4.4. Configuration Examples
4.4.1. Uploading to an FTP site
The following example creates an FTP site that allows a dedicated user to upload files. It creates the directory structure and the required SELinux configuration changes:
- Run the
setsebool ftp_home_dir=1
command as the root user to enable access to FTP home directories. - Run the
mkdir -p /myftp/pub
command as the root user to create a new top-level directory. - Set Linux permissions on the
/myftp/pub/
directory to allow a Linux user write access. This example changes the owner and group from root to owneruser1
and group root. Replaceuser1
with the user you want to give write access to:~]#
chown user1:root /myftp/pub
~]#chmod 775 /myftp/pub
Thechown
command changes the owner and group permissions. Thechmod
command changes the mode, allowing theuser1
user read, write, and execute permissions, and members of the root group read, write, and execute permissions. Everyone else has read and execute permissions, which allows the Apache HTTP Server to read files from this directory. - When running SELinux, files and directories must be labeled correctly to allow access. Setting Linux permissions is not enough. Files labeled with the
public_content_t
type allow them to be read by FTP, Apache HTTP Server, Samba, and rsync. Files labeled with thepublic_content_rw_t
type can be written to by FTP. Other services, such as Samba, require Booleans to be set before they can write to files labeled with thepublic_content_rw_t
type. Label the top-level directory (/myftp/
) with thepublic_content_t
type, to prevent copied or newly-created files under/myftp/
from being written to or modified by services. Run the following command as the root user to add the label change to file-context configuration:~]#
semanage fcontext -a -t public_content_t /myftp
- Run the
restorecon -R -v /myftp/
command to apply the label change:~]#
restorecon -R -v /myftp/
restorecon reset /myftp context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0 - Confirm
/myftp
is labeled with thepublic_content_t
type, and/myftp/pub/
is labeled with thedefault_t
type:~]$
ls -dZ /myftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /myftp/ ~]$ls -dZ /myftp/pub/
drwxrwxr-x. user1 root unconfined_u:object_r:default_t:s0 /myftp/pub/ - FTP must be allowed to write to a directory before users can upload files via FTP. SELinux allows FTP to write to directories labeled with the
public_content_rw_t
type. This example uses/myftp/pub/
as the directory FTP can write to. Run the following command as the root user to add the label change to file-context configuration:~]#
semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"
- Run the
restorecon -R -v /myftp/pub
command as the root user to apply the label change:~]#
restorecon -R -v /myftp/pub
restorecon reset /myftp/pub context system_u:object_r:default_t:s0->system_u:object_r:public_content_rw_t:s0 - The
allow_ftpd_anon_write
Boolean must be on to allowvsftpd
to write to files that are labeled with thepublic_content_rw_t
type. Run the following command as the root user to enable this Boolean:~]#
setsebool -P allow_ftpd_anon_write on
Do not use the-P
option if you do not want changes to persist across reboots.
The following example demonstrates logging in via FTP and uploading a file. This example uses the
user1
user from the previous example, where user1
is the dedicated owner of the /myftp/pub/
directory:
- Run the
cd ~/
command to change into your home directory. Then, run themkdir myftp
command to create a directory to store files to upload via FTP. - Run the
cd ~/myftp
command to change into the~/myftp/
directory. In this directory, create anftpupload
file. Copy the following contents into this file:File upload via FTP from a home directory.
- Run the
getsebool allow_ftpd_anon_write
command to confirm theallow_ftpd_anon_write
Boolean is on:~]$
getsebool allow_ftpd_anon_write
allow_ftpd_anon_write --> onIf this Boolean is off, run thesetsebool -P allow_ftpd_anon_write on
command as the root user to enable it. Do not use the-P
option if you do not want the change to persist across reboots. - Run the
service vsftpd start
command as the root user to startvsftpd
:~]#
service vsftpd start
Starting vsftpd for vsftpd: [ OK ] - Run the
ftp localhost
command. When prompted for a user name, enter the user name of the user who has write access, then, enter the correct password for that user:~]$
ftp localhost
Connected to localhost (127.0.0.1). 220 (vsFTPd 2.1.0) Name (localhost:username): 331 Please specify the password. Password: Enter the correct password 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd myftp 250 Directory successfully changed. ftp> put ftpupload local: ftpupload remote: ftpupload 227 Entering Passive Mode (127,0,0,1,241,41). 150 Ok to send data. 226 File receive OK. ftp> 221 Goodbye.The upload succeeds as theallow_ftpd_anon_write
Boolean is enabled.