:vsftpd_exec_t
> /var/run/vsftpd.pid     --      system_u:object_r:vsftpd_var_run_t
> /etc/vsftpd/vsftpd.conf --      system_u:object_r:vsftpd_conf_t
> 
> chcon -u system_u vsftpd.fc

I don't think this matters... 

> At this moment, the security context of /etc/vsftpd and vsftpd.conf are:
> # ls -dZ /etc/vsftpd
> drwxr-xr-x  root     root     system_u:object_r:etc_t          /etc/vsftpd
> 
> ls -Z /etc/vsftpd/vsftpd.conf
> -rw-------  root     root     system_u:object_r:etc_t          /etc/vsftpd/vsftpd.conf
> 
> Step3: #make load
> Error message:
> ...
> Validating file_contexts ...
> /usr/sbin/setfiles -q -c /etc/selinux/targeted/policy/policy.18 /etc/selinux/targeted/contexts/files/file_contexts
> /usr/sbin/setfiles:  invalid context system_u:object_r:vsftpd_conf_t on line number 785
> make: *** [install] Error 1
> 
> Could anyone help me on this? Thanks a lot!

You need to define the type vsftpd_conf_t in the vsftpd.te file,
before you can use it in your file_contexts file. Look at how the FC4
ftp policy is done, or better just use that instead...

> Btw, should I set the security context of /etc/vsftpd/vsftpd.conf to
> vsftpd_conf_t
> or vsftpd_etc_t? I am confused about some existing context, such as

You're creating the type, so the decision is up to you - 
both appear in different places in the policy. The etc_t one can
be created simply by calling the etc_domain macro.

-- 
Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University
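As an added illustration of the point made in this reply (not code from the original thread), a minimal vsftpd.te in the FC3-era monolithic policy syntax that declares vsftpd_conf_t before vsftpd.fc references it; the attribute, macro and permission names (file_type, sysadmfile, r_file_perms, etc_domain) are assumptions about that policy version:

```m4
#################################
#
# Rules for the vsftpd_t domain.
#
# daemon_domain() is assumed to supply vsftpd_t, vsftpd_exec_t and
# vsftpd_var_run_t, as the FC3/FC4 monolithic policy macros did, so
# those two types in vsftpd.fc need no extra declaration.
daemon_domain(vsftpd)

# Declare the config-file type HERE. setfiles validates every context in
# file_contexts against the compiled policy, so an undeclared type makes
# "make load" fail with "invalid context ... vsftpd_conf_t".
type vsftpd_conf_t, file_type, sysadmfile;

# Let the daemon search /etc/vsftpd (still etc_t) and read its config
# (assumed permission macro; r_file_perms = read getattr lock ioctl).
allow vsftpd_t etc_t:dir search;
allow vsftpd_t vsftpd_conf_t:file r_file_perms;

# Alternative naming: etc_domain(vsftpd) creates vsftpd_etc_t with the
# same read access wired up, so pick one type name and use it in both
# vsftpd.te and vsftpd.fc.
```

After `make load` succeeds, `restorecon -v /etc/vsftpd/vsftpd.conf` relabels the file from etc_t to the newly declared type.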
