vsftpd with selinux on FC3
Daniel J Walsh
dwalsh at redhat.com
Thu May 19 14:37:25 UTC 2005
James Z. Li wrote:
>Thanks a lot for your help.
>
>I installed FC4T3 to learn from its ftpd policy. However, its policy seems
>not to be working well. After 'service vsftpd start', I cannot make an ftp connection
>to it. The error messages are:
>...
>331 Please specify the password.
>Password:
>Error sending status request (Operation not permitted)
>Login failed.
>ftp> ls
>230 Login successful.
>Passive mode address scan failure. Shouldn't happen!
>ftp> bye
>215 UNIX Type: L8
>
>I went through the targeted policy for ftpd and wrote my own policy for vsftpd
>on FC3.
>
>vsftpd.te
>#################################
>#
># Rules for the vsftpd_t domain.
>#
>daemon_domain(vsftpd, `, auth_chkpwd')
>etc_domain(vsftpd)
>can_network(vsftpd_t)
>
>vsftpd.fc
>#################################
>/usr/sbin/vsftpd -- system_u:object_r:vsftpd_exec_t
>/var/run/vsftpd.pid -- system_u:object_r:vsftpd_var_run_t
>/etc/vsftpd/vsftpd.conf -- system_u:object_r:vsftpd_etc_t
>
>I know there are lots of scenarios missing here, like actions related to nfs and
>samba. I plan to keep adding more rules into these two files based on parsing
>avc error messages. Currently, the above policy works well on my home PC
>for both anonymous and non-anonymous ftp services without generating even
>one AVC error message. Interesting?!
>
>James
>
>
Yes, we have made some modifications to ftpd.te this past week to fix
this problem.
Could you grab the latest policy off of
ftp://people.redhat.com/dwalsh/SELinux/Fedora
which should make it into FC4/Final?
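
The workflow mentioned in the quoted message, growing vsftpd.te from AVC denials, can be sketched as follows. This is an added example, not code from the thread or from the Fedora policy: the log lines are constructed samples in the classic `avc: denied` format, and `context_type` and `candidate_rules` are hypothetical helper names. Each emitted rule is a candidate to review against what vsftpd actually needs before it goes into the policy.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original thread).
SAMPLE_LOG = """\
audit(1116513001.101:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/vsftpd name=notes.txt dev=hda2 ino=4001 scontext=system_u:system_r:vsftpd_t tcontext=system_u:object_r:user_home_t tclass=file
audit(1116513001.102:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/sbin/vsftpd path=/home/james/notes.txt dev=hda2 ino=4001 scontext=system_u:system_r:vsftpd_t tcontext=system_u:object_r:user_home_t tclass=file
audit(1116513001.103:0): avc:  denied  { search } for  pid=2101 exe=/usr/sbin/vsftpd name=james dev=hda2 ino=3990 scontext=system_u:system_r:vsftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
audit(1116513001.104:0): avc:  denied  { setuid } for  pid=2101 exe=/usr/sbin/vsftpd capability=7 scontext=system_u:system_r:vsftpd_t tcontext=system_u:system_r:vsftpd_t tclass=capability
audit(1116513001.105:0): avc:  denied  { read } for  pid=1999 exe=/usr/sbin/httpd name=passwd dev=hda2 ino=1200 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
audit(1116513001.106:0): avc:  granted  { load_policy } for  pid=1800 exe=/usr/sbin/load_policy scontext=root:system_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
kernel: unrelated line without an AVC record
"""

# Only "denied" records are of interest; "granted" and non-AVC lines do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of user:role:type, ignoring any trailing MLS level."""
    return context.split(":")[2]

def candidate_rules(log_text, source_domain="vsftpd_t"):
    """Merge denials for one source domain into candidate allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m["scon"]) != source_domain:
            continue
        target = context_type(m["tcon"])
        if target == source_domain:
            target = "self"  # policy idiom for a domain acting on itself
        grouped[(target, m["tclass"])].update(m["perms"].split())
    rules = []
    for (target, tclass), perms in sorted(grouped.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {source_domain} {target}:{tclass} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```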