CentOS 7 - Directories created through VSFTPD not inheriting SELinux contexts

Solution 1:

There is a difference between default labelling that occurs at runtime and the regular expression based post-labelling policy that applies on the server.

What you are noting here:

/var/www/html(/.*)?/uploads(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)?               all files         system_u:object_r:httpd_sys_rw_content_t:s0

is the post labelling policy.

What you discuss in your problem actually relates to the runtime policy.

When an entry is created in a directory using SELinux, the rules governing what label the file or directory ends up with are not dictated by the regular expressions you quote but by other rules, as follows (I believe this is the correct order but might have missed something).

  1. There is an explicit named type_transition rule.
  2. There is an explicit non-named type_transition rule.
  3. Inherit the same context as the parent directory.
  4. Apply the default_context.

So, when I copy a WordPress site let's say from another server into a directory in /var/www/html/ by SSH, the folders wp-content/ and wp-content/uploads/ have the proper httpd_sys_rw_content_t security context.

So, yes it does do this, but not for the reason you think it does. Certainly not because of the post labelling policy.

This occurs because a specific named type_transition rule exists which provides this behaviour.

$ sesearch -C -T -s unconfined_t -t httpd_sys_content_t -c dir

Found 4 named file transition filename_trans:
type_transition unconfined_t httpd_sys_content_t : dir httpd_sys_rw_content_t "wp-content"; 
type_transition unconfined_t httpd_sys_content_t : dir httpd_sys_rw_content_t "smarty"; 
type_transition unconfined_t httpd_sys_content_t : dir httpd_sys_rw_content_t "uploads"; 
type_transition unconfined_t httpd_sys_content_t : dir httpd_sys_rw_content_t "upgrade"; 

This is basically saying:

  • If you are unconfined_t and
  • If you are performing an action in the target type httpd_sys_content_t and
  • If the class of the new entry is a directory and
  • If the name of the new entry is "uploads" then
  • The new type is httpd_sys_rw_content_t

The reason this works for SSHD is because after you have logged in you are being given the source context of unconfined_t for which this rule applies.

This does not work for the FTP service because the source context of this service is most likely ftpd_t which has no matching rule.

As such, you'd need to modify the policy to alter the behaviour of SELinux to also honour the named file rulings you see in the other entries for FTP too.

In Fedora 23 at least, there exists an interface to permit this; a policy module like this would do it.

policy_module(local_ftpd, 7.2.0)

require {
  type ftpd_t;
}

apache_filetrans_named_content(ftpd_t)

You can load this by ensuring that the selinux-policy-devel package is installed and running make -f /usr/share/selinux/devel/Makefile load.
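As an added illustration (not part of the answer above), the shell function below replays the answer's rule order over sesearch-style output: a named type_transition wins, then an unnamed one, otherwise the parent directory's type is inherited. The RULES text is constructed to match the sesearch -T format; the unconfined_t lines mirror the answer, the ftpd_t line is a made-up unnamed transition included only to exercise rule 2, and rule 4 (default_context) is not modelled.

```shell
#!/bin/sh
# Constructed sample in the format `sesearch -T` prints on CentOS 7.
# The ftpd_t line is invented for this example, not real policy.
RULES='type_transition unconfined_t httpd_sys_content_t : dir httpd_sys_rw_content_t "wp-content";
type_transition unconfined_t httpd_sys_content_t : dir httpd_sys_rw_content_t "uploads";
type_transition ftpd_t tmp_t : dir ftpd_tmp_t;'

# resolve_type SOURCE_TYPE PARENT_TYPE CLASS NAME
# Prints the type a new entry gets, applying: named rule > unnamed rule > inherit.
resolve_type() {
    printf '%s\n' "$RULES" | awk -v src="$1" -v tgt="$2" -v cls="$3" -v name="$4" '
        $1 == "type_transition" && $2 == src && $3 == tgt && $5 == cls {
            sub(/;$/, "", $NF)              # strip the trailing semicolon
            if (NF >= 7) {                  # named rule: 7th field is the quoted filename
                gsub(/"/, "", $7)
                if ($7 == name) named = $6
            } else {                        # unnamed rule: applies to any filename
                unnamed = $6
            }
        }
        END {
            if (named != "")   print named
            else if (unnamed != "") print unnamed
            else               print tgt    # rule 3: inherit the parent directory type
        }'
}
```

With this table, unconfined_t creating a directory named "uploads" under httpd_sys_content_t resolves to httpd_sys_rw_content_t, while ftpd_t doing the same simply inherits httpd_sys_content_t, which is the behaviour the question observed over FTP.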