vsftpd installation on CentOS 7 / RedHat 7 with selinux

May 9, 2015 Linux

vsftpd (Very Secure File Transfer Protocol Daemon) is a lightweight, fast FTP server daemon and the default one on rpm-based Linux distributions (CentOS/RHEL/Fedora).

We will install vsftpd on CentOS 7 with SELinux enabled in Enforcing mode.

1. Install vsftpd server:

[root@tux ~]# yum install vsftpd

2. Verify that the ftp user account was created (with a nologin shell) and set a password for it:

[root@tux /]# getent passwd ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@tux /]# finger ftp
Login: ftp Name: FTP User
Directory: /var/ftp Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
[root@tux /]# passwd ftp
Changing password for user ftp.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

3. Edit /etc/vsftpd/vsftpd.conf so that it looks like the following:

# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
allow_writeable_chroot=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

4. Set the permissions and SELinux context of /var/ftp (the ftp user's home directory):

[root@tux ~]# chown -R ftp:ftp /var/ftp
[root@tux ~]# semanage fcontext -a -t public_content_rw_t /var/ftp
[root@tux ~]# restorecon -Rvv /var/ftp
[root@tux ~]# setsebool -P ftp_home_dir 1
[root@tux ~]# setsebool -P ftpd_full_access 1
[root@tux ~]# ls -lZ /var | grep ftp
drwxr-xr-x. ftp ftp system_u:object_r:public_content_rw_t:s0 ftp

5. Enable and start the vsftpd service:

[root@tux ~]# systemctl enable vsftpd
[root@tux ~]# systemctl start vsftpd
[root@tux ~]# systemctl status vsftpd
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
Active: active (running) since Sat 2015-05-09 22:35:11 CEST; 11min ago
Main PID: 12285 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─12285 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

May 09 22:35:11 router systemd[1]: Started Vsftpd ftp daemon.
...

6. Testing and troubleshooting.

Now let’s test our FTP server from localhost:

[root@tux /]# ftp localhost
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.2)
Name (localhost:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

If you still have login problems, check whether SELinux is still blocking access. Launch the sealert browser and review the alerts:

[root@tux /]# sealert -b

During testing you can also switch SELinux temporarily to Permissive mode to see whether vsftpd becomes reachable, which rules SELinux in or out as the cause:

[root@tux /]# setenforce Permissive
[root@tux /]# getenforce
Permissive
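A small audit script, added here as an example and not part of the original guide, that checks a vsftpd.conf against the settings from the configuration listing above (anonymous access off, local users chrooted, userlist, PAM and tcp_wrappers on) and reports any drift before the daemon is restarted; the function names and the sample config it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a vsftpd.conf against
# the settings the guide relies on, so that config drift (e.g. anonymous
# access re-enabled) is noticed before the daemon is started. Only the keys
# the guide sets are checked; the file path is a parameter.

# Key=value pairs this guide depends on (taken from the config listing).
vsftpd_expected() {
    printf '%s\n' anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                  userlist_enable=YES pam_service_name=vsftpd tcp_wrappers=YES
}

# vsftpd_get KEY FILE: print the effective value of KEY. vsftpd reads the file
# top to bottom and a later assignment overrides an earlier one, so the last
# match wins; comment lines (#...) never match because the pattern is anchored.
vsftpd_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# vsftpd_audit FILE: report every key whose value differs from the expectation.
# Returns the number of mismatches, so 0 means the file matches the guide.
vsftpd_audit() {
    file=$1
    bad=0
    for pair in $(vsftpd_expected); do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(vsftpd_get "$key" "$file")
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo on a constructed config (not a real system file): anonymous access has
# been switched back on further down the file and tcp_wrappers is missing.
demo_conf=$(mktemp)
printf '%s\n' '# constructed sample' anonymous_enable=NO local_enable=YES \
    chroot_local_user=YES userlist_enable=YES pam_service_name=vsftpd \
    anonymous_enable=YES > "$demo_conf"
vsftpd_audit "$demo_conf"
n=$?
rm -f "$demo_conf"
echo "$n setting(s) differ from the guide"   # prints: 2 setting(s) differ from the guide
```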

11 thoughts on “vsftpd installation on CentOS 7 / RedHat 7 with selinux”
  1. Looking for a solution for vsftpd I finally reached your page with the famous SELinux tool blocking everything for everyone everywhere.. But you saved my day!

  2. Hi,

    Great article, thank you for sharing. Just a heads up on Centos 7.7(1908)

    you need… sudo setsebool -P allow_ftpd_full_access 1

    Selinux is a pain in the A$$, but for anyone out there thinking of disabling it.. DON’T! Go the extra mile and work it out. Too many guides out there just want you to switch it off!

    1. Thank you Grev for heads-up!
      It has been a while since I wrote this article, and it looks like they added another setsebool parameter since then.
      And yes – I always try to keep SELinux enabled in Enforcing mode at all cost, it’s another defense point I have for free in Linux out of the box 🙂

  3. I have to say you gave me great help with SELinux, thank you so much! From a Chinese Linux beginner

  4. I’m trying to adapt this guide and use a new user instead of ftp. Why? Because for some reason I cannot change the password of the ftp user on my Fedora 35 Silverblue installation. See the discussion here:
    https://ask.fedoraproject.org/t/how-to-set-up-a-shared-folder-with-ftp-connection/20459/7

    I guess the SElinux commands are supposed to work only with the ftp user?
    When I try the login using a toolbox container, it doesn’t work (530 Login incorrect). When I try sending a scan file from the printer I see this error in the log:

    USER_AUTH pid=65483 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg=’op=PAM:authentication grantors=? acct=”scan” exe=”/usr/sbin/vsftpd” hostname=::ffff:10.0.20.160 addr=::ffff:10.0.20.160 terminal=ftp res=failed’

    This happens also in SElinux permissive mode.
    Any suggestion?
