Bug 163495 - FTP-server cannot write in user's home directory
Summary: FTP-server cannot write in user's home directory
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2005-07-18 12:05 UTC by J.Jansen
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-07-19 15:20:41 UTC

Description J.Jansen 2005-07-18 12:05:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; OpenVMS Digital_Personal_WorkStation_; en-US; rv:1.7.8) Gecko/20050526

Description of problem:
FTP'ing to a freshly installed FC4 system fails when trying to write in the home directory of the user (writing in a sub-directory is possible).

I do see the problem only on new FC4 installations. Upgrades from FC3 seem to work fine.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install FC4 from scratch
2. Enable vsftpd
3. FTP to the machine and log on
4. FTP> put <anyfile>


Actual Results:  Error message : 553 Could not create file.

Expected Results:  File should be transferred

Additional info:

Comment 1 Radek Vokal 2005-07-19 06:11:51 UTC
Do you have selinux turned on? Check `getenforce` and also all vsftpd lines in
/var/log/messages and /var/log/audit/*

Comment 2 J.Jansen 2005-07-19 11:41:09 UTC
Yes selinux is turned on (by default in FC4)

[root@fercelo audit]# /usr/sbin/getenforce

/var/log/messages : <no interesting lines>

/var/log/audit/* :

type=USER_AUTH msg=audit(1121772441.477:3830753): user pid=23695 uid=0 auid=500
msg='PAM authentication: user=joukj exe="/usr/sbin/vsftpd"
(hostname=, addr=, terminal=? result=Success)'
type=USER_ACCT msg=audit(1121772441.477:3830788): user pid=23695 uid=0 auid=500
msg='PAM accounting: user=joukj exe="/usr/sbin/vsftpd"
(hostname=, addr=, terminal=? result=Success)'
type=CRED_ACQ msg=audit(1121772441.477:3830804): user pid=23695 uid=0 auid=500
msg='PAM setcred: user=joukj exe="/usr/sbin/vsftpd" (hostname=,
addr=, terminal=? result=Success)'
type=AVC msg=audit(1121772441.479:3830892): avc:  denied  { search } for 
pid=23699 comm="vsftpd" name="joukj" dev=hda2 ino=5138209
scontext=root:system_r:ftpd_t tcontext=system_u:object_r:file_t tclass=dir
type=SYSCALL msg=audit(1121772441.479:3830892): arch=40000003 syscall=12
success=no exit=-13 a0=418e6818 a1=1f4 a2=4001a524 a3=bff6cd44 items=1 pid=23699
auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121772441.479:3830892):  cwd="/"
type=PATH msg=audit(1121772441.479:3830892): item=0 name="/home/joukj" flags=3 
inode=5138209 dev=03:02 mode=040755 ouid=500 ogid=500 rdev=00:00
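
Added example, not part of the bug report or of any commenter's post: Python that groups the audit records quoted in comment 2 by their shared serial number and reports each AVC denial together with the path and executable from its PATH and SYSCALL records. The function names are hypothetical, and the sample input is the comment's own records with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Records copied from comment 2 of this bug, with the wrapped lines rejoined.
SAMPLE = '''\
type=AVC msg=audit(1121772441.479:3830892): avc:  denied  { search } for pid=23699 comm="vsftpd" name="joukj" dev=hda2 ino=5138209 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:file_t tclass=dir
type=SYSCALL msg=audit(1121772441.479:3830892): arch=40000003 syscall=12 success=no exit=-13 a0=418e6818 a1=1f4 a2=4001a524 a3=bff6cd44 items=1 pid=23699 auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121772441.479:3830892):  cwd="/"
type=PATH msg=audit(1121772441.479:3830892): item=0 name="/home/joukj" flags=3 inode=5138209 dev=03:02 mode=040755 ouid=500 ogid=500 rdev=00:00
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_events(text):
    """Group records by audit serial; records sharing a serial describe one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, wrapped fragment, ...)
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            fields['perms'] = p.group(1).split() if p else []
        events[serial][rtype] = fields
    return events

def summarize_denials(text):
    """Return one dict per AVC denial, joined with its SYSCALL and PATH records."""
    out = []
    for serial, recs in parse_events(text).items():
        avc = recs.get('AVC')
        if not avc:
            continue
        out.append({
            'serial': serial,
            'perms': avc['perms'],
            # A context is user:role:type[:level]; the type is the third field.
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'path': recs.get('PATH', {}).get('name'),
            'exe': recs.get('SYSCALL', {}).get('exe'),
            'exit': recs.get('SYSCALL', {}).get('exit'),
        })
    return out
```

On the records above, `summarize_denials(SAMPLE)` reports a single `search` denial for `ftpd_t` on a `dir` of type `file_t` at `/home/joukj`.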

Comment 3 Radek Vokal 2005-07-19 11:52:31 UTC
This is a policy issue. You can disable all ftp daemon protection in
system-config-securitylevel -> SELinux or the default targeted policy have to be

Comment 4 J.Jansen 2005-07-19 14:34:28 UTC
Strange that you have to disable all protection while the box "enable read/write
in users home directory" is already selected.

Anyway, it works now.

Comment 6 Daniel Walsh 2005-07-19 15:20:02 UTC
You need to turn on the ftp_home_dir boolean.

man ftpd_selinux 
       SELinux  ftp  daemon  policy  is  customizable  based  on  least access
       required.  So by default SElinux does not allow users to login and read
       their home directories.
       If  you  are setting up this machine as a ftpd server and wish to allow
       users  to  access  their  home  directorories,  you  need  to  set  the
       ftp_home_dir boolean.

       setsebool -P ftp_home_dir 1
