How to allow vsftpd to listen on other ports?
Stephen Smalley
sds at tycho.nsa.gov
Wed Mar 8 18:14:25 UTC 2006
On Wed, 2006-03-08 at 19:03 +0100, Dawid Gajownik wrote:
> Hi!
>
> I wanted vsftpd to listen on 750 or 777 port. SELinux does not like this
>
> type=AVC msg=audit(1141840161.184:107): avc: denied { name_bind } for
> pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t
> tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
> type=AVC msg=audit(1141840470.444:114): avc: denied { name_bind } for
> pid=5495 comm="vsftpd" src=750 scontext=root:system_r:ftpd_t
> tcontext=system_u:object_r:kerberos_port_t tclass=tcp_socket
>
> I've downloaded selinux-policy-targeted-sources rpm and wanted to add
> this line:
>
> portcon tcp 750 system_u:object_r:ftp_port_t
>
> The problem is that I don't know where should it be placed. It does not
> work in domains/misc/local.te -- `make load' fails ;-)
>
> OS: FC4
> selinux-policy-targeted-sources: 1.27.1-2.22
Needs to go in net_contexts, and put before the catchall cases for
reserved_port_t.
In FC5, you'll have much nicer options for such customization via
semanage without needing policy sources at all.
--
Stephen Smalley
National Security Agency
More information about the selinux
mailing list