
SElinux, proftpd + httpd_sys_rw_content_t dir

Burnout

New Pleskian
Hi,

On a CentOS (6) system, when the httpd service creates a directory, it gets the following selinux properties: "scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir"

Now, this directory isn't readable or writable with proftpd. How can I give proftpd access to the directory?
Keep in mind, I don't want to turn off SElinux or edit the allow_ftpd_full_access boolean. Also I prefer to not edit the fcontext.

Thx for your feedback!


Kind regards,
Burn
 
For whom it might interest, I did some investigations and managed to write the following (working) module:
Code:
module ftpd.custom 1.0;

require {
   type ftpd_t;
   type httpd_sys_rw_content_t;
   class file { create open unlink setattr };
   class dir { read add_name search rmdir getattr write create open setattr remove_name rename };
}

#============= ftpd_t ==============

#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t httpd_sys_rw_content_t:dir { create read add_name search rmdir getattr write open remove_name setattr rename };
allow ftpd_t httpd_sys_rw_content_t:file { create open unlink setattr };

If you want to use it, you need to check, compile and load it:
Code:
# checkmodule -M -m -o ftpd.custom.mod ftpd.custom.te
# semodule_package -o ftpd.custom.pp -m ftpd.custom.mod
# semodule -i ftpd.custom.pp
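An added example, not part of the post: a small Python pre-check that parses a .te module of the form shown above and lists every type, class or permission an allow rule uses without declaring it in the require block, which is the usual reason checkmodule refuses to compile a hand-written module. The embedded policy text is a copy of the module above; the regexes only handle the single-source, single-target rule form it uses.

```python
import re

# Constructed copy of the ftpd.custom module from the post, embedded so the
# checker runs offline; on the server it lives in ftpd.custom.te.
TE_MODULE = """\
module ftpd.custom 1.0;

require {
   type ftpd_t;
   type httpd_sys_rw_content_t;
   class file { create open unlink setattr };
   class dir { read add_name search rmdir getattr write create open setattr remove_name rename };
}

#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t httpd_sys_rw_content_t:dir { create read add_name search rmdir getattr write open remove_name setattr rename };
allow ftpd_t httpd_sys_rw_content_t:file { create open unlink setattr };
"""

REQUIRE_RE = re.compile(r"require\s*\{(.*?)\n\}", re.S)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s*\{([^}]*)\}\s*;", re.M)
# Single-source, single-target allow rules as written above; '#' comment
# lines never match because the pattern is anchored on the keyword.
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_module(text):
    """Return (declared types, {class: declared perms}, allow rules)."""
    body = REQUIRE_RE.search(text).group(1)
    types = set(TYPE_RE.findall(body))
    classes = {c: set(p.split()) for c, p in CLASS_RE.findall(body)}
    rules = [(s, t, c, set(p.strip("{} ").split()))
             for s, t, c, p in ALLOW_RE.findall(text)]
    return types, classes, rules

def check_module(text):
    """List allow rules using a type, class or permission the require block
    does not declare; checkmodule -M -m rejects a module with any of these."""
    types, classes, rules = parse_module(text)
    problems = []
    for src, tgt, cls, perms in rules:
        problems += [f"type {t} not in require block" for t in (src, tgt) if t not in types]
        if cls not in classes:
            problems.append(f"class {cls} not in require block")
            continue
        missing = perms - classes[cls]
        if missing:
            problems.append(f"{cls}: permissions {sorted(missing)} not in require block")
    return problems
```

The check is purely syntactic: an empty result means the module will compile, not that the granted permissions are no wider than the AVC denials you actually saw in audit.log.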
 