As an example of configuring a daemon for which no policy is prepared, let's configure vsftpd using the simplified policy. In this example, we configure anonymous ftp access.
By default, the domain of vsftpd is initrc_t. initrc_t is the domain for scripts under /etc/rc.d. vsftpd is executed by /etc/rc.d/init.d/vsftpd (whose domain is initrc_t) and inherits that domain.
However, this is not secure, because initrc_t has a lot of access rights (see /etc/selinux/seedit/src/policy/simplified_policy/initrc_t.a).
In the following, the current directory is /etc/selinux/seedit/src/policy and SELinux is in permissive mode:
login: root
....
# newrole -r sysadm_r
# id -Z
root:sysadm_r:sysadm_t
# cd /etc/selinux/seedit/src/policy
# setenforce 0
For details of the syntax, see Section 8.
Let's give vsftpd the vsftpd_t domain.
- Create the configuration file
Create simplified_policy/vsftpd_t.a.
- Configure the domain transition
In simplified_policy/vsftpd_t.a, write the following.
# simplified_policy/vsftpd_t.a
{
domain vsftpd_t;
domain_trans initrc_t /usr/sbin/vsftpd;
}
In line 2, you define the domain vsftpd_t. In line 3, you configure the domain transition: the parent domain is initrc_t and the entry point is /usr/sbin/vsftpd.
Whenever you edit the configuration, you must run make so that the kernel is told about the changed configuration (see 5.3). In this case, type as below.
# make diffrelabel
Usually make diffrelabel is enough.
Restart vsftpd and check the domain of vsftpd.
# /etc/init.d/vsftpd restart
# ps -eZ
...
root:system_r:vsftpd_t 13621 pts/1 00:00:00 vsftpd
...
You can see that the domain of vsftpd is vsftpd_t: the domain transition succeeded.
Protect files related to vsftpd
If you want to protect the files related to a domain, the best way is to deny them in global. In this case, let's protect /etc/vsftpd and /var/ftp. Add the following to simplified_policy/global. Note that you have to add it between { and }.
# In simplified_policy/global
deny /etc/vsftpd;
deny /var/ftp;
Then run:
# make diffrelabel
As a result, if some domain wants to access /etc/vsftpd or /var/ftp, it must be allowed explicitly. For example, if httpd_t wants to read /etc/vsftpd, allow /etc/vsftpd r; must be written in httpd_t; if only allow /etc r; is written, access to /etc/vsftpd is not allowed. deny is useful for marking important files.
The default access rights for vsftpd_t are inherited from simplified_policy/global. They are not enough; you have to add configuration. The best way to find out what is necessary is to test vsftpd in permissive mode and read the SELinux log, then use the audit2spdl -a -l command (details are skipped in this document).
Below is a policy for vsftpd_t.
# simplified_policy/vsftpd_t.a
1 {
2 domain vsftpd_t;
3 domain_trans initrc_t /usr/sbin/vsftpd;
4 # access to files related to vsftpd
5 allow /etc/vsftpd r,s;
6 allow /var/ftp r,s;
7 allowonly /var/log r,w,s;
8 # allow to communicate with syslog
9 allow dev_log_t r,w,s;
10 allowcom -unix syslogd_t;
11 # allow to use tcp 20 and 21
12 allownet;
13 allownet -connect;
14 allownet -tcp -port 20;
15 allownet -tcp -port 21;
16 #
17 allowadm chroot;
18 }
After writing this, run:
# make diffrelabel
Let's review the file.
- Lines 5 to 7
These configure access to files related to vsftpd. Lines 5 and 6 give access rights to read the vsftpd configuration files and the ftp public directory.
Pay attention to line 7.
allowonly /var/log r,w,s;
Here we want to allow writing to /var/log/xferlog. If we could configure
allow /var/log/xferlog r,w,s;
that would be the best. However, /var/log/xferlog may be deleted by the administrator, and when it is re-created the SELinux label information is lost. So we cannot control access to /var/log/xferlog per file.
So we used allowonly /var/log r,w,s. With this, vsftpd_t can write all files in /var/log/ but cannot write files in child directories. This is better than allow /var/log r,w,s; (which allows write access to all files under /var/log, including child directories).
Similarly, for /tmp and /var/run you cannot control access per file: in those directories files are deleted and re-created, and the SELinux label information may be lost.
If you have enough knowledge of SELinux, you can use allow file exclusive label; this configures an SELinux file type transition, with which you can control access to files that are deleted and re-created. For details see 8.8.1.
- Lines 9, 10
These are for communicating with syslogd. If you want to communicate with syslogd, always include these two lines.
- Lines 12-15
These are for communicating via tcp ports 20 and 21.
initrc_t is the type for the start-up script (/etc/init.d/vsftpd). The script requires read access to /etc/vsftpd, but access to it is denied in global, so you have to allow it explicitly.
# add to simplified_policy/initrc_t.a
allow /etc/vsftpd r,s;
Then run:
# make diffrelabel
Test in permissive mode and check the access log.
If no denial is logged, test in enforcing mode.
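As an added example that is not part of this document or of the seedit project, the following Python script models the two file-access semantics explained above: a deny in global that a domain must override explicitly (so allow /etc r; in httpd_t does not reach /etc/vsftpd, while allow /etc/vsftpd r,s; in vsftpd_t does), and allowonly, which covers only entries directly inside the directory and not its child directories. The three policy texts are constructed samples, the parser only handles the allow, allowonly and deny statements, and the longest-matching-path resolution is an assumption drawn from the page's examples rather than the behaviour of seedit's own policy compiler.

```python
from dataclasses import dataclass

# Constructed sample policy bodies modelled on the page's files.
# They are not the seedit project's files.
GLOBAL_POLICY = """
{
deny /etc/vsftpd;
deny /var/ftp;
}
"""

VSFTPD_T_POLICY = """
# simplified_policy/vsftpd_t.a (constructed excerpt)
{
domain vsftpd_t;
domain_trans initrc_t /usr/sbin/vsftpd;
allow /etc/vsftpd r,s;
allow /var/ftp r,s;
allowonly /var/log r,w,s;
}
"""

HTTPD_T_POLICY = """
{
domain httpd_t;
allow /etc r;
}
"""


@dataclass(frozen=True)
class Rule:
    kind: str         # "allow", "allowonly" or "deny"
    path: str         # path the rule names, without a trailing slash
    perms: frozenset  # e.g. {"r", "w", "s"}; empty for deny (deny covers everything)


def parse_rules(text):
    """Extract allow / allowonly / deny statements from one policy file body.

    Other statements (domain, domain_trans, allownet, ...) are skipped because
    this model covers file access only. Comments start with '#'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}") or not line.endswith(";"):
            continue
        parts = line[:-1].split()
        path = None if len(parts) < 2 else (parts[1].rstrip("/") or "/")
        if parts[0] == "deny" and len(parts) == 2:
            rules.append(Rule("deny", path, frozenset()))
        elif parts[0] in ("allow", "allowonly") and len(parts) == 3:
            rules.append(Rule(parts[0], path, frozenset(parts[2].split(","))))
    return rules


def _matches(rule, path):
    """Does this rule's path cover `path`?

    allow and deny cover the path itself and everything below it.
    allowonly covers the path itself and entries directly inside it only."""
    if path == rule.path:
        return True
    prefix = rule.path.rstrip("/") + "/"
    if not path.startswith(prefix):
        return False
    if rule.kind == "allowonly":
        return "/" not in path[len(prefix):]
    return True


def can_access(global_rules, domain_rules, path, perm):
    """Decide whether a domain may perform `perm` on `path`.

    The domain inherits the global rules. ASSUMPTION (our reading of the page):
    a grant wins only if it is at least as specific as every matching deny,
    so 'allow /etc r;' cannot reach a path under 'deny /etc/vsftpd;' but
    'allow /etc/vsftpd r,s;' overrides that deny explicitly."""
    rules = global_rules + domain_rules
    grants = [r for r in rules
              if r.kind != "deny" and perm in r.perms and _matches(r, path)]
    if not grants:
        return False
    best_grant = max(len(r.path) for r in grants)
    best_deny = max((len(r.path) for r in rules
                     if r.kind == "deny" and _matches(r, path)), default=-1)
    return best_grant >= best_deny


if __name__ == "__main__":
    g = parse_rules(GLOBAL_POLICY)
    v = parse_rules(VSFTPD_T_POLICY)
    h = parse_rules(HTTPD_T_POLICY)
    for dom, rules, path, perm in [
        ("vsftpd_t", v, "/etc/vsftpd/vsftpd.conf", "r"),
        ("httpd_t", h, "/etc/vsftpd/vsftpd.conf", "r"),
        ("httpd_t", h, "/etc/passwd", "r"),
        ("vsftpd_t", v, "/var/log/xferlog", "w"),
        ("vsftpd_t", v, "/var/log/httpd/access_log", "w"),
    ]:
        print(f"{dom:9} {perm} {path}: {'allowed' if can_access(g, rules, path, perm) else 'denied'}")
```

The last two checks show why line 7 uses allowonly: the xferlog directly in /var/log is writable, but a log inside a child directory such as /var/log/httpd is not, which is exactly the narrower grant the text prefers over allow /var/log r,w,s.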
2006-02-27