fcontext

RHEL6 – How to Setup an Anonymous Download Only FTP Server

/ Christopher Paquin / Leave a comment

Sticker,375x360A while back I spit out a post on how to configure an anonymous ftp server that allowed uploads and downloads, which you can find here.

Its a very exciting read and will tell you everything that you need to know to get you up and running with an anonymous ftp server. However those instructions are specifically for a server that allows anonymous uploads as well as downloads. So today we are going to go over only the steps for anonymous download, which is actually much easier.

Basic Install & Configuration

So first lets install vsftp.

# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on

Then edit /etc/vsftp/vsftpd.conf and make sure that the following line is uncommented.

anonymous_enable=YES

You should also be aware of the following configuration directive. By setting local enable to no in /etc/vsftp/vsftpd.conf, you disallow local Unix users access to ftp, which ensures that your ftp server is truly anonymous only.

local_enable=no

Now restart vsftpd and you should be in business

Testing Anonymous Download

To test ftp you need an ftp client, which can be installed via yum as seen below.

yum -y install ftp

Then you should be able to ftp to localhost like as seen below and get a file. Note that an anonymous login does not a password

# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,170,125).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 30 15:37 pub
-rw-r–r–    1 0        0               0 Aug 30 15:39 test2
-rw-r–r–    1 0        0               0 Aug 30 15:38 testfile
226 Directory send OK.
ftp> get test2

The same test executed as root ( a local user) should fail as seen below.

# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): root
530 This FTP server is anonymous only.
Login failed.
ftp>

Unix File Permissions and SELinux

One of the things that can ruin your day when it comes to getting and ftp server up and running is SELinux. However when setting up an anonymous download ftp server using the default ftp root directory you don’t actually need to change anything.

By default your ftp root directory is going to be /var/ftp/, and its SELinux context and default perms are going to be as seen below.

drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp

Here the default context is public_content_t which by allows reads but not writes, and the default Unix perms allow reads and not writes.

Changing Default FTP Root Directory

If you wanted to change anonymous vsftp to use a different root directory (other than /var/ftp) you would need to add the following line to /etc/vsftpd/vsftpd.conf. In the example below I am setting my new ftp root to /shared/ftp

anon_root=/shared/ftp

You are also going to need to asign the correct SELinux file context (public_content_t) to your new directory.

# semanage fcontext -a -t public_content_t “/shared/ftp(/.*)?”

# restorecon -vvFR /shared/ftp

Configuration Differences Between Anon Upload and Download

So as I stated above its actually a bit easier to configure an anonymous download only ftp server, than it is to configure it to allow uploads as well.  This section for reference only, my post on configuring anonymous upload and download ftp server can be reference here.

First you will need to assign a different SELinux context. Its public_content_rw_t not public_content_t.

# semanage fcontext -a -t public_content_rw_t ‘/var/ftp(/.*)’

# restorecon -vvFR /var/ftp

You will also need to fiddle with SELinux booleans

# setsebool -P allow_ftpd_anon_write=1

And we are also going to want to change the Unix permissions on our ftp root directory. Here we are changing group ownership to ftp and setting the setgid bit.

# chgrp ftp /var/ftp/
# chmod 2760 /var/ftp

Good luck and try not to break anything.

SELinux – Invalid Regex in /etc/selinux/targeted/contexts/files/file_context

/ Christopher Paquin / Leave a comment

EnikSo I have been doing my best to better understand SELinux as of late, and last night when I was practicing I ran into an issue that had me banging my head against by desk.

Specifically I was playing around with the semanage command and working on defining a particular context to a directory that I had just created. However I was not exactly quite sure of the exact regex to use (or even if I needed to use a regex)

The specific command that I ran was…

#semanage fcontext -a -t httpd_sys_content_t /var/www2

Now my concern was that this was not the correct command for me to run since www2 was a directory and I wanted to make sure that appropriate SELinux contexts were applied recursively as new files/directories were created. So I ran the following command that I found in my RHEL book.

#semanage fcontext -a -t httpd_sys_content_t ‘/var/www2/html(*,/)’

which spits out this….

/etc/selinux/targeted/contexts/files/file_contexts.local:  line 13 has invalid regex /var/www2/html(*,/):  Invalid preceding regular expression

Oops, wait I entered the command wrong. Its a period and the end not a comma, so I run the command again with a period this time and get the following error.

# semanage fcontext -a -t httpd_sys_content_t ‘/var/www2/html(*./)’
/etc/selinux/targeted/contexts/files/file_contexts.local:  line 13 has invalid regex /var/www2/html(*,/):  Invalid preceding regular expression
/etc/selinux/targeted/contexts/files/file_contexts.local:  line 14 has invalid regex /var/www2/html(*./):  Invalid preceding regular expression

Well crap, its still not correct. So I enter this command and get another error.

#semanage fcontext -a -t httpd_sys_content_t “/var/www2/html(/.*)?

So at this point I start running all sorts of variations of the command with minor syntax changes each time, each time getting an error and each time getting more and more frustrated thinking that I am still not running the command correctly.

However this is not actually the case.

After I take a step back and cool off I actually take the time to read the error message which is pointing me t the file, file_contexts.local. Which upon further inspection actually contains each and every regex that I just ran regardless of the fact that the regex was correct.

# cat /etc/selinux/targeted/contexts/files/file_contexts.local | grep www2
/var/www2    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/,*)?    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/,*)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html    system_u:object_r:httpd_sys_content_t:s0
/var/www2(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(*,/)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(*./)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0

In a nutshell.. the semanage command added each and context to file/directory mapping despite the fact that my regex was not correct, and then it gave me an error. So each time I ran the command with the an invalid regex, another entry was added and the error message grew. One would think that it would detect the regex error first and not add it to the file.

Anwyway the fix was to identify all the bad lines in the file from the error message and run the following command against each entry.

#semanage fcontext -d “/var/www2/html(*,/)?”

Once I cleaned out the file of the offending entries I was able to run the command one last time, this time using the correct syntax and was error free

RHEL6 – Using Semanage and Restorecon to Modify SELinux File Contexts

/ Christopher Paquin / Leave a comment

Potty TrainingOk, how to keep this simple? Lets see…

Semanage:

Ok, semanage, when used with the fcontext argument, is used to define SELinux file contexts for file. It basically adds the new definition to the file,  /etc/selinux/targeted/contexts/files/file_contexts.

For example lets say that I create a new file called /root/foobar.

Using the command below I can see the default context that is assigned to a file created in /root

# ls -lZ foobar
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 foobar

Now lets say that I want to change the context of this file to public_content_t.  The first step to accomplish this is to define its new context.

# semanage fcontext -a -t public_content_t /root/foobar

Restorecon:

Now that the context type is defined we need to actually modify the current context of our file. So now you run restorecon against the file to actually make the change. Note: use -v for verbose.

# restorecon -v /root/foobar

restorecon reset /root/foobar context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:public_content_t:s0

Chcon:

There is also a command called chcon, that can also be used to change the defined context for a file. However I advise against using it as changes made using chcon will not survive a filesystem relabel. What is a filesystem relabel? Well according to wiki.centos.org, a relabel is defined below.

“Sometimes it is necessary to relabel the complete filesystem although this should only be necessary when enabling SELinux after it has been disabled or when changing the SELinux policy from the default targeted policy to strict.”