Vsftp login problems on CentOS 5.2 and SELinux

I was just finishing a new CentOS 5.2 server with SELinux enabled. When I then tried to transfer over some data, the FTP connection window gave me the error “500 OOPS: cannot change directory:/home/userdir”.

First, I thought the cause was that I had not added the user to the FTP group. I then also made sure that the FTP group had read/write permission on the user's directory. Still, no go.

The next thing to check was whether I had enabled an exception in the firewall. To do that you can run “system-config-securitylevel-tui”, which brings up a text-mode interface within the shell where you can customize your rules. FTP was already allowed through, so all was well, right?

Well, it turned out that SELinux in “Enforcing” mode was the cause of it all. Now, I had the following two options:

  1. Switch to the “Permissive” setting (with SELinux set to permissive you can log in with FTP, but denials are only logged, not blocked)
  2. Keep the “Enforcing” setting

I opted for option 2, since I really wanted to keep SELinux enabled in “Enforcing” mode. Actually, all it took was digging into the SELinux booleans. For that we have the commands “getsebool” and “setsebool”.

With the command “/usr/sbin/getsebool -a” you get a list of all SELinux boolean settings (this is a long list!). Within this list there are some FTP settings that are of interest here, like:

ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on

The one we are looking for is “ftp_home_dir”. In your list it will probably be set to “--> off”. Leave “ftpd_disable_trans” alone: turning that on stops vsftpd from transitioning into its confined domain, which effectively removes SELinux protection from the daemon instead of granting the one access it needs. To enable home directory access, issue the following command (the “-P” flag writes the change to the policy store so it survives a reboot; without it the boolean reverts at the next boot):

/usr/sbin/setsebool -P ftp_home_dir=1

As soon as you set this, your users should be able to FTP into their home directories, and you are still on the safe side with SELinux in “Enforcing” mode. If logins still fail, look in /var/log/audit/audit.log for AVC denials with comm="vsftpd": the tcontext field shows which file context vsftpd was denied access to, which tells you whether it is another boolean or a mislabeled directory that is in the way.
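The diagnosis above in script form, as an added example that is not part of the original post: one helper filters the audit log for AVC denials raised by vsftpd and extracts the target type, object class and permission that were denied, another reads the “getsebool -a” listing and reports FTP-related booleans that are still off, and a third builds the persistent “setsebool -P” command. Both inputs are read from stdin so the functions can be tested on the constructed sample lines embedded below (they are not captured from a real host); on a CentOS box you would feed them from /var/log/audit/audit.log and from the real getsebool output instead.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the standard AVC line
# layout (avc:  denied  { perms } for ... comm="..." ... tcontext=u:r:type:s0
# tclass=...) and the "name --> on|off" layout of getsebool -a.

# Print "<comm> <target type> <class> <perms>" for each AVC denial raised by
# the given command name (default vsftpd). Reads audit log lines on stdin.
vsftpd_avc_denials() {
  comm="${1:-vsftpd}"
  grep 'avc:  denied' | grep "comm=\"$comm\"" | while IFS= read -r line; do
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    printf '%s %s %s %s\n' "$comm" "$ttype" "$tclass" "$perms"
  done
}

# Read "name --> on|off" lines on stdin; print FTP-related booleans that are off.
ftp_booleans_off() {
  awk '$1 ~ /ftp/ && $2 == "-->" && $3 == "off" { print $1 }'
}

# Read the same listing on stdin; print the state ("on"/"off") of one boolean.
boolean_state() {
  awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }'
}

# Build the command that enables a boolean persistently (-P survives reboot).
enable_boolean_cmd() {
  printf 'setsebool -P %s=1\n' "$1"
}

# Constructed sample inputs (not captured from a real host). The second audit
# line is an unrelated httpd denial that must be filtered out.
SAMPLE_AUDIT='type=AVC msg=audit(1230000000.123:45): avc:  denied  { search } for  pid=2345 comm="vsftpd" name="userdir" dev=sda1 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1230000000.200:46): avc:  denied  { read } for  pid=2000 comm="httpd" name="index.html" dev=sda1 ino=999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

SAMPLE_BOOLS='allow_ftpd_anon_write --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_homedirs --> off'

main() {
  echo "vsftpd denials (comm target_type class perms):"
  printf '%s\n' "$SAMPLE_AUDIT" | vsftpd_avc_denials
  echo "FTP booleans that are off:"
  printf '%s\n' "$SAMPLE_BOOLS" | ftp_booleans_off
  echo "Fix for the home directory denial:"
  if [ "$(printf '%s\n' "$SAMPLE_BOOLS" | boolean_state ftp_home_dir)" = "off" ]; then
    enable_boolean_cmd ftp_home_dir
  fi
}
main
```

On the sample data the denial comes out as “vsftpd user_home_dir_t dir search”, which is exactly the case ftp_home_dir covers; only that boolean gets a setsebool line, while allow_ftpd_anon_write and ftpd_disable_trans are listed as off but deliberately left alone.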
