Reprint: http://www.ppkj.net/tag/selinux/
After enabling SELinux and the firewall, I did not expect to run into a vsftpd problem: FTP logins failed with "OOPS: cannot change directory". Let's look at the cause of this problem and the countermeasures.
First, the cause of the conflict:
1. To lock users into their home directories, enable chroot_local_user in vsftpd.conf.
This makes the FTP user's "/" the home path recorded in passwd, such as /var/www/a.com/, which keeps FTP users from wandering into /etc. With this set, an FTP login automatically runs cwd /var/www/html/www.xxx.com and makes that directory the root of the FTP process, so the user cannot leave it.

vi /etc/vsftpd/vsftpd.conf

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list

Of course, you can also use the chroot_list_enable=YES method. However, it is troublesome to list each FTP username individually in chroot_list, and it is easy to miss one. So it is recommended to use chroot_local_user to confine users.
2. This is where the problem appears. When SELinux is enabled, it prevents the FTP daemon from reading the user's home directory, so vsftpd replies "OOPS: cannot change directory", cannot enter the directory, and the login fails.
There are two solutions:
1. Reduce the SELinux security level by lowering it from enforcing to permissive:

vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=permissive

With this, FTP login works normally. But lowering the security of the whole system to solve one small problem is not always the best solution.
2. After some study, a better approach was found. First look at the SELinux settings for FTP:

getsebool -a | grep ftp

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> on
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
After some trial and error: turning on ftp_home_dir or ftpd_disable_trans lets FTP log in normally while SELinux stays at the enforcing level.

setsebool -P ftpd_disable_trans 1

or

setsebool -P ftp_home_dir 1
setsebool -P allow_ftpd_full_access 1
service vsftpd restart

The -P flag makes the change persistent, so you do not have to repeat the command after every reboot. Finally, don't forget to set SELINUX=enforcing again in /etc/sysconfig/selinux.
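As an added example (not code from the original post), the following POSIX shell script checks the two settings the fix above depends on: it parses constructed samples of `getsebool -a | grep ftp` output and /etc/sysconfig/selinux, and recommends the narrow ftp_home_dir boolean rather than ftpd_disable_trans, which disables the transition into the confined ftpd_t domain and leaves vsftpd unconfined. The helper names and sample data are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SELinux settings that
# decide whether a chrooted vsftpd login can enter the user's home directory,
# and print the least-privilege fix instead of dropping to permissive mode.

# Constructed sample of `getsebool -a | grep ftp` from an affected host.
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> off
ftpd_disable_trans --> off'

# Constructed sample of /etc/sysconfig/selinux.
SAMPLE_SYSCONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# bool_state NAME BOOL_OUTPUT: prints on/off for NAME, or "unknown" if absent.
bool_state() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $3; found = 1 }
                                       END { if (!found) print "unknown" }'
}

# selinux_mode SYSCONFIG_TEXT: prints the value of SELINUX= (comments ignored).
selinux_mode() {
  printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# ftp_home_fix MODE BOOL_OUTPUT: prints the recommended action for this host.
ftp_home_fix() {
  if [ "$1" != enforcing ]; then
    echo "SELinux is $1: denials are not enforced, set SELINUX=enforcing first"
    return 0
  fi
  # ftpd_disable_trans=on skips the transition into ftpd_t, so vsftpd runs
  # unconfined; ftp_home_dir grants only home-directory access and is enough.
  if [ "$(bool_state ftpd_disable_trans "$2")" = on ]; then
    echo "warning: ftpd_disable_trans is on, vsftpd is unconfined; prefer ftp_home_dir"
  fi
  case $(bool_state ftp_home_dir "$2") in
    on)  echo "ok: ftp_home_dir is already on" ;;
    off) echo "setsebool -P ftp_home_dir 1" ;;
    *)   echo "ftp_home_dir boolean not found; check the loaded policy version" ;;
  esac
}

ftp_home_fix "$(selinux_mode "$SAMPLE_SYSCONFIG")" "$SAMPLE_BOOLS"
```

On a real host, replace the two samples with `$(getsebool -a | grep ftp)` and `$(cat /etc/sysconfig/selinux)` to get a recommendation for that machine.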