Hi, I have two problems which I think they are similar.
1) I have a directory /var/www/don/html which is owned by don. I want to ftp some web pages, but I cannot cd to /var/www/don/html when SELinux is enabled. When I turn SELinux off it works. What do I need to set to allow this?
2) If I ftp the html files to my home dir and copy them to /var/www/don/html they cannot be read by the browser while SELinux is enabled.
Thanks in advance, Don
On Mon, 2006-05-29 at 21:47 -0700, Don wrote:
Hi, I have two problems which I think they are similar.
- I have a directory /var/www/don/html which is owned by don. I want to ftp some web pages, but I cannot cd to /var/www/don/html when SELinux is enabled. When I turn SELinux off it works. What do I need to set to allow this?
You'll need to allow this area to be writable by your ftp server as far as SELinux is concerned. It might be enough to do:
# chcon -R -t public_content_rw_t /var/www/don/html
# setsebool -P allow_ftpd_anon_write 1
but I suspect you'll also need a local policy tweak to allow the ftp server to access /var/www/don in the first place. If the above commands don't work, look in /var/log/messages for lines containing "avc: denied" after the time you made these changes, and post what you find here.
- If I ftp the html files to my home dir and copy them to /var/www/don/html they cannot be read by the browser while SELinux is enabled.
You'll need to change the security context of the files after copying them if you do it this way.
$ chcon -R -t httpd_sys_content_t /var/www/don/html
Paul.
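Paul's advice above, turned into a small triage script. This is an added example, not code from the thread or from the SELinux project: it reads constructed "avc: denied" lines of the kind Paul says to look for in /var/log/messages, extracts the source domain, target type, class and permission, and maps the (domain, type) pair to the remedy the thread gives (public_content_rw_t plus allow_ftpd_anon_write for the FTP server, httpd_sys_content_t for files the browser must read, ftp_home_dir for FTP into a home directory). The path /var/www/don/html is taken from the thread because an AVC line only carries the file name and inode, not the full path.

```shell
#!/bin/sh
# Added example (not from the thread): triage SELinux "avc: denied" lines
# and print the remedy discussed in the thread for each one.

# Constructed sample denials: hypothetical audit output, not real log data.
SAMPLE_AVC='May 30 10:12:01 host kernel: audit(1149012721.123:45): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="html" dev=sda3 ino=1234 scontext=root:system_r:ftpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
May 30 10:12:05 host kernel: audit(1149012725.456:46): avc:  denied  { read } for  pid=2346 comm="httpd" name="index.html" dev=sda3 ino=1235 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file'

# Reads log lines on stdin; prints one line per denial:
#   <comm> <perms> <source type> <target type> <class> <name>
summarize_avc() {
    awk '/avc: +denied/ {
        perms = comm = name = st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { for (j = i + 1; $j != "}"; j++) perms = perms (perms == "" ? "" : ",") $j }
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }  # user:role:type[:level]
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print comm, perms, st, tt, cls, name
    }'
}

# $1 = source type, $2 = target type, $3 = directory to relabel.
# The mapping is the one given in the thread; anything else needs a closer look.
suggest_fix() {
    case "$1:$2" in
        ftpd_t:public_content_rw_t) echo "label already writable for FTP; a local policy tweak may be needed, post the avc line" ;;
        ftpd_t:user_home_t)         echo "setsebool -P ftp_home_dir 1" ;;
        ftpd_t:*)                   echo "chcon -R -t public_content_rw_t $3 && setsebool -P allow_ftpd_anon_write 1" ;;
        httpd_t:httpd_sys_content_t) echo "label already readable by httpd; check ownership and mode" ;;
        httpd_t:*)                  echo "chcon -R -t httpd_sys_content_t $3" ;;
        *)                          echo "no thread remedy for $1 -> $2" ;;
    esac
}

# Reads log lines on stdin and prints one remedy hint per denial.
triage() {
    summarize_avc | while read -r comm perms st tt cls name; do
        echo "$comm denied $perms on $cls '$name' ($st -> $tt): $(suggest_fix "$st" "$tt" /var/www/don/html)"
    done
}

printf '%s\n' "$SAMPLE_AVC" | triage
```

Feed it real lines with `grep 'avc: *denied' /var/log/messages | triage`; the remedy is only a hint, the AVC line itself is what to post to the list.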
Paul Howarth wrote:
# setsebool -P allow_ftpd_anon_write 1
By the way, I think this boolean is rather misnamed: it allows write access by FTP in general, not only for anonymous users.
I thought authenticated users always had write access until I read the policy source, and found out I should turn this boolean on.
Renaming the boolean is probably not worth the compatibility breakage, but I hope we don't end up like the %_initrddir macro in rpm (which has nothing to do with initrd, but expands into /etc/rc.d/init.d)
Maybe change it now before it's too late (SELinux is too widely used)?
Aurélien
Aurelien Bompard wrote:
Paul Howarth wrote:
# setsebool -P allow_ftpd_anon_write 1
By the way, I think this boolean is rather misnamed: it allows write access by FTP in general, not only for anonymous users.
I thought authenticated users always had write access until I read the policy source, and found out I should turn this boolean on.
Did the "ftpd_selinux" manpage not help?
Renaming the boolean is probably not worth the compatibility breakage, but I hope we don't end up like the %_initrddir macro in rpm (which has nothing to do with initrd, but expands into /etc/rc.d/init.d)
I always wondered where that macro name came from. Still do!
Maybe change it now before it's too late (SELinux is too widely used)?
+1
Paul.
Paul Howarth wrote:
Did the "ftpd_selinux" manpage not help?
Well, this page does not say that turning on allow_ftpd_anon_write was necessary for authenticated users too. It does mention ftp_home_dir though.
I always wondered where that macro name came from. Still do!
It smells like a typo back in the days...
Aurélien