
boolean won't let me put files via vsftpd

Posted: 2020/12/12 02:33:56
by The.Ex-pat
I used this tutorial from Tecmint
https://www.tecmint.com/install-ftp-server-in-centos-7/

I used the provided commands for boolean and it didn't work, I'm getting

425 failed to establish connection
with selinux turned on.

I did a web search and found this command:

semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"

I adjusted it for my settings and I'm still not having luck.

I know for sure it's selinux because if I set

setenforce 0
the file transfer works.

Can someone point me in the correct direction please?

Re: boolean won't let me put files via vsftpd

Posted: 2020/12/12 03:02:18
by TrevorH
Run aureport -a after running in permissive mode and attempting the access. Look at the lines timestamped around the time you ftp'ed in. Take the number off the right hand end of the aureport -a lines in question and feed that into ausearch -a nnnn (changing nnnn to match). Those tell you what was denied and why. Hopefully when you ran the semanage command, /myftp/pub matched your ftp root directory and if not then that's why it didn't work.

There are probably rules already in place to allow ftp access to the default /var/ftp/pub directory and it might just be easier to use that.

Re: boolean won't let me put files via vsftpd

Posted: 2020/12/12 03:21:32
by The.Ex-pat
TrevorH wrote:
2020/12/12 03:02:18
Run aureport -a after running in permissive mode and attempting the access. Look at the lines timestamped around the time you ftp'ed in. Take the number off the right hand end of the aureport -a lines in question and feed that into ausearch -a nnnn (changing nnnn to match). Those tell you what was denied and why. Hopefully when you ran the semanage command, /myftp/pub matched your ftp root directory and if not then that's why it didn't work.

There are probably rules already in place to allow ftp access to the default /var/ftp/pub directory and it might just be easier to use that.
When I ran the semanage command I ran it for the user

~/home/username

Re: boolean won't let me put files via vsftpd

Posted: 2020/12/12 03:23:20
by The.Ex-pat
The.Ex-pat wrote:
2020/12/12 03:21:32
TrevorH wrote:
2020/12/12 03:02:18
Run aureport -a after running in permissive mode and attempting the access. Look at the lines timestamped around the time you ftp'ed in. Take the number off the right hand end of the aureport -a lines in question and feed that into ausearch -a nnnn (changing nnnn to match). Those tell you what was denied and why. Hopefully when you ran the semanage command, /myftp/pub matched your ftp root directory and if not then that's why it didn't work.

There are probably rules already in place to allow ftp access to the default /var/ftp/pub directory and it might just be easier to use that.
When I ran the semanage command I ran it for the user

~/home/username
When I run the put command with selinux off, the file ends up in the correct location.
I'll try to sort it out with the other command you gave me.

Re: boolean won't let me put files via vsftpd

Posted: 2020/12/12 03:33:28
by The.Ex-pat
I ran

ausearch -a 248

time->Fri Dec 11 17:07:01 2020
type=PROCTITLE msg=audit(1607724421.783:248): proctitle=2F7573722F7362696E2F69707461626C65732D726573746F7265002D77002D6E
type=SYSCALL msg=audit(1607724421.783:248): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe96380 a2=b770f000 a3=b0 items=0 ppid=844 pid=29443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1607724421.783:248): table=raw family=2 entries=27
----
time->Fri Dec 11 17:32:02 2020
type=PROCTITLE msg=audit(1607725922.392:248): proctitle=2F7573722F7362696E2F6970367461626C65732D726573746F7265002D77002D6E
type=SYSCALL msg=audit(1607725922.392:248): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf928780 a2=b7703000 a3=e4 items=0 ppid=814 pid=16988 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1607725922.392:248): table=security family=10 entries=13
----
time->Fri Dec 11 18:33:10 2020
type=PROCTITLE msg=audit(1607729590.716:248): proctitle=2F7573722F7362696E2F6970367461626C65732D726573746F7265002D77002D6E
type=SYSCALL msg=audit(1607729590.716:248): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb79a40 a2=b76d1000 a3=e4 items=0 ppid=813 pid=1628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1607729590.716:248): table=filter family=10 entries=85
----
time->Fri Dec 11 21:25:55 2020
type=PROCTITLE msg=audit(1607739955.948:248): proctitle=2F7573722F7362696E2F767366747064002F6574632F7673667470642F7673667470642E636F6E66
type=SYSCALL msg=audit(1607739955.948:248): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff136f0 a2=508a70 a3=1c items=0 ppid=1187 pid=1681 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1607739955.948:248): avc:  denied  { name_connect } for  pid=1681 comm="vsftpd" dest=63769 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Re: boolean won't let me put files via vsftpd

Posted: 2020/12/12 03:47:35
by The.Ex-pat
I just tried again to make sure the command is pulling the correct info.

time->Fri Dec 11 22:45:12 2020
type=PROCTITLE msg=audit(1607744712.846:319): proctitle=2F7573722F7362696E2F767366747064002F6574632F7673667470642F7673667470642E636F6E66
type=SYSCALL msg=audit(1607744712.846:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff136f0 a2=508a70 a3=1c items=0 ppid=1187 pid=1810 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1607744712.846:319): avc:  denied  { name_connect } for  pid=1810 comm="vsftpd" dest=64273 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
This is it, I can't make heads or tails of it.

Re: boolean won't let me put files via vsftpd

Posted: 2020/12/12 08:19:44
by aks
First guess would be setsebool ftpd_connect_all_unreserved 1 (then if that works pass the -P to make it permanent). A bit like using a jack hammer to remove a nail....
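
An added example, not part of the thread and not from any poster: a small Python parser for ausearch output like the records posted above. It keeps only events that contain a denied AVC record (`ausearch -a 248` matched four events sharing serial 248, only one of them a denial) and decodes the hex `proctitle`. The sample text is trimmed from the thread's output; the function names are assumptions of this example.

```python
import re
# Constructed sample: records trimmed from the ausearch output posted in this thread.
SAMPLE = """\
time->Fri Dec 11 17:07:01 2020
type=PROCTITLE msg=audit(1607724421.783:248): proctitle=2F7573722F7362696E2F69707461626C65732D726573746F7265002D77002D6E
type=NETFILTER_CFG msg=audit(1607724421.783:248): table=raw family=2 entries=27
----
time->Fri Dec 11 21:25:55 2020
type=PROCTITLE msg=audit(1607739955.948:248): proctitle=2F7573722F7362696E2F767366747064002F6574632F7673667470642F7673667470642E636F6E66
type=AVC msg=audit(1607739955.948:248): avc:  denied  { name_connect } for  pid=1681 comm="vsftpd" dest=63769 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")

def decode_proctitle(hex_str):
    """proctitle is the process argv, hex-encoded with NUL separators."""
    return bytes.fromhex(hex_str).replace(b"\x00", b" ").decode("utf-8", "replace")

def denials(text):
    """Group records by (timestamp, serial) and summarise each denied AVC event."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skips the 'time->' and '----' separator lines
        rtype, stamp, serial, body = m.groups()
        events.setdefault((stamp, serial), {})[rtype] = body
    out = []
    for (stamp, serial), recs in events.items():
        avc = AVC_RE.search(recs.get("AVC", ""))
        if not avc:
            continue  # same serial number, but not an SELinux denial
        fields = dict(kv.split("=", 1) for kv in recs["AVC"].split() if "=" in kv)
        title = recs.get("PROCTITLE", "proctitle=").split("=", 1)[1]
        out.append({
            "event": f"{stamp}:{serial}",
            "command": decode_proctitle(title),
            "perms": avc.group(1).split(),
            # a context is user:role:type:level; the type is what policy rules match on
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "class": fields["tclass"],
            "dest_port": int(fields["dest"]) if "dest" in fields else None,
            "enforced": fields["permissive"] == "0",
        })
    return out

if __name__ == "__main__":
    print(denials(SAMPLE))
```

Read this way, the record says that vsftpd, running as `ftpd_t`, was refused `name_connect` on a `tcp_socket` to port 63769, which is labeled `unreserved_port_t`. That outbound connection to an unreserved port is the access the `ftpd_connect_all_unreserved` boolean suggested above permits.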

Re: boolean won't let me put files via vsftpd

Posted: 2020/12/12 21:07:35
by The.Ex-pat
aks wrote:
2020/12/12 08:19:44
First guess would be setsebool ftpd_connect_all_unreserved 1 (then if that works pass the -P to make it permanent). A bit like using a jack hammer to remove a nail....
This solution worked for me. I followed up by passing -P and rebooting. I'm having proper function.

Thank you everyone.