vsftpd with selinux on FC3
Ivan Gyurdiev
ivg2 at cornell.edu
Sun May 15 04:05:18 UTC 2005
> Step1: i created a file called
> /etc/selinux/targeted/src/policy/domains/program/vsftpd.te
> the contents are
> #################################
> #
> # Rules for the vsftpd_t domain.
> #
> daemon_domain(vsftpd)
What's wrong with the ftpd.te policy, currently available in the FC4
packages?
> the security context of this file was root:object_r:policy_src_t
> I changed it by using
> chcon -u system_u vsftpd.te
>
> Step2: create /etc/selinux/targeted/src/policy/file_contexts/program/vsftpd.fc
> contents are
> /usr/sbin/vsftpd -- system_u:object_r:vsftpd_exec_t
> /var/run/vsftpd.pid -- system_u:object_r:vsftpd_var_run_t
> /etc/vsftpd/vsftpd.conf -- system_u:object_r:vsftpd_conf_t
>
> chcon -u system_u vsftpd.fc
I don't think this matters...
> At this moment, the security context of /etc/vsftpd and vsftpd.conf are:
> # ls -dZ /etc/vsftpd
> drwxr-xr-x root root system_u:object_r:etc_t /etc/vsftpd
>
> ls -Z /etc/vsftpd/vsftpd.conf
> -rw------- root root system_u:object_r:etc_t
> /etc/vsftpd/vsftpd.conf
>
> Step3: #make load
> Error message:
> ...
> Validating file_contexts ...
> /usr/sbin/setfiles -q -c /etc/selinux/targeted/policy/policy.18
> /etc/selinux/targeted/contexts/files/file_contexts
> /usr/sbin/setfiles: invalid context system_u:object_r:vsftpd_conf_t
> on line number 785
> make: *** [install] Error 1
>
> Could anyone help me on this? Thanks a lot!
You need to define the type vsftpd_conf_t in the vsftpd.te file,
before you can use it in your file_contexts file. Look at how the FC4
ftp policy is done, or better just use that instead...
> Btw, should I set the security context of /etc/vsftpd/vsftpd.conf to
> vsftpd_conf_t
> or vsftpd_etc_t? I am confused about some existing context, such as
You're creating the type, so the decision is up to you -
both appear in different places in the policy. The etc_t one can
be created simply by calling the etc_domain macro.
--
Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University
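
The rule stated in the reply above (a type must be declared in the .te file before a file_contexts entry may use it) can be checked before running make load. The following is an added example, not part of the original message or of the Fedora policy sources. The function names are hypothetical, and the MACRO_TYPES table is an assumption about which types the two macros named in the thread declare. It reads only one .te file, so types declared elsewhere in the policy would also be reported.

```python
import re

# Assumption: types each old-style (FC3-era) policy macro declares for a given
# prefix. Only the two macros named in the thread are modelled here.
MACRO_TYPES = {
    "daemon_domain": ("{0}_t", "{0}_exec_t", "{0}_var_run_t"),
    "etc_domain": ("{0}_etc_t",),
}

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)")       # type foo_t, attr, ...;
MACRO_CALL = re.compile(r"^\s*(\w+)\(\s*(\w+)")   # some_macro(prefix...)
FC_CONTEXT = re.compile(r"\S+:object_r:(\w+)")    # user:object_r:type


def declared_types(te_text):
    """Collect types declared directly or via a known macro in a .te file."""
    types = set()
    for line in te_text.splitlines():
        line = line.split("#", 1)[0]              # drop comments
        m = TYPE_DECL.match(line)
        if m:
            types.add(m.group(1))
            continue
        m = MACRO_CALL.match(line)
        if m and m.group(1) in MACRO_TYPES:
            types.update(t.format(m.group(2)) for t in MACRO_TYPES[m.group(1)])
    return types


def undeclared_fc_types(te_text, fc_text):
    """Return (line_no, type) for each .fc context whose type is never declared."""
    known = declared_types(te_text)
    missing = []
    for no, line in enumerate(fc_text.splitlines(), 1):
        m = FC_CONTEXT.search(line.split("#", 1)[0])
        if m and m.group(1) not in known:
            missing.append((no, m.group(1)))
    return missing


# The two files as posted in the thread.
TE = "# Rules for the vsftpd_t domain.\ndaemon_domain(vsftpd)\n"
FC = """/usr/sbin/vsftpd -- system_u:object_r:vsftpd_exec_t
/var/run/vsftpd.pid -- system_u:object_r:vsftpd_var_run_t
/etc/vsftpd/vsftpd.conf -- system_u:object_r:vsftpd_conf_t
"""

if __name__ == "__main__":
    for no, t in undeclared_fc_types(TE, FC):
        print(f"vsftpd.fc line {no}: type {t} is not declared in vsftpd.te")
```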
More information about the fedora-selinux-list
mailing list