[CentOS] selinux allow FTP

Tue Mar 3 21:30:18 UTC 2015
Brian Mathis <brian.mathis+centos at betteradmin.com>

On Tue, Mar 3, 2015 at 2:33 PM, Les Mikesell <lesmikesell at gmail.com> wrote:

> On Mon, Mar 2, 2015 at 4:43 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
> >>
> >> errr, I meant,   sftp, not rscp
> >
> >
> > Heh.. yeah. But the client isn't gonna go for that. LOL. Any way to allow
> > regular ol' FTP using SELinux? Or does that just defeat the purpose of
> > having a secure SELinux server entirely?
>
> What is the context here?   The big problem with ftp is that it passes
> the user credentials in the clear. There is nothing particularly wrong
> with an anonymous ftp download area where the files are put in place
> with something more secure - but it is usually easier to use http for
> that and you'll have less trouble with firewalls.
>
> --
>    Les Mikesell
>       lesmikesell at gmail.com
>


Enough about FTP vs SFTP.  This is exactly the kind of unhelpful discussion
that I was referring to last month about the conversations on this list.
CentOS is an *enterprise* distribution and as such it would be expected
that people are either bound by corporate restrictions, or have some other
requirements that you're not aware of.  A single helpful comment reminding
someone that they should be using SFTP instead of FTP is the only
appropriate thing to be saying here, not this dead-horse-beating.

So to actually address the stated problem... I don't know about proftpd,
but there's a page here that discusses getting it working with selinux:
    http://selinuxproject.org/page/FTPRecipes
and I'm sure that clicking this link will lead you to other helpful
documents:
    https://www.google.com/search?q=proftpd+selinux+centos+7

It does require that you have an understanding of selinux, and are not just
looking for a magic incantation to make it work.  You can look at the audit
log in /var/log/audit to get an idea of what is failing, and also the
'audit2why' and 'audit2allow' commands can help to suggest what selinux
settings need to be changed or are getting in the way.


P.S. FTP is not secure, so you should try to use SFTP if you are able to
influence the requirements.

❧ Brian Mathis
@orev
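
An added example, not part of the original message: a shell function that triages the audit log mentioned above by counting SELinux AVC denials for one daemon per permission, object class and target type, which shows what is failing before the records go to audit2why or audit2allow. The function names and the audit records are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. The audit records below are constructed, not from a real host.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1425418218.101:411): avc:  denied  { read } for  pid=2211 comm="proftpd" name="alice" dev="dm-0" ino=1311 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1425418219.202:412): avc:  denied  { read } for  pid=2214 comm="proftpd" name="bob" dev="dm-0" ino=1312 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1425418220.303:413): avc:  denied  { write } for  pid=2214 comm="proftpd" name="report.csv" dev="dm-0" ino=1400 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1425418221.404:414): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=USER_AUTH msg=audit(1425418222.505:415): pid=2300 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/proftpd" res=success'
EOF
}

# summarize_avc COMM
# Reads audit records on stdin and prints one line per distinct denial for
# the process named COMM: "count permission(s) object-class target-type".
summarize_avc() {
    awk -v want="$1" '
    $1 == "type=AVC" && / denied / {
        comm = ""; tclass = ""; ttype = ""; perm = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            # Permissions sit between "{" and "}"; there can be several.
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perm = perm (perm == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            # tcontext is user:role:type:level; the type is what policy keys on.
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        if (comm == want) n[perm " " tclass " " ttype]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed records; on a real host, feed it the audit log
# from /var/log/audit instead.
sample_audit_log | summarize_avc proftpd
```

A repeated denial against one target type usually points at a file label or a boolean rather than a need for a new policy module, which is worth checking before accepting anything audit2allow generates.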