1

I have installed vsftpd in redhat. Everything was file untill I fould that when I log into ftp server using:

ftp localhost

or fileZilla I get following errors:

ERROR:
- 500 OOPS: cannot change directory:/foo

Also, when I change the log directory from 

- /var/log/xferlog

to

- /usr/local/data

Then I get:

  500 OOPS: failed to open xferlog log file:/usr/local/data/vsftpd.log

From this link the SOLUTION seems to be:

This happens because SELinux isn’t properly configured for your ftp service. Either disable SELinux or configure it for ftp.

To disable SELinux, edit /etc/selinux/config and set “SELINUX=disabled”, then reboot.

How do I enable ftp without disableing SElinux?

Improve this question

3 Answers 3

Reset to default
1

SELinux won't let vsftpd serve files from places other than /var/ftp or write logs outside /var/log on purpose. SELinux is all about disaster mitigation. FTP is fundamentally insecure. Running vsftpd under SELinux is a good idea, because it minimizes the damage an attacker can do if he decides to attack your FTP service.

Running a fundamentally insecure service like vsftpd without locking it down with SELinux is foolish.

If you absolutely must reconfigure it like this, you need to rewrite the FTP related SELinux policies, but that's not a trivial job. The audit2allow tool can help.

If you decide that disabling SELinux is too risky and building a new SELinux policy is too difficult, I'd recommend using SFTP or scp instead. RHEL ships with sshd configured and running, so you don't have to do anything special to get this working.

Improve this answer
1

You can usually find selinux denials in /var/log/messages. Try this (as root):

grep avc /var/log/messages | grep ftp

Review the output and decide whether the denials are erroneous, given your desired configuration. Tune the grep statements as necessary to whiddle the information down to only the statements you want to fix. It's often useful to temporarily put the system in permissive mode (setenforce 0), then perform the operations you expect to need. /var/log/messages will amass a list of errors that need to be fixed in your SELinux policy. Once you're satisfied with the list of denials that need to be fixed, generate a new policy using the following:

# ensure you have audit2allow
which audit2allow

# if no audit2allow, install it:
yum install policycoreutils-python

# replace the following with your tuned grep (if necessary)
grep avc /var/log/message | grep ftp | audit2allow -M my_vsftp

In your current directory, there will be two new files: my_vsftp.te and my_vsftp.pp. the *.te file is readable, the *.pp is compiled. Review the *.te file to ensure it is appropriate.

Be careful here, as opening up too many SELinux rules can leave you vulnerable. It is highly recommended to read up on SELinux.

cat my_vsftp.te

If the policy looks appropriate, install and activate it:

mkdir /usr/share/selinux/packages/my_vsftp
mv my_vsftp.* /usr/share/selinux/packages/my_vsftp/
semodule -i /usr/share/selinux/packages/my_vsftp/my_vsftp.pp

Ensure the system is enforcing (getenforce, setenforce 1), and test your FTP server, monitoring /var/log/messages for denials.

Improve this answer
0

A slightly heavy-handed solution to allow vsftpd access anywhere, would be:

setsebool -P allow_ftpd_full_access=1

At that point, vsftpd can go pretty much anywhere on the system...

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.