vsftpd non-anonymous chrooting

Ted Rule ejtr at layer3.co.uk
Mon Aug 8 17:42:37 UTC 2005

Whilst using vsftpd in chroot'ed mode for non-anonymous usage, I've
found that I appear to have to add this to my SELinux strict policy:

allow ftpd_t self:capability { dac_override dac_read_search };

or possibly just this:

allow ftpd_t self:capability { dac_read_search };

Without at least the dac_read_search, an ftp login always seems to fail.

The description of these "dac" permissions on Tresys' site suggests to
me that vsftpd is being too "greedy" in requiring these permissions to
chroot successfully. Since anonymous ftp with SELinux surely works Ok
without this capability, (or too many other people would have
complained ), does this mean that the correct fix for this is a minor
rewrite to vsftpd, rather than a change in SELinux policy?

My current ftpd/SELinux/chroot related configuration:

$ sudo grep ftp /etc/selinux/strict/booleans

$ sudo grep chroot /etc/vsftpd/vsftpd.conf | grep -v "^#"

Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/

More information about the fedora-selinux-list mailing list