Modify SELinux settings so that vsftpd runs normally in enforcing (Security-Enhanced Linux) mode.

Source: Internet
Author: User
Tags: ftp, login

Reprinted: http://www.ppkj.net/tag/selinux/

I had SELinux and the firewall turned on, and did not expect vsftpd to be a problem. FTP logon failed with the error: 500 Oops: cannot change directory. Let's take a look at the cause of this problem and how to fix it.

First, analyze the cause of the conflict:
1. To lock users into their home directories, chroot_local_user is enabled in vsftpd.conf.
With this set, the logged-in FTP user's "/" is the home directory recorded in /etc/passwd, such as /var/www/a.com/, so FTP users cannot wander off into /etc. On login, vsftpd chroot()s to that home directory (here CWD /var/www/html/www.xxx.com), makes it the root of the FTP session, and the user cannot leave it.

vi /etc/vsftpd.conf

    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd/chroot_list

Of course, you can also use chroot_list_enable=YES instead. However, it is tedious to list every FTP user name in chroot_list one by one, and omissions are likely, so chroot_local_user=YES is the recommended setting. One caveat that applies to either method: vsftpd 3.x refuses a session whose chroot root is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set, so keep the home directory itself read-only for the user and give them a writable subdirectory.

2. This is where the problem arises. With SELinux enforcing, the targeted policy does not allow the vsftpd daemon (the ftpd_t domain) to enter users' home directories, so the chroot/chdir into the home directory is denied, vsftpd answers "500 Oops: cannot change directory", and the login fails. The denial itself is recorded in /var/log/audit/audit.log and can be pulled out with ausearch -m avc -c vsftpd.

There are two solutions:

1. Lower the SELinux mode from enforcing to permissive

vi /etc/sysconfig/selinux

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=permissive

With this, FTP login works again (on RHEL/CentOS, /etc/sysconfig/selinux is a symlink to /etc/selinux/config, the file change takes effect at the next reboot, and setenforce 0 switches to permissive immediately). Permissive mode still logs every denial, which makes it useful for diagnosis, but trading the security of the whole system for one small problem is not the best solution.

2. After some research, a better method was found. First, check the FTP-related booleans in the SELinux policy:

getsebool -a | grep ftp

    allow_ftpd_anon_write --> off
    allow_ftpd_full_access --> off
    allow_ftpd_use_cifs --> off
    allow_ftpd_use_nfs --> off
    allow_tftp_anon_write --> off
    ftp_home_dir --> off
    ftpd_connect_db --> off
    ftpd_disable_trans --> on
    ftpd_is_daemon --> on
    httpd_enable_ftp_server --> off
    tftpd_disable_trans --> off

Turning on either ftp_home_dir or ftpd_disable_trans lets FTP logins work normally while the system stays in enforcing mode. The two are not equivalent, though: ftp_home_dir grants the confined vsftpd domain access to user home directories, which is exactly what the chroot needs, whereas ftpd_disable_trans removes the domain transition so vsftpd runs unconfined, giving up most of what SELinux offers for this service. allow_ftpd_full_access likewise grants vsftpd read/write access to all files and is not required for this error. Prefer ftp_home_dir on its own.

    setsebool -P ftpd_disable_trans 1

or

    setsebool -P ftp_home_dir 1
    setsebool -P allow_ftpd_full_access 1
    service vsftpd restart

The -P flag makes the change persistent (it is written into the policy store), so the command does not need to be repeated after every reboot. Finally, do not forget to set SELINUX=enforcing again in /etc/sysconfig/selinux (setenforce 1 does it immediately) and confirm with getenforce.
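The procedure above, as an added audit script that is not part of the original post: it reads vsftpd.conf and the output of getsebool -a, and prints the one setsebool command that the "cannot change directory" error actually needs (ftp_home_dir) while reporting the over-broad booleans (ftpd_disable_trans, allow_ftpd_full_access) as findings instead of enabling them. The config text and boolean listing are passed in as arguments so the logic can be run offline; the sample inputs at the bottom are constructed for this example, the config path /etc/vsftpd.conf follows the post, and the boolean names are those of the policy version shown above (later policies renamed or dropped some of them, so compare against your own getsebool -a output).

```shell
#!/bin/sh
# Added example (not from the original post): decide which SELinux boolean
# vsftpd needs for chroot_local_user=YES, and flag the over-broad ones.

# Read one key from vsftpd.conf text; comment lines are ignored and the last
# assignment wins. Prints the value upper-cased (vsftpd treats yes/YES alike),
# or nothing when the key is not set.
vsftpd_option() {
    printf '%s\n' "$1" |
        sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#[:space:]]+).*/\1/p" |
        tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# Read one boolean from "getsebool -a" style output ("name --> on").
sebool_state() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3 }'
}

# plan MODE CONF BOOLS: print the setsebool command to run, one per line, or
# nothing when no change is needed. Only ftp_home_dir is ever proposed;
# ftpd_disable_trans (vsftpd runs unconfined) and allow_ftpd_full_access
# (read/write everywhere) are reported as findings, never switched on.
plan() {
    mode=$1 conf=$2 bools=$3
    if [ "$(vsftpd_option "$conf" chroot_local_user)" != "YES" ]; then
        return 0    # no chroot into the home directory, so this cause is absent
    fi
    if [ "$mode" != "Enforcing" ]; then
        echo "# SELinux is $mode: the denial is only logged, fix the policy anyway"
    fi
    [ "$(sebool_state "$bools" ftp_home_dir)" = "on" ] ||
        echo "setsebool -P ftp_home_dir 1"
    [ "$(sebool_state "$bools" ftpd_disable_trans)" = "on" ] &&
        echo "# finding: ftpd_disable_trans is on, vsftpd runs unconfined; turn it off"
    [ "$(sebool_state "$bools" allow_ftpd_full_access)" = "on" ] &&
        echo "# finding: allow_ftpd_full_access is on, broader than ftp_home_dir needs"
    return 0
}

# Constructed sample input (not captured from a real host): the situation in
# the post, with chroot_local_user on and ftp_home_dir still off.
SAMPLE_CONF='# vsftpd.conf excerpt (constructed)
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
#chroot_list_enable=YES
'
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on'

# Live run when the SELinux tools and config are present, otherwise the sample.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/vsftpd.conf ]; then
    plan "$(getenforce)" "$(cat /etc/vsftpd.conf)" "$(getsebool -a)"
else
    plan Enforcing "$SAMPLE_CONF" "$SAMPLE_BOOLS"
fi
```

Run it once to review the output, then pipe it into sh to apply (the finding lines are comments and are ignored); restart vsftpd afterwards and re-test the login with getenforce still reporting Enforcing.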
