From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 10 Mar 2016 09:05:07 -0500
Subject: [refpolicy] Enable ftpd_connect_all_unreserved boolean by default
In-Reply-To: <56E170E2.4080302@redhat.com>
References: <56E170E2.4080302@redhat.com>
Message-ID: <56E17F13.5020907@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
> Hi all,
>
> In current selinux-policy we have two booleans related to ftp
> active/passive mode communication. Both of these booleans are turned off
> by default.
> ftpd_use_passive_mode (off, off)
> ftpd_connect_all_unreserved (off, off)
>
> In this situation, the ftp daemon cannot start without changing one of these
> booleans.
>
> I suggest enabling the "ftpd_connect_all_unreserved" boolean by default.
>
> Your ideas?
>
>
> Thank you for the discussion.

It sounds like there may be some port labeling problems. The passive mode
Boolean allows TCP binding on all unreserved ports and the connect_all
allows TCP connecting to all unreserved ports. (unreserved ports means
1024-65535 that are not otherwise labeled)

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
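To make the distinction in Chris's reply concrete, here is an added sketch (not quoted from refpolicy's ftp.te, and not part of the thread) of how the two tunables are wired in refpolicy's policy language. The gen_tunable/tunable_policy macros, the corenet_tcp_bind_all_unreserved_ports and corenet_tcp_connect_all_unreserved_ports interfaces and the ftpd_t / unreserved_port_t types are real refpolicy names as I remember them; the descriptions and layout are my own.

```m4
# Constructed illustration of the two ftpd booleans (assumed layout,
# not the project's ftp.te).

## <desc>
## <p>
## Allow ftpd to bind to all unreserved TCP ports, which passive mode
## needs for the server-side data socket.
## </p>
## </desc>
gen_tunable(ftpd_use_passive_mode, false)

## <desc>
## <p>
## Allow ftpd to connect to all unreserved TCP ports, which active mode
## needs to reach the client's data socket.
## </p>
## </desc>
# The proposal in the thread is to change this default to `true'.
gen_tunable(ftpd_connect_all_unreserved, false)

# Each boolean gates one corenetwork interface for ftpd_t; the rules inside
# tunable_policy are inactive while the boolean is off. "All unreserved
# ports" is the unreserved_port_t range: 1024-65535 minus any port that
# carries a more specific label (from corenetwork or `semanage port').
tunable_policy(`ftpd_use_passive_mode',`
	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
')

tunable_policy(`ftpd_connect_all_unreserved',`
	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
```

The two grants are disjoint (bind versus connect), which is why turning on one does not cover the other mode; the `(off, off)` pairs in the quoted message are the (current, persistent) columns that `semanage boolean -l` prints.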