boolean wont let me put files via vsftpd

Support for security such as Firewalls and securing linux
The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

boolean wont let me put files via vsftpd

Post by The.Ex-pat » 2020/12/12 02:33:56

I used this tutorial from Tecmint
https://www.tecmint.com/install-ftp-server-in-centos-7/

I used the provided commands for boolean and it didn't work, I'm getting

Code: Select all

425 failed to establish connection
with selinux turned on.

I did a web search and found this command:

Code: Select all

semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"

I adjusted it for my settings and I'm still not having luck.

I know for sure it's selinux because if I set

Code: Select all

setenforce 0
the file transfer works.

Can someone point me in the correct direction please.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: boolean wont let me put files via vsftpd

Post by TrevorH » 2020/12/12 03:02:18

Run aureport -a after running in permissive mode and attempting the access. Look at the lines timestamped around the time you ftp'ed in. Take the number off the right hand end of the aureport -a lines in question and feed that into ausearch -a nnnn (changing nnnn to match). Those tell you what was denied and why. Hopefully when you ran the semanage command, /myftp/pub matched your ftp root directory and if not then that's why it didn't work.

There are probably rules already in place to allow ftp access to the default /var/ftp/pub directory and it might just be easier to use that.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

Re: boolean wont let me put files via vsftpd

Post by The.Ex-pat » 2020/12/12 03:21:32

TrevorH wrote:
2020/12/12 03:02:18
Run aureport -a after running in permissive mode and attempting the access. Look at the lines timestamped around the time you ftp'ed in. Take the number off the right hand end of the aureport -a lines in question and feed that into ausearch -a nnnn (changing nnnn to match). Those tell you what was denied and why. Hopefully when you ran the semanage command, /myftp/pub matched your ftp root directory and if not then that's why it didn't work.

There are probably rules already in place to allow ftp access to the default /var/ftp/pub directory and it might just be easier to use that.
When I ran the semanage command I ran it for the user

Code: Select all

~/home/username

The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

Re: boolean wont let me put files via vsftpd

Post by The.Ex-pat » 2020/12/12 03:23:20

The.Ex-pat wrote:
2020/12/12 03:21:32
TrevorH wrote:
2020/12/12 03:02:18
Run aureport -a after running in permissive mode and attempting the access. Look at the lines timestamped around the time you ftp'ed in. Take the number off the right hand end of the aureport -a lines in question and feed that into ausearch -a nnnn (changing nnnn to match). Those tell you what was denied and why. Hopefully when you ran the semanage command, /myftp/pub matched your ftp root directory and if not then that's why it didn't work.

There are probably rules already in place to allow ftp access to the default /var/ftp/pub directory and it might just be easier to use that.
When I ran the semanage command I ran it for the user

Code: Select all

~/home/username
When I run the put command with selinux off, the file ends up in the correct location.
I'll try to sort it out with the other command you gave me.

The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

Re: boolean wont let me put files via vsftpd

Post by The.Ex-pat » 2020/12/12 03:33:28

I ran

Code: Select all

ausearch -a 248

Code: Select all

time->Fri Dec 11 17:07:01 2020
type=PROCTITLE msg=audit(1607724421.783:248): proctitle=2F7573722F7362696E2F69707461626C65732D726573746F7265002D77002D6E
type=SYSCALL msg=audit(1607724421.783:248): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe96380 a2=b770f000 a3=b0 items=0 ppid=844 pid=29443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1607724421.783:248): table=raw family=2 entries=27
----
time->Fri Dec 11 17:32:02 2020
type=PROCTITLE msg=audit(1607725922.392:248): proctitle=2F7573722F7362696E2F6970367461626C65732D726573746F7265002D77002D6E
type=SYSCALL msg=audit(1607725922.392:248): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf928780 a2=b7703000 a3=e4 items=0 ppid=814 pid=16988 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1607725922.392:248): table=security family=10 entries=13
----
time->Fri Dec 11 18:33:10 2020
type=PROCTITLE msg=audit(1607729590.716:248): proctitle=2F7573722F7362696E2F6970367461626C65732D726573746F7265002D77002D6E
type=SYSCALL msg=audit(1607729590.716:248): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb79a40 a2=b76d1000 a3=e4 items=0 ppid=813 pid=1628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1607729590.716:248): table=filter family=10 entries=85
----
time->Fri Dec 11 21:25:55 2020
type=PROCTITLE msg=audit(1607739955.948:248): proctitle=2F7573722F7362696E2F767366747064002F6574632F7673667470642F7673667470642E636F6E66
type=SYSCALL msg=audit(1607739955.948:248): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff136f0 a2=508a70 a3=1c items=0 ppid=1187 pid=1681 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1607739955.948:248): avc:  denied  { name_connect } for  pid=1681 comm="vsftpd" dest=63769 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

Re: boolean wont let me put files via vsftpd

Post by The.Ex-pat » 2020/12/12 03:47:35

I just tried again to make sure the command is pulling the correct info.

Code: Select all

time->Fri Dec 11 22:45:12 2020
type=PROCTITLE msg=audit(1607744712.846:319): proctitle=2F7573722F7362696E2F767366747064002F6574632F7673667470642F7673667470642E636F6E66
type=SYSCALL msg=audit(1607744712.846:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff136f0 a2=508a70 a3=1c items=0 ppid=1187 pid=1810 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1607744712.846:319): avc:  denied  { name_connect } for  pid=1810 comm="vsftpd" dest=64273 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
This is it, I can't make heads or tails of it.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: boolean wont let me put files via vsftpd

Post by aks » 2020/12/12 08:19:44

First guess would be setsebool ftpd_connect_all_unreserved 1 (then if that works pass the -P to make it permanent). A bit like using a jack hammer to remove a nail....
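Added example, not part of the original posts: a small Python parser that reads the 22:45:12 audit event posted above and pulls out the fields that matter for triage (decoded command line, errno, source and target SELinux types, object class, permission). The names `parse_event`, `triage`, `FILE_CLASSES` and `THREAD_BOOLEAN` are hypothetical; the only boolean it knows is the one suggested in this thread, and the SYSCALL line is trimmed to the fields used.

```python
import errno
import re

# The 22:45:12 event from this thread; SYSCALL line trimmed to the fields used here.
SAMPLE = (
    'type=PROCTITLE msg=audit(1607744712.846:319): proctitle=2F7573722F7362696E2F767366747064002F6574632F7673667470642F7673667470642E636F6E66\n'
    'type=SYSCALL msg=audit(1607744712.846:319): arch=40000003 syscall=102 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"\n'
    'type=AVC msg=audit(1607744712.846:319): avc:  denied  { name_connect } for  pid=1810 comm="vsftpd" dest=64273 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0\n'
)

FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}
# Boolean suggested in this thread for this exact denial (not a general lookup table).
THREAD_BOOLEAN = {
    ("ftpd_t", "unreserved_port_t", "tcp_socket", "name_connect"): "ftpd_connect_all_unreserved",
}

def decode_proctitle(value):
    """proctitle holds argv: quoted when plain text, otherwise hex with NUL separators."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")

def parse_event(text):
    """Collect the triage-relevant fields from the records of one audit event."""
    ev = {}
    for line in text.splitlines():
        kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        if line.startswith("type=PROCTITLE"):
            ev["argv"] = decode_proctitle(kv["proctitle"])
        elif line.startswith("type=SYSCALL") and int(kv.get("exit", 0)) < 0:
            ev["errno"] = errno.errorcode.get(-int(kv["exit"]))
        elif line.startswith("type=AVC"):
            m = re.search(r"denied\s+\{([^}]*)\}", line)
            if not m:
                continue
            ev["perms"] = m.group(1).split()
            ev["source_type"] = kv["scontext"].split(":")[2]  # third field of user:role:type:level
            ev["target_type"] = kv["tcontext"].split(":")[2]
            ev["tclass"] = kv["tclass"]
            ev["dest_port"] = int(kv["dest"]) if "dest" in kv else None
            ev["enforced"] = kv.get("permissive") == "0"
    return ev

def triage(ev):
    """Report whether file relabelling is relevant and which thread boolean matches."""
    keys = [(ev["source_type"], ev["target_type"], ev["tclass"], p) for p in ev["perms"]]
    hit = next((THREAD_BOOLEAN[k] for k in keys if k in THREAD_BOOLEAN), None)
    return {"relabel_files_relevant": ev["tclass"] in FILE_CLASSES, "boolean": hit}
```

For the posted event the object class is `tcp_socket`, not a file class, so the denial concerns an outbound connection from `ftpd_t` to an unreserved port, which a `semanage fcontext` file label does not govern.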

The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

Re: boolean wont let me put files via vsftpd

Post by The.Ex-pat » 2020/12/12 21:07:35

aks wrote:
2020/12/12 08:19:44
First guess would be setsebool ftpd_connect_all_unreserved 1 (then if that works pass the -P to make it permanent). A bit like using a jack hammer to remove a nail....
This solution worked for me. I followed up by passing -P and rebooting. I'm having proper function.

Thank you everyone.
