Boolean "allow_ftpd_full_access" how safe?


Post by pri » Wed Aug 14, 2013 6:28 am

Hi,

I have trouble editing files with FTP which are uploaded via a website.

I have this AVC Denied,

Code:
type=AVC msg=audit(1376403738.939:176742): avc:  denied  { write } for  pid=10360 comm="in.proftpd" name="Share.php" dev=dm-0 ino=1703113 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file


Code:
module lclftp 1.0;

require {
        type ftpd_t;
        type httpd_sys_rw_content_t;
        class file write;
}

#============= ftpd_t ==============

#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t httpd_sys_rw_content_t:file write;


I just want to know how safe it is to allow the "allow_ftpd_full_access" boolean on the server.

Any help?
pri
 

Re: Boolean "allow_ftpd_full_access" how safe?

Post by Tabs » Tue Feb 10, 2015 8:45 am

I have only modest knowledge of SELinux but will try to answer your post.

To know more about a boolean you can use:
Code:
# semanage boolean -l | grep allow_ftpd_full_access
allow_ftpd_full_access         (off  ,  off)  Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.


Of course, do not forget that the usual Linux policies apply (e.g. user/group limitations) even when the boolean is active. So in my view this is pretty safe if you need it.

If you want to just allow access to that directory then the following solutions are possible:
- making a new module (cf. your post);
- changing the context of the directory (you would need to find a context which matches both httpd and ftpd; not sure which one matches).
Tabs
 

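Added example, not part of the thread and not any poster's or project's code: a small Python parser that reduces AVC denials like the one in the first post to the narrowest allow rules, the same idea audit2allow applies, so the scope of a local module can be compared with the boolean's "read/write all files on the system". The first log line is the denial from the thread; the other two lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the thread; lines 2 and 3 are constructed samples.
SAMPLE_LOG = """\
type=AVC msg=audit(1376403738.939:176742): avc:  denied  { write } for  pid=10360 comm="in.proftpd" name="Share.php" dev=dm-0 ino=1703113 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1376403739.101:176743): avc:  denied  { setattr write } for  pid=10360 comm="in.proftpd" name="Share.php" dev=dm-0 ino=1703113 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1376403739.101:176743): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field (third of user:role:type[:level]) of a context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL records and anything that is not a denial
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def allow_rules(rules):
    """Render one allow statement per key, with permissions sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    for rule in allow_rules(collect_denials(SAMPLE_LOG)):
        print(rule)
```

Each rule names one source type, one target type and one object class, which is the whole grant a local module built from it would add.
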
Re: Boolean "allow_ftpd_full_access" how safe?

Post by waleed020 » Wed Mar 25, 2015 6:08 am

If you want to just allow access to that directory then the following solutions are possible:


____________________
aliii
waleed020
 