Setting SELinux for vsftpd
Rick Stevens
ricks at nerd.com
Tue Jan 6 19:02:26 UTC 2009
Mark Haney wrote:
> I've got a server that we use to do speed testing of our upstreams (and
> customers' links) using FTP. This is a fresh F10 install and I'm getting
> what seems to be a very common selinux ftp error (226 Failed to open
> directory). I've googled up a couple of forum posts on how to fix it,
> but most say just to disable selinux. That I'd not like to do.
> However, one of the options says to do this:
>
> setsebool -P ftpd_disable_trans 1
>
> But I get an error:
>
> [root@noc5 speedtest]# setsebool -P ftpd_disable_trans 1
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean ftpd_disable_trans
> Could not change policy booleans
>
> I have seen the GUI method of doing this, but since I don't run X on
> this server that's not much help. What's the correct method of setting
> selinux up for this?
I don't believe that's a legit SELinux boolean for F10. A default
SELinux config on F10 shows:

[root@prophead ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

as the only legit booleans having to do with ftp. A check of the
SELinux logs would be far more useful, but my guess is that SELinux is
blocking access to home directories. In that case, try

[root@prophead ~]# setsebool -P ftp_home_dir 1

wait a minute or so after issuing that command before you try an FTP
login and transfer again...some stuff needs relabeling after that
command and it takes a bit of time to do that.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- If one is what one eats, then I am fast, cheap and greasy! -
----------------------------------------------------------------------
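An added example, not part of the original message or of any Fedora tool: a shell check that looks a boolean up by exact name in `getsebool -a` style output before any `setsebool -P` is attempted, so a name the loaded policy does not define is reported instead of producing the libsemanage "record not found" error quoted above. The function names `sebool_state` and `plan_setsebool` are hypothetical, and the sample listing is the output quoted in the reply, embedded so the script runs without SELinux.

```shell
#!/bin/sh
# Constructed sample input: the `getsebool -a | grep ftp` listing quoted in the reply.
SAMPLE_BOOLEANS='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off'

# sebool_state NAME LISTING  (hypothetical helper)
# Prints "on" or "off" for NAME; returns 1 if the policy listing has no such boolean.
# The match is on the exact name, so "ftp" alone does not match "ftp_home_dir".
sebool_state() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { exit !found }'
}

# plan_setsebool NAME VALUE LISTING  (hypothetical helper)
# Changes nothing. Prints "missing" (returns 1) when NAME is not defined,
# "already" when it has the requested state, or the command that would set it.
plan_setsebool() {
    name=$1 want=$2 listing=$3
    case $want in
        1|on|true)   want=on ;;
        0|off|false) want=off ;;
        *) echo invalid; return 2 ;;
    esac
    if ! cur=$(sebool_state "$name" "$listing"); then
        echo missing
        return 1
    fi
    if [ "$cur" = "$want" ]; then
        echo already
    else
        echo "setsebool -P $name $want"
    fi
}

# The two booleans from the thread, checked against the sample listing.
for b in ftpd_disable_trans ftp_home_dir; do
    printf '%s: %s\n' "$b" "$(plan_setsebool "$b" 1 "$SAMPLE_BOOLEANS" || true)"
done
```

On a live host, pass `"$(getsebool -a)"` as the listing argument instead of the sample.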