Allowing vsftpd access for user's home directory

Ketut Mahaindra kmahaindra at axalto.com
Thu May 11 06:32:59 UTC 2006


 
Hello,

I tried your suggestion in conjunction with the FC5 SELinux FAQ:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2958106

So, I did the following
# audit2allow -m local -l -i /var/log/audit/audit.log

Which gives me something like:

module local 1.0;
require {
        class capability { dac_override dac_read_search };

        type ftpd_t;
};
allow ftpd_t self:capability { dac_override dac_read_search };

So, naturally I want it to be inside a file for compilation.
Then I did:

# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
# checkmodule -M -m -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp

But, on that last step I get an error message "semodule:  Could not read
file 'local.pp':"
It's strange, because the file local.pp is created normally by the
semodule_package command.

Did I miss anything?

-- 
Best regards,
 
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"
 

-----Original Message-----
From: Kayvan A. Sylvan [mailto:kayvan at sylvan.com] 
Sent: Thursday, May 11, 2006 1:29 PM
To: Ketut Mahaindra
Cc: fedora-selinux-list at redhat.com
Subject: Re: Allowing vsftpd access for user's home directory

On Thu, May 11, 2006 at 01:17:28PM +0800, Ketut Mahaindra wrote:
> Hello all,
> 
> I have an installation of FC5.
> I want to make vsftpd run with chroot environment of user home directory.
> So far it does not work because SELinux prevents vsftpd from accessing the
> home directory.
> 
> What's the best way to configure SELinux for this purpose?
> I don't want to disable it.
> I have been googling around but so far have not come up with any easy
> solution.
> 
> Any help will be appreciated.
> 
> P.S.
> - I have the following AVC error messages:
>   avc:  denied  { dac_override } for  pid=9099 comm="vsftpd" capability=1
> scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> tclass=capability
>   avc:  denied  { dac_read_search } for  pid=9099 comm="vsftpd" capability=2
> scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> tclass=capability

You can use audit2allow and the local.te file to allow what you want.

See http://www.samag.com/documents/s=9820/sam0508a/0508a.htm

Best regards,

			---Kayvan
-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

