Selinux an vsftp

Daniel J Walsh dwalsh at redhat.com
Wed Sep 21 14:06:15 UTC 2005


Tomas Larsson wrote:

>>-----Original Message-----
>>From: Daniel J Walsh [mailto:dwalsh at redhat.com] 
>>Sent: Wednesday, September 21, 2005 2:34 PM
>>To: Tomas Larsson
>>Cc: fedora-selinux-list at redhat.com
>>Subject: Re: Selinux an vsftp
>>
>>
>>Tomas Larsson wrote:
>>
>>>I am getting 500 OOPS: failed to open xferlog log
>>>file:/var/log/vsftpd.log, so I'm guessing that it's something wrong in
>>>the selinux-setup
>>>
>>>ls -Z looks like this
>>>-rw-r--r--  root     root     system_u:object_r:var_log_t     vsftpd.log
>>>
>>>And in audit log
>>>
>>>type=AVC msg=audit(1127260722.483:14084097): avc:  denied  { append }
>>>for pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798
>>>scontext=system_u:system_r:ftpd_t
>>>tcontext=system_u:object_r:var_log_t
>>>tclass=file
>>>
>>>I'm guessing that I've got something wrong, but can't find what to do
>>>
>>>With best regards
>>>
>>>Tomas Larsson
>>>Sweden
>>>
>>>Verus Amicus Est Tamquam Alter Idem
>>>
>>>--
>>>fedora-selinux-list mailing list fedora-selinux-list at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>Looks like a bug in file context.
>>
>>chcon -t xferlog_t /var/log/vsftpd.log
>>should fix it.
>>
>>I will update policy
>>
>I've got that one sorted, deleted the logfile and restarted vsftpd.
>
>Now got other problems:
>
>Need anonymous ftp, configured ftpd correctly (I think).
>Created a user "ftpuser" for anonymous ftp in /var
>ls -Z looks like this:
>
>drwxrwsrwx  ftpuser  ftpuser  system_u:object_r:ftpd_anon_t    ftp
>
>In ftp I have
>drwxrwsrwx  ftpuser  ftpuser  system_u:object_r:ftpd_anon_t    pub
>
If you are trying to write to the directory, you need ftpd_anon_rw_t and
the boolean allow_ftpd_anon_write=1


>And get 553 errors, 
>
>TYPE I
>200 Switching to Binary mode.
>PORT 192,168,0,2,6,45
>200 PORT command successful. Consider using PASV.
>STOR 465_v6.pdf
>553 Could not create file.
>Transfer request completed with status: Failed, 1 SubItem(s) failed
>
>
>The audit log looks like this
>type=AVC msg=audit(1127307868.846:713105): avc:  denied  { write } for
>pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637
>scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t
>tclass=dir
>type=SYSCALL msg=audit(1127307868.846:713105): arch=40000003 syscall=5
>success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357
>auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500
>fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
>type=CWD msg=audit(1127307868.846:713105):  cwd="/"
>type=PATH msg=audit(1127307868.846:713105): item=0 name="465_v6.pdf"
>flags=310  inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
>type=AVC msg=audit(1127307868.880:713157): avc:  denied  { getattr } for
>pid=9357 comm="vsftpd" name="pub" dev=dm-0 ino=1143638
>scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_rw_t
>tclass=dir
>type=SYSCALL msg=audit(1127307868.880:713157): arch=40000003 syscall=196
>success=no exit=-13 a0=96b0aa0 a1=96b0ab0 a2=66cff4 a3=cc1eec items=1
>pid=9357 auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500
>sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
>type=AVC_PATH msg=audit(1127307868.880:713157):  path="/pub"
>type=CWD msg=audit(1127307868.880:713157):  cwd="/"
>type=PATH msg=audit(1127307868.880:713157): item=0 name="pub" flags=0
>inode=1143638 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
>type=AVC msg=audit(1127308017.113:730070): avc:  denied  { write } for
>pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637
>scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t
>tclass=dir
>type=SYSCALL msg=audit(1127308017.113:730070): arch=40000003 syscall=5
>success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357
>auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500
>fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
>type=CWD msg=audit(1127308017.113:730070):  cwd="/"
>type=PATH msg=audit(1127308017.113:730070): item=0 name="465_v6.pdf"
>flags=310  inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
>
>
>With best regards
>
>Tomas Larsson
>Sweden
>
>Verus Amicus Est Tamquam Alter Idem


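The two denials in this thread both come down to reading the AVC record's scontext/tcontext/tclass triple and applying the right relabel or boolean. The following is an added example, not code from the thread or from vsftpd/SELinux policy: it parses the AVC lines quoted above (re-joined where the mail client wrapped them), collapses repeats, and attaches the remedy given in the replies; the REMEDIES table and the "unknown denial" fallback text are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this thread, re-joined where
# the mail client wrapped them, plus one SYSCALL record (skipped by the parser).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1127260722.483:14084097): avc:  denied  { append } for pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1127307868.846:713105): avc:  denied  { write } for pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1127307868.846:713105): arch=40000003 syscall=5 success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357 auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1127307868.880:713157): avc:  denied  { getattr } for pid=9357 comm="vsftpd" name="pub" dev=dm-0 ino=1143638 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_rw_t tclass=dir
type=AVC msg=audit(1127308017.113:730070): avc:  denied  { write } for pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

# Remedies are the ones given in this thread (assumed table, not part of
# policy), keyed on (source domain, target type, object class).
REMEDIES = {
    ("ftpd_t", "var_log_t", "file"): "xferlog mislabeled: chcon -t xferlog_t /var/log/vsftpd.log",
    ("ftpd_t", "ftpd_anon_t", "dir"): "anonymous upload dir: label it ftpd_anon_rw_t and set allow_ftpd_anon_write=1",
    ("ftpd_t", "ftpd_anon_rw_t", "dir"): "already ftpd_anon_rw_t; confirm the allow_ftpd_anon_write boolean is on",
}

def parse_denials(log_text):
    """One dict per AVC denial (comm, perms, source domain, target type, class); other records skipped."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # the type field is the third component of a context user:role:type
            out.append({"comm": m["comm"], "perms": frozenset(m["perms"].split()),
                        "stype": m["scon"].split(":")[2], "ttype": m["tcon"].split(":")[2],
                        "tclass": m["tclass"]})
    return out

def triage(log_text):
    """Collapse repeated denials, most frequent first, and attach the thread's remedy (or a generic note)."""
    counts = defaultdict(int)
    for d in parse_denials(log_text):
        counts[(d["stype"], d["ttype"], d["tclass"], d["perms"])] += 1
    report = []
    for (stype, ttype, tclass, perms), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        remedy = REMEDIES.get((stype, ttype, tclass), "unknown denial: check labels with ls -Z before allowing anything")
        report.append((stype, ttype, tclass, "+".join(sorted(perms)), n, remedy))
    return report
```

Running `triage(SAMPLE_AUDIT_LOG)` yields three rows: the repeated write denial on the ftpd_anon_t directory first, then the var_log_t append and the ftpd_anon_rw_t getattr denials.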