I want to set up a user to be jailed to a specific home directory, but
SELinux seems to be the problem. If I turn it off, no problem. I ran
audit2allow and installed the module, now there are no AVC denials, but
proftpd still complains "directory /home/attvoicetone is not accessible"

Here is some more info ...


module proftpd 1.0;

require {
type unconfined_t;
type var_run_t;
type home_root_t;
type var_t;
type user_home_dir_t;
type ftpd_t;
type user_home_t;
type xferlog_t;
class dir { write getattr read search };
class file { write read getattr append };
class key search;
}

#============= ftpd_t ==============
allow ftpd_t home_root_t:dir { getattr search };
allow ftpd_t unconfined_t:key search;
allow ftpd_t user_home_dir_t:dir read;
allow ftpd_t user_home_t:dir { read getattr search };
allow ftpd_t user_home_t:file { read getattr };
allow ftpd_t var_run_t:file write;
allow ftpd_t var_t:file append;
allow ftpd_t xferlog_t:dir write;

[root@voicetone2 selinux.local]# ls -dZ /home
drwxr-xr-x root root system_u:object_r:home_root_t /home
[root@voicetone2 selinux.local]# ls -Z /home
drwxrwxrwx attvoicetone attvoicetone user_u:object_r:user_home_dir_t

client message:

ftp> user
(username) ftpuser
331 Anonymous login ok, send your complete email address as your
530-Unable to set anonymous privileges.
530 Login incorrect.
Login failed.

The entries in /var/log/messages are:

Oct 22 16:03:57 voicetone2 proftpd[11956]: voicetone2 (::ffff:[::ffff:]) - ftpuser: Directory /home/attvoicetone/ is not accessible.

The proftpd.conf file contents:

# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off

# Use this to exclude users from the chroot
DefaultRoot ~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# Default to show dot files in directory listings
ListOptions "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile no

# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score

# Normally, we want users to do a few things.

AllowOverwrite yes


SyslogLevel debug

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c

# A basic anonymous configuration, with an upload directory.

Trace ALL:9
TraceLog /var/log/proftpd/trace.log

# SETUP FOR ftpuser

User ftpuser
Group ftp
# We want clients to be able to login with "anonymous" as well as
# UserAlias anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients 5

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot
# DenyAll

DefaultChdir /home/attvoicetone/

Compiled-in modules:

Version Info:
- ProFTPD Version: 1.3.1 (stable)
- Scoreboard Version: 01040002
- Built: Sat Oct 6 21:20:37 CEST 2007
- Module: mod_core.c
- Module: mod_xfer.c
- Module: mod_auth_unix.c
- Module: mod_auth_file/0.8.3
- Module: mod_auth.c
- Module: mod_ls.c
- Module: mod_log.c
- Module: mod_site.c
- Module: mod_delay/0.6
- Module: mod_dso/0.4
- Module: mod_readme.c
- Module: mod_auth_pam/1.0.1
- Module: mod_tls/2.1.2
- Module: mod_cap/1.0
- Module: mod_ctrls/0.9.4

I am running CentOS release 5.2 (Final).

I have verified the user and group, I have validated the directory
exists and is currently set with 777 permissions.

Could someone please steer me in the right direction?
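Added example, not from the original mail or from the ProFTPD project: a small Python script that does what audit2allow does for denials like the ones behind the module pasted above (parse AVC records, fold them into allow rules, render a .te file), and then checks the generated text the way a reviewer should before running semodule -i: that the require block is closed and declares every type and class the allow rules use, and which rules target home-directory types. On the RHEL/CentOS 5 targeted policy the ftp_home_dir boolean is the supported way to let ftpd_t reach user home directories, so rules against those types are a hint to set the boolean rather than install a custom module. The audit lines in SAMPLE_AUDIT are constructed; the HOME_DIR_TYPES set and its link to that boolean are assumptions stated in the comments.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the original mail), shaped like the
# denials that would have produced the first three allow rules of the module
# above. The USER_AUTH record is there to show non-AVC lines being skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1224713037.101:201): avc:  denied  { search } for  pid=11956 comm="proftpd" name="home" dev=sda1 ino=2 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1224713037.102:202): avc:  denied  { getattr } for  pid=11956 comm="proftpd" path="/home" dev=sda1 ino=2 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1224713037.103:203): avc:  denied  { read } for  pid=11956 comm="proftpd" name="attvoicetone" dev=sda1 ino=1301 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=USER_AUTH msg=audit(1224713037.104:204): user pid=11956 uid=0 auid=0 msg='PAM: authentication acct="ftpuser"'
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record; the optional MLS part of a context (":s0...") is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Assumption: home-directory types whose access the ftp_home_dir boolean is
# meant to grant on the RHEL/CentOS 5 targeted policy.
HOME_DIR_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}


def parse_avc(text):
    """Collapse AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def _perm_list(perms):
    """Format a permission set the way audit2allow prints it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def to_te(module_name, rules, version="1.0"):
    """Render the rules as a .te module in a layout like the one above."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = ["module %s %s;" % (module_name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, _perm_list(classes[c])) for c in sorted(classes)]
    out.append("}")
    out.append("")
    for (s, t, cls), perms in sorted(rules.items()):
        out.append("allow %s %s:%s %s;" % (s, t, cls, _perm_list(perms)))
    return "\n".join(out) + "\n"


def check_te(te_text):
    """Return review findings: unclosed require block, undeclared types/classes."""
    problems = []
    if te_text.count("{") != te_text.count("}"):
        problems.append("unbalanced braces (require block not closed?)")
    declared_types = set(re.findall(r"^\s*type\s+(\w+);", te_text, re.M))
    declared_classes = set(re.findall(r"^\s*class\s+(\w+)\s", te_text, re.M))
    for s, t, cls in re.findall(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s", te_text, re.M):
        for ty in (s, t):
            if ty not in declared_types:
                problems.append("type %s used but not in require" % ty)
        if cls not in declared_classes:
            problems.append("class %s used but not in require" % cls)
    return problems


def rules_covered_by_boolean(rules):
    """Rules letting ftpd_t at home-directory types: candidates for
    `setsebool -P ftp_home_dir 1` instead of a hand-rolled allow rule."""
    return sorted(k for k in rules if k[0] == "ftpd_t" and k[1] in HOME_DIR_TYPES)


if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AUDIT)
    te = to_te("proftpd", rules)
    print(te)
    print("review findings:", check_te(te) or "none")
    for s, t, cls in rules_covered_by_boolean(rules):
        print("consider ftp_home_dir boolean instead of: allow %s %s:%s" % (s, t, cls))
```

Feed it a real audit.log (`ausearch -m avc -c proftpd`) and compare the generated rules with what audit2allow produced; anything the checker reports under rules_covered_by_boolean is a reason to try the boolean first and re-test before widening the policy.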


ProFTPD Users List