
Chapter 15. File Transfer Protocol

15.1. FTP and SELinux
15.2. Types
15.3. Booleans
15.4. Configuration Examples
15.4.1. Uploading to an FTP site
File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.
The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. Its ability to handle large numbers of connections efficiently and securely is why vsftpd is the only stand-alone FTP server distributed with Fedora.
In Fedora, the vsftpd package provides the Very Secure FTP daemon. Run the following command to see if vsftpd is installed:
~]$ rpm -q vsftpd
package vsftpd is not installed
If you want an FTP server and the vsftpd package is not installed, use the DNF utility as the root user to install it:
~]# dnf install vsftpd

15.1. FTP and SELinux

The vsftpd FTP daemon runs confined by default. SELinux policy defines how vsftpd interacts with files, processes, and with the system in general. For example, when an authenticated user logs in via FTP, they cannot read from or write to files in their home directories: SELinux prevents vsftpd from accessing user home directories by default. Also, by default, vsftpd does not have access to NFS or CIFS volumes, and anonymous users do not have write access, even if such write access is configured in the /etc/vsftpd/vsftpd.conf file. Booleans can be enabled to allow the previously mentioned access.
The following example demonstrates an authenticated user logging in, and an SELinux denial when trying to view files in their home directory. This example assumes that the vsftpd package is installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
  1. In Fedora, vsftpd only allows anonymous users to log in by default. To allow authenticated users to log in, edit /etc/vsftpd/vsftpd.conf as root. Make sure the local_enable=YES option is uncommented:
    # Uncomment this to allow local users to log in.
    local_enable=YES
    
  2. Start the vsftpd service:
    ~]# systemctl start vsftpd.service
    Confirm that the service is running. The output should include the information below (only the time stamp will differ):
    ~]# systemctl status vsftpd.service
    vsftpd.service - Vsftpd ftp daemon
       Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
       Active: active (running) since Tue 2013-08-06 14:42:07 CEST; 6s ago
    
    If the service was running before editing vsftpd.conf, restart the service to apply the configuration changes:
    ~]# systemctl restart vsftpd.service
  3. Run the following command as the user you are currently logged in with. When prompted for your name, make sure your user name is displayed. If the correct user name is displayed, press Enter; otherwise, enter the correct user name:
    ~]$ ftp localhost
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.1.0)
    Name (localhost:username):
    331 Please specify the password.
    Password: Enter your password
    500 OOPS: cannot change directory:/home/username
    Login failed.
    ftp>
    
  4. An SELinux denial message similar to the following is logged:
    setroubleshoot: SELinux is preventing the ftp daemon from reading users home directories (username). For complete SELinux messages. run sealert -l c366e889-2553-4c16-b73f-92f36a1730ce
    
  5. Access to home directories has been denied by SELinux. This can be fixed by activating the ftp_home_dir Boolean. Enable this Boolean by running the following command as root:
    ~]# setsebool -P ftp_home_dir=1
    Note
    Do not use the -P option if you do not want changes to persist across reboots.
    Try to log in again. Now that SELinux is allowing access to home directories using the ftp_home_dir Boolean, logging in will succeed.
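As an added example (not part of this guide or of vsftpd), the following POSIX shell script encodes the checks behind the procedure above: whether local_enable is uncommented in a vsftpd.conf body, the current ftp_home_dir value as printed by getsebool, and the sealert ID carried by a setroubleshoot message. The configuration snippet, log line and getsebool output it works on are constructed samples embedded in the script, so it touches nothing on the live system.

```shell
#!/bin/sh
# Added example: decide which step of the procedure still applies. All inputs
# below are constructed samples; nothing is read from or written to the host.

# Constructed vsftpd.conf body in which local_enable is still commented out.
SAMPLE_CONF='# Uncomment this to allow local users to log in.
#local_enable=YES
anonymous_enable=YES'

# Constructed setroubleshoot line of the kind shown in step 4.
SAMPLE_LOG='setroubleshoot: SELinux is preventing the ftp daemon from reading users home directories (username). For complete SELinux messages. run sealert -l c366e889-2553-4c16-b73f-92f36a1730ce'

# Read a vsftpd.conf body on stdin; print "yes" if local_enable is set to a
# true value on an uncommented line, else "no". vsftpd accepts YES/true/1
# case-insensitively; a line starting with '#' is a comment.
local_enable_state() {
    if grep -Eiq '^[[:space:]]*local_enable[[:space:]]*=[[:space:]]*(YES|TRUE|1)[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# Read "getsebool ftp_home_dir" output ("ftp_home_dir --> off") on stdin and
# print just the value.
getsebool_value() {
    awk '$2 == "-->" { print $3 }'
}

# Read setroubleshoot lines on stdin; print the ID to pass to "sealert -l",
# or nothing if no line carries one.
sealert_id() {
    sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p'
}

# Given a conf body, a log line and the ftp_home_dir value ("on"/"off"), print
# the next action from the procedure: enable_local_enable, enable_ftp_home_dir or ok.
next_action() {
    conf="$1"; log="$2"; bool="$3"
    if [ "$(printf '%s\n' "$conf" | local_enable_state)" = no ]; then
        echo enable_local_enable; return 0
    fi
    if [ "$bool" = off ] && printf '%s\n' "$log" | grep -q 'ftp daemon from reading users home directories'; then
        echo enable_ftp_home_dir; return 0
    fi
    echo ok
}

next_action "$SAMPLE_CONF" "$SAMPLE_LOG" "$(printf 'ftp_home_dir --> off\n' | getsebool_value)"
```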