How to allow vsftpd to listen on other ports?

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 8 18:14:25 UTC 2006


On Wed, 2006-03-08 at 19:03 +0100, Dawid Gajownik wrote:
> Hi!
> 
> I wanted vsftpd to listen on port 750 or 777. SELinux does not like this:
> 
> type=AVC msg=audit(1141840161.184:107): avc:  denied  { name_bind } for 
>   pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t 
> tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
> type=AVC msg=audit(1141840470.444:114): avc:  denied  { name_bind } for 
>   pid=5495 comm="vsftpd" src=750 scontext=root:system_r:ftpd_t 
> tcontext=system_u:object_r:kerberos_port_t tclass=tcp_socket
> 
> I've downloaded selinux-policy-targeted-sources rpm and wanted to add 
> this line:
> 
> portcon tcp 750 system_u:object_r:ftp_port_t
> 
> The problem is that I don't know where it should be placed. It does not 
> work in domains/misc/local.te -- `make load' fails ;-)
> 
> OS: FC4
> selinux-policy-targeted-sources: 1.27.1-2.22

Needs to go in net_contexts, and put before the catchall cases for
reserved_port_t.

In FC5, you'll have much nicer options for such customization via
semanage without needing policy sources at all.

-- 
Stephen Smalley
National Security Agency
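The placement rule in the reply matters because the kernel labels a port with the first portcon that matches it, so a specific entry written after the `1-1023` reserved_port_t catchall is never reached. The script below is an added example, not code from the thread or from the FC4 policy package: it inserts a `portcon tcp PORT system_u:object_r:TYPE` line into a net_contexts file ahead of the first reserved_port_t entry, and (an assumption extending the reply, based on the same first-match rule) also ahead of any existing entry for that port, which is what the 750/kerberos_port_t denial above would need. The net_contexts excerpt inside `demo` is constructed to resemble the FC4 file, not copied from it.

```shell
#!/bin/sh
# Added example (not from the original thread): place a portcon line in a
# monolithic-policy net_contexts file ahead of the reserved_port_t catchall.
# Port labelling is first-match, so a specific portcon written after
# "portcon tcp 1-1023 ... reserved_port_t" would never take effect.

# add_portcon FILE PORT TYPE
# Inserts "portcon tcp PORT system_u:object_r:TYPE" before the first line that
# is either a reserved_port_t entry or an existing entry for the same tcp port
# (assumption: first match wins, so the new line must precede both).
# Does nothing if that exact line is already present.
add_portcon() {
    file=$1 port=$2 type=$3
    line="portcon tcp $port system_u:object_r:$type"
    if grep -qxF "$line" "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v ins="$line" -v pat="^portcon tcp $port " '
        !done && (/reserved_port_t/ || $0 ~ pat) { print ins; done = 1 }
        { print }
        END { if (!done) print ins }   # no catchall found: append at the end
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# portcon_line FILE PORT
# Prints the line number of the first portcon for the given tcp port, so the
# ordering relative to the catchall can be checked after editing.
portcon_line() {
    grep -n "^portcon tcp $2 " "$1" | head -n 1 | cut -d: -f1
}

# Constructed excerpt shaped like FC4's net_contexts (hypothetical content).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
portcon tcp 21 system_u:object_r:ftp_port_t
portcon tcp 750 system_u:object_r:kerberos_port_t
portcon tcp 1-1023 system_u:object_r:reserved_port_t
portcon udp 1-1023 system_u:object_r:reserved_port_t
EOF
    add_portcon "$f" 777 ftp_port_t   # was reserved_port_t in the AVC
    add_portcon "$f" 750 ftp_port_t   # was kerberos_port_t in the AVC
    cat "$f"
    rm -f "$f"
}

demo
```

After editing net_contexts, `make load` in the policy sources directory rebuilds and loads the policy as before. On FC5 and later the same result needs no sources: `semanage port -a -t ftp_port_t -p tcp 777` adds a new mapping, and `semanage port -l | grep ftp_port_t` shows what is in effect; for a port that already carries a label, such as 750 with kerberos_port_t, semanage refuses `-a` and `-m` is used instead.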
