-.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
+.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
.SH "NAME"
-ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
+.PP
+ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the ftpd server via flexible mandatory access
-control.
+.PP
+Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type.
-Policy governs the access daemons have to these files.
-If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
-.TP
-chcon -R -t public_content_t /var/ftp
-.TP
-If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
-.TP
-chcon -t public_content_rw_t /var/ftp/incoming
+.PP
+SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
.TP
-You must also turn on the boolean allow_ftpd_anon_write.
+Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
+.PP
+.B
+semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
.TP
-setsebool -P allow_ftpd_anon_write=1
+.B
+restorecon -R -v /var/ftp
.TP
-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
+Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
+.PP
+.B
+semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
.TP
-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
-/var/ftp(/.*)? system_u:object_r:public_content_t
-/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
+.B
+restorecon -R -v /var/ftp/incoming
.SH BOOLEANS
-SELinux ftp daemon policy is customizable based on least access required. So by
-default SElinux does not allow users to login and read their home directories.
-.br
-If you are setting up this machine as a ftpd server and wish to allow users to access their home
-directorories, you need to set the ftp_home_dir boolean.
+.PP
+SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
.TP
-setsebool -P ftp_home_dir 1
+Allow ftp servers to read and write files with the public_content_rw_t file type.
+.PP
+.B
+setsebool -P allow_ftpd_anon_write on
.TP
-ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
+Allow ftp servers to read or write files in the user home directories.
+.PP
+.B
+setsebool -P ftp_home_dir on
.TP
-setsebool -P ftpd_is_daemon 1
-.br
-service vsftpd restart
+Allow ftp servers to read or write all files on the system.
+.PP
+.B
+setsebool -P allow_ftpd_full_access on
+.TP
+Allow ftp servers to use cifs for public file transfer services.
+.PP
+.B
+setsebool -P allow_ftpd_use_cifs on
+.TP
+Allow ftp servers to use nfs for public file transfer services.
+.PP
+.B
+setsebool -P allow_ftpd_use_nfs on
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
+.PP
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
-selinux(8), ftpd(8), chcon(1), setsebool(8)
-
+.PP
+selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
.EX
httpd_sys_content_t
.EE
-- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
+- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon.
.EX
httpd_sys_script_exec_t
.EE
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
.EX
-httpd_sys_script_ro_t
+httpd_sys_content_rw_t
.EE
-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
+- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
.EX
-httpd_sys_script_rw_t
+httpd_sys_content_ra_t
.EE
-- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
-.EX
-httpd_sys_script_ra_t
-.EE
-- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
+- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
.EX
httpd_unconfined_script_exec_t
.EE
projects / people / stevee / selinux-policy.git / commitdiff
