Data created thru VSFTPD not inheriting SELinux contexts.

jpbarrios
Posts: 1
Joined: 2016/04/02 16:29:24

Post by jpbarrios » 2016/04/02 16:33:46

Hello all!

Our company has a webserver with CentOS 7 and our customers manage their websites through FTP (vsftpd). SELinux is in enforcing mode.

The issue is that data created/uploaded through VSFTPD is not inheriting the appropriate SELinux context. Let me explain.

For example, for WordPress sites the server has, out of the box, already a couple of rules that can be seen using semanage fcontext -l |grep '/var/www', which are:

/var/www/html(/.*)?/uploads(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0

So, when I copy a WordPress site let's say from another server into a directory in /var/www/html/ by SSH, the folders wp-content/ and wp-content/uploads/ have the proper httpd_sys_rw_content_t security context. HOWEVER, when those folders are created through FTP, the context they get is httpd_sys_content_t (no rw). This means that the sites our customers upload to the server can't write into those directories even if they give write permissions to the apache user/group, so the WordPress admin doesn't work properly. So, when they upload a site they have to request support from us to fix this, which is a waste of time for all involved.

Let's say the customer uploaded their site into httpdocs, if through SSH I do mv httpdocs/ httpdocs.2/ && cp -pr httpdocs.2/ httpdocs/ && rm httpdocs.2/ -fr the issue is solved, so there's nothing wrong with the data.

I can also do restorecon -Rv httpdocs/ to have the issue fixed.

So, the question is: How can I have the directories created/uploaded through VSFTPD inherit the proper SELinux contexts just like they are inherited when the directories are created/uploaded through SSH?

Any help would be much appreciated.

Thanks!

aks
Posts: 2908
Joined: 2014/09/20 11:22:14

Re: Data created thru VSFTPD not inheriting SELinux contexts

Post by aks » 2016/04/03 18:14:13

You seem to be talking about a transition policy problem.
Have a look at http://serverfault.com/questions/767672 ... xts/767768 to see if it helps.
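
The labeling mismatch described in the first post, as an added example that is not part of the original thread: it applies the two fcontext rules quoted there to a list of paths and reports every entry whose actual type differs from the one the rules assign. The `/var/www(/.*)?` rule is assumed from the stock targeted policy, the precedence logic is a simplification of the real file-context ordering, and the sample listing is constructed.

```python
import re

# File-context rules: the two quoted in the first post, plus the stock
# /var/www rule (an assumption from the default targeted policy, not shown in the thread).
RULES = [
    ("/var/www(/.*)?", "httpd_sys_content_t"),
    ("/var/www/html(/.*)?/uploads(/.*)?", "httpd_sys_rw_content_t"),
    ("/var/www/html(/.*)?/wp-content(/.*)?", "httpd_sys_rw_content_t"),
]
META = re.compile(r"[.^$?*+|\[\](){}\\]")

def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    m = META.search(pattern)
    return m.start() if m else len(pattern)

def expected_type(path, rules=RULES):
    """Type the rules assign to path, or None if no rule matches.
    Simplified precedence: longest literal stem wins, then longest pattern."""
    hits = [(stem_len(p), len(p), t) for p, t in rules if re.fullmatch(p, path)]
    return max(hits)[2] if hits else None

def audit(listing, rules=RULES):
    """Return (path, actual_type, expected_type) for each mislabeled entry.
    listing: 'context path' lines, e.g. from `stat -c '%C %n'`."""
    findings = []
    for line in listing:
        context, path = line.strip().split(None, 1)
        actual = context.split(":")[2]          # user:role:type:level
        want = expected_type(path.rstrip("/"), rules)
        if want and want != actual:
            findings.append((path, actual, want))
    return findings

# Constructed sample: site1 looks like an FTP upload (wp-content kept the
# read-only type), site2 looks like a tree that already has the rw type.
SAMPLE = [
    "system_u:object_r:httpd_sys_content_t:s0 /var/www/html/site1/httpdocs",
    "system_u:object_r:httpd_sys_content_t:s0 /var/www/html/site1/httpdocs/wp-content",
    "system_u:object_r:httpd_sys_content_t:s0 /var/www/html/site1/httpdocs/wp-content/uploads",
    "unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/site2/wp-content",
]

if __name__ == "__main__":
    for path, actual, want in audit(SAMPLE):
        print(f"{path}: has {actual}, rules assign {want}")
```

The paths it reports are the ones `restorecon -Rv` would relabel; on a live system the real policy ordering, not this simplified one, decides the outcome.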
