ftpd and PAM

Paul Howarth paul at city-fan.org
Tue Jun 26 11:14:31 UTC 2007


Paul Howarth wrote:
> The PAM config files for vsftpd and proftpd look like this:
> 
> #%PAM-1.0
> session    optional     pam_keyinit.so    force revoke
> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth       required     pam_shells.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
> session    required     pam_loginuid.so
> 
> So it makes sense for ftpd_t to be able to set the login uid and create 
> a session keyring:
> 
> logging_set_loginuid(ftpd_t)
> allow ftpd_t self:key { write search link };
> 
> 
> Curiously, I've done this locally but still get this AVC when logging in 
> on proftpd, with an open dovecot IMAP session on the same server:
> 
> type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key

FWIW, I'm also getting in /var/log/secure:

Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() failed: Operation not permitted
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): System error
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

I don't see any AVCs to go with these, and adding:

logging_send_audit_msg(ftpd_t)

doesn't seem to help.

Paul.
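
An added example (not part of the original thread or of any project's code) that turns AVC denials like the one quoted above into the minimal allow rule they correspond to, the same derivation the message makes by hand when it goes from the `{ write search link }` key denials to `allow ftpd_t self:key { write search link };`. The parser also flags when the source and target domains differ, which is the situation in the proftpd/dovecot denial: a cross-domain key denial usually means a keyring from another service is visible to the process, and granting the rule would not address that. The second sample line is constructed to match the self-keyring rule in the message; the first is the quoted denial rejoined onto one line.

```python
import re

# Sample 1: the AVC quoted in the message above, rejoined onto one line.
SAMPLE_CROSS_DOMAIN_AVC = (
    'type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for '
    'pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 '
    'tcontext=root:system_r:dovecot_t:s0 tclass=key'
)

# Sample 2: constructed (not from the thread) to show the self-keyring case that
# leads to the allow rule given in the message.
SAMPLE_SELF_AVC = (
    'type=AVC msg=audit(1182853960.000:1): avc:  denied  { write search link } for '
    'pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 '
    'tcontext=root:system_r:ftpd_t:s0 tclass=key'
)

# "avc:  denied  { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; quoted values (comm="proftpd") may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def is_cross_domain(avc):
    """True when the denied access crosses from one domain type into another."""
    return context_type(avc['scontext']) != context_type(avc['tcontext'])


def allow_rule(avc):
    """Build the minimal TE rule that would permit this denial (what audit2allow prints)."""
    src = context_type(avc['scontext'])
    tgt = 'self' if not is_cross_domain(avc) else context_type(avc['tcontext'])
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {tgt}:{avc['tclass']} {perm_str};"


if __name__ == '__main__':
    for line in (SAMPLE_CROSS_DOMAIN_AVC, SAMPLE_SELF_AVC):
        avc = parse_avc(line)
        note = '  # cross-domain: check why the other domain\'s key is visible' if is_cross_domain(avc) else ''
        print(allow_rule(avc) + note)
```

Run it against a copy of audit.log with `grep 'comm="proftpd"' audit.log | python3 avcrule.py` (after replacing the sample loop with a read from stdin) to see every rule the denials would need; treat a cross-domain hit as a question to answer before adding policy rather than a rule to add.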