vsftpd with selinux on FC3

Daniel J Walsh dwalsh at redhat.com
Wed May 18 12:28:41 UTC 2005


James Z. Li wrote:

>Hi there, 
>
>I am configuring Selinux to protect vsftpd on my FC3 box. I follow the
>procedure of
>Chapter 8 Customizing and Writing Policy in Red Hat Enterprise Linux
>SELinux Guide.
>
>Step1: i created a file called 
>/etc/selinux/targeted/src/policy/domains/program/vsftpd.te
>the contents are
>#################################
>#
># Rules for the vsftpd_t domain.
>#
>daemon_domain(vsftpd)  
>
>the security context of this file was  root:object_r:policy_src_t
>
It should stay this way.

>I changed it by using
>chcon -u system_u vsftpd.te
>
>Step2: create /etc/selinux/targeted/src/policy/file_contexts/program/vsftpd.fc
>contents are
>/usr/sbin/vsftpd        --      system_u:object_r:vsftpd_exec_t
>/var/run/vsftpd.pid     --      system_u:object_r:vsftpd_var_run_t
>/etc/vsftpd/vsftpd.conf --      system_u:object_r:vsftpd_conf_t
>
>chcon -u system_u vsftpd.fc
>
>
User context will not matter.

>At this moment, the security context of /etc/vsftpd and vsftpd.conf are:
># ls -dZ /etc/vsftpd
>drwxr-xr-x  root     root     system_u:object_r:etc_t          /etc/vsftpd
>
>ls -Z /etc/vsftpd/vsftpd.conf
>-rw-------  root     root     system_u:object_r:etc_t         
>/etc/vsftpd/vsftpd.conf
>
>Step3: #make load
>Error message:
>...
>Validating file_contexts ...
>/usr/sbin/setfiles -q -c /etc/selinux/targeted/policy/policy.18
>/etc/selinux/targeted/contexts/files/file_contexts
>/usr/sbin/setfiles:  invalid context system_u:object_r:vsftpd_conf_t
>on line number 785
>make: *** [install] Error 1
>
>
First, do you want to protect vsftpd_conf_t from other domains reading it?
If you don't set this context it will default to etc_t, and almost no other
domains will be able to write it. If you want to add a file context you
would need to create it in the te file.

type vsftpd_conf_t, file_type, sysadmfile;

I would not advise this, and would just leave it etc_t.

>Could anyone help me on this? Thanks a lot!
>
>Btw, should I set the security context of /etc/vsftpd/vsftpd.conf to
>vsftpd_conf_t
>or vsftpd_etc_t? I am confused about some existing context, such as
>
>#ls -dZ /etc/httpd/
>drwxr-xr-x  root     root     system_u:object_r:httpd_config_t /etc/httpd/
>#ls -Z /etc/httpd/conf/httpd.conf
>-rw-r--r--  root     root     system_u:object_r:httpd_config_t
>/etc/httpd/conf/httpd.conf
>
>BUT, 
># ls -dZ /etc/snmp/
>drwxr-xr-x  root     root     system_u:object_r:etc_t          /etc/snmp/
># ls -Z /etc/snmp/snmpd.conf
>-rw-r--r--  root     root     system_u:object_r:snmpd_etc_t   
>/etc/snmp/snmpd.conf
>
>
Usually I would only set up a conf file or etc file if a certain domain
needs the ability to write to it.

BTW, if you look at strict policy, there is an ftpd context that works on
vsftpd. I would recommend you look at the one in rawhide.

>Thanks,
>
>James
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>


-- 
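A pre-flight check for the mismatch behind the setfiles error above, added here as an example and not part of the thread: it lists every type a .fc file names that the .te file never declares, so the undeclared vsftpd_conf_t shows up before `make load` fails. It assumes daemon_domain(X) declares X_t, X_exec_t and X_var_run_t (consistent with setfiles accepting vsftpd_exec_t and vsftpd_var_run_t), and the sample file contents are constructed to mirror James's files.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the types a .fc file references
# that the matching .te file never declares: the cause of the
# "invalid context system_u:object_r:vsftpd_conf_t" error from setfiles.

# Constructed sample inputs mirroring the files in the thread (kept in
# variables so this runs offline; pass real file contents via "$(cat ...)").
SAMPLE_TE='#
# Rules for the vsftpd_t domain.
#
daemon_domain(vsftpd)'
SAMPLE_FC='/usr/sbin/vsftpd        --      system_u:object_r:vsftpd_exec_t
/var/run/vsftpd.pid     --      system_u:object_r:vsftpd_var_run_t
/etc/vsftpd/vsftpd.conf --      system_u:object_r:vsftpd_conf_t'

# undeclared_fc_types TE_TEXT FC_TEXT: print each undeclared type once.
undeclared_fc_types() {
    declared=$(printf '%s\n' "$1" | awk '
        # Explicit declarations: "type foo_t, file_type, sysadmfile;"
        /^[ \t]*type[ \t]/ {
            sub(/^[ \t]*type[ \t]+/, ""); sub(/[ \t,;].*/, ""); print
        }
        # daemon_domain(foo): assumed to declare foo_t, foo_exec_t and
        # foo_var_run_t, matching what setfiles accepted in the thread.
        /^[ \t]*daemon_domain\(/ {
            n = $0; sub(/^[ \t]*daemon_domain\(/, "", n); sub(/[ \t,)].*/, "", n)
            print n "_t"; print n "_exec_t"; print n "_var_run_t"
        }')
    printf '%s\n' "$2" | awk -v declared="$declared" '
        BEGIN { k = split(declared, d, "\n"); for (i = 1; i <= k; i++) seen[d[i]] = 1 }
        NF == 0 || /^[ \t]*#/ { next }          # skip blank and comment lines
        {
            # The context is the last field, user:role:type; <<none>> has no colons.
            if (split($NF, p, ":") >= 3 && !(p[3] in seen) && !(p[3] in shown)) {
                shown[p[3]] = 1; print p[3]
            }
        }'
}

# Wrapper for a policy source tree such as /etc/selinux/targeted/src/policy:
# check one .te file against one .fc file (hypothetical helper name).
check_policy_files() {
    undeclared_fc_types "$(cat "$1")" "$(cat "$2")"
}

undeclared_fc_types "$SAMPLE_TE" "$SAMPLE_FC"   # prints: vsftpd_conf_t
```

Running the check against the real files, e.g. `check_policy_files domains/program/vsftpd.te file_contexts/program/vsftpd.fc`, reports the same vsftpd_conf_t until a `type vsftpd_conf_t, file_type, sysadmfile;` line is added to the .te file (or the .fc entry is dropped in favour of etc_t, as Dan recommends).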