How to allow vsftpd to listen on other ports?

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 8 19:59:18 UTC 2006


On Wed, 2006-03-08 at 20:41 +0100, Dawid Gajownik wrote:
> On 03/08/2006 07:11 PM, user Stephen Smalley wrote:
> 
> > Needs to go in net_contexts, and put before the catchall cases for
> > reserved_port_t.
> 
> Thanks, it works but I wanted to avoid modifying this file. Does that 
> mean that I will need to edit it after every 
> selinux-policy-targeted-sources update? (I can use ftp port > 1023 so 
> this entry wouldn't need to be placed before reserved_port_t)

I think so.  One of the motivations for semanage in FC5.
refpolicy also makes an improvement in this area even in the source
policy situation IIUC, by allowing you to scatter portcon and similar
statements throughout the policy source files and have the build process
extract them for final processing.

> Yes, it's more user friendly :D I've just tested it on my rawhide box. 
> semanage man page sucks a bit (no examples), so it took me a few minutes 
> to construct this command:
> 
> semanage port -a -t ftp_port_t -p tcp 7777
> 
> Actually, it was unnecessary on FC5 ;-) It seems that SELinux policy 
> does not block vsftpd from binding to other ports (or my system is 
> broken?). I'm using selinux-policy-targeted-2.2.23-6 if it makes any 
> difference.

Policy (both FC4 and FC5) appears to allow ftpd to bind to generic ports
(port_t) outside of the reserved range plus the ftp data port and the
ftp service port.  Did you mean 777 or 7777?  One would be mapped to
reserved_port_t, the other to port_t.

> I had to modify http_port_t to allow Apache to work on 81 port, though...

-- 
Stephen Smalley
National Security Agency
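The port-to-type resolution the two messages reason about (777 landing on reserved_port_t, 7777 on generic port_t, 21 on ftp_port_t), as an added shell example that is not from the thread: the `semanage port -l` listing is constructed for the example, and `port_type` and `ftpd_can_bind` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: resolve the SELinux port type for a proto/port pair from a
# listing in the format of `semanage port -l`. SAMPLE_LISTING is constructed;
# on a real box pass the live output:  port_type tcp 777 "$(semanage port -l)"
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 990
http_port_t                    tcp      80, 81, 443, 8008, 8080, 8443
reserved_port_t                tcp      1-1023
reserved_port_t                udp      1-1023'

# port_type PROTO PORT [LISTING]
# Prints the first matching type (single ports or low-high ranges). Specific
# entries must precede the 1-1023 catchall, as in the sample, for first-match
# to mirror portcon ordering. A port listed nowhere falls back to port_t.
port_type() {
    printf '%s\n' "${3:-$SAMPLE_LISTING}" | awk -v proto="$1" -v port="$2" '
        NR == 1 || NF < 3 || $2 != proto { next }   # header, blank, other proto
        {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)            # strip trailing comma
                if (index(p, "-")) {                # low-high range
                    split(p, r, "-")
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { found = 1 }
                } else if (p+0 == port+0) { found = 1 }
                if (found) { print $1; exit }
            }
        }
        END { if (!found) print "port_t" }'
}

# ftpd_can_bind PROTO PORT [LISTING]: succeeds when the type is one the
# reply says ftpd may bind to (generic port_t, ftp_port_t, ftp_data_port_t).
ftpd_can_bind() {
    case "$(port_type "$1" "$2" "$3")" in
        port_t|ftp_port_t|ftp_data_port_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the three ports discussed in the thread against the sample policy.
for port in 21 777 7777; do
    if ftpd_can_bind tcp "$port"; then verdict=allowed; else verdict=blocked; fi
    printf 'tcp/%s -> %s (%s without a semanage port -a)\n' \
        "$port" "$(port_type tcp "$port")" "$verdict"
done
```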