From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 10 Mar 2016 09:05:07 -0500
Subject: [refpolicy] Enable ftpd_connect_all_unreserved boolean by
	default
In-Reply-To: <56E170E2.4080302@redhat.com>
References: <56E170E2.4080302@redhat.com>
Message-ID: <56E17F13.5020907@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
> Hi all,
> 
> In current selinux-policy we have two booleans related to ftp 
> active/passive mode communication. Both of these booleans are turned off 
> by default.
> ftpd_use_passive_mode          (off  ,  off)
> ftpd_connect_all_unreserved    (off  ,  off)
> 
> In this situation, ftp daemon cannot start without changing one of this 
> booleans.
> 
> I suggest enabling "ftpd_connect_all_unreserved" boolean by default.
> 
> Your ideas?
> 
> 
> Thank you for discussion.

It sounds like there may be some port labeling problems.  The passive
mode Boolean allows TCP binding on all unreserved ports and the
connect_all allows TCP connecting to all unreserved ports.  (unreserved
ports means 1024-65535 that are not otherwise labeled)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com