What this post is really about: http://linux.web.cern.ch/linux/scientific6/docs/rhel/Managing_Confined_Services/
Found this gem of a guide when it comes to managing SELinux. This page is a mile-n-a-half long, but a great read when you’ve got nothing to do but research Linux security policies. I stumbled across it when searching for the section #sect-Managing_Confined_Services-The_Apache_HTTP_Server-The_Apache_HTTP_Server_and_SELinux (I think the docs are taking SEO to a whole new, overkill, level – or perhaps it's just scripts “do what it do”). This doc has an awesome intro to custom SELinux policy generation.
What this post ended up being about (the title is completely misleading):
I was configuring a utility server with a “utilwww” user (needed to test some GeoIP scripts, using the MaxMind DB API, on a boatload of IP addresses). For easier access I wanted to grant FTP access using vsftpd – crap, in retrospect I could have just used SCP, oh well – but was having some problems with SELinux blocking the reads on the dir. This was expected since the type wasn’t set to httpd_sys_content_t (the VM is running CentOS 5.7 btw).
Another problem was that by default the home dir’s mode was 700. Not sure why useradd does this and not 744 (or it might have been 744, don’t recall exactly). After scratching my head a bit more wondering why the sucker wasn’t working, I realized that apache (httpd) needs execute perms as well, so a little chmod 755 utilwww did the trick.
In summary (might be missing a few steps here, but this is at least the high level):
# as root, or via sudo, depending on how much of a purist you are...
useradd -g apache -m -b /home utilwww
chmod 755 /home/utilwww   # useradd created it 700; httpd needs the execute (search) bit to get into the dir
chcon -R --user=user_u --type=httpd_sys_content_t /home/utilwww   # note: chcon labels are lost on a relabel; semanage fcontext + restorecon is the persistent form
service httpd restart
nano /etc/vsftpd/vsftpd.conf   # not gonna post the configs here, going to regret this later
nano /etc/sysconfig/iptables   # open up port 21, save buffer, quit nano
chkconfig vsftpd on
service vsftpd start
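As an added example (not part of the original post), the following POSIX shell check walks a directory path the way httpd has to and reports the two problems described above: a path component without the search (x) bit, and a final directory whose SELinux type httpd may not read. It assumes GNU coreutils stat, a web-server group named apache (overridable with HTTPD_GROUP) and the single type the post uses, httpd_sys_content_t (overridable with HTTPD_TYPES); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Walks a directory path the way
# httpd must and reports the two things that blocked the author: a component
# httpd cannot search (no x bit for "other", nor for the group unless it is the
# web server's group) and a final directory whose SELinux type httpd may not read.
# Assumes GNU coreutils stat (%a %G %C), group "apache" (override: HTTPD_GROUP)
# and the single type named in the post, httpd_sys_content_t (HTTPD_TYPES).

# httpd_type_ok CONTEXT: type field of user:role:type[:range] is in HTTPD_TYPES.
# stat prints "?" when the kernel reports no labels; that is nothing to check.
httpd_type_ok() {
  [ "$1" = '?' ] && return 0
  sel_type=$(printf '%s' "$1" | cut -d: -f3)
  for ok in ${HTTPD_TYPES:-httpd_sys_content_t}; do
    [ "$sel_type" = "$ok" ] && return 0
  done
  return 1
}

# httpd_can_search DIR: "other" has x, or the group has x and is httpd's group.
# The author's chmod 755 satisfies the first case.
httpd_can_search() {
  mode=$(stat -c '%a' "$1") || return 2
  perm=$((0$mode))                         # leading 0 reads the digits as octal
  [ $((perm & 1)) -ne 0 ] && return 0
  if [ $(((perm >> 3) & 1)) -ne 0 ] &&
     [ "$(stat -c '%G' "$1")" = "${HTTPD_GROUP:-apache}" ]; then
    return 0
  fi
  return 1
}

# httpd_path_check /abs/dir: print one line per problem; succeed only when every
# component is searchable and the final directory's type is httpd-readable.
httpd_path_check() {
  case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
  rc=0 dir=$1
  while [ -n "$dir" ]; do
    httpd_can_search "$dir" || { echo "$dir: mode $(stat -c '%a' "$dir"), httpd cannot search it"; rc=1; }
    dir=${dir%/*}                          # "/home" -> "", which ends the loop
  done
  ctx=$(stat -c '%C' "$1")
  httpd_type_ok "$ctx" || { echo "$1: context $ctx is not an httpd-readable type"; rc=1; }
  return $rc
}
```

Running `httpd_path_check /home/utilwww` before and after the chmod and chcon steps shows both findings disappear. Because chcon labels do not survive a filesystem relabel, a semanage fcontext rule followed by restorecon is the persistent way to keep the type.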