ftpd and PAM

Daniel J Walsh dwalsh at redhat.com
Tue Jun 26 11:27:19 UTC 2007


Paul Howarth wrote:
> Paul Howarth wrote:
>> The PAM config files for vsftpd and proftpd look like this:
>>
>> #%PAM-1.0
>> session    optional     pam_keyinit.so    force revoke
>> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
>> auth       required     pam_shells.so
>> auth       include      system-auth
>> account    include      system-auth
>> session    include      system-auth
>> session    required     pam_loginuid.so
>>
>> So it makes sense for ftpd_t to be able to set the login uid and 
>> create a session keyring:
>>
>> logging_set_loginuid(ftpd_t)
>> allow ftpd_t self:key { write search link };
>>
>>
>> Curiously, I've done this locally but still get this AVC when logging 
>> in on proftpd, with an open dovecot IMAP session on the same server:
>>
>> type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
>
> FWIW, I'm also getting in /var/log/secure:
>
> Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() 
> failed: Operation not permitted
> Jun 26 12:09:42 goalkeeper proftpd[25559]: 
> goalkeeper.intra.city-fan.org 
> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
> Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session 
> closed for user paul
> Jun 26 12:09:42 goalkeeper proftpd[25559]: 
> goalkeeper.intra.city-fan.org 
> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): 
> System error
> Jun 26 12:09:42 goalkeeper proftpd[25559]: 
> goalkeeper.intra.city-fan.org 
> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
>
> I don't see any AVCs to go with these, and adding:
>
> logging_send_audit_msg(ftpd_t)
>
> doesn't seem to help.
>
> Paul.
>
This could be caused by proftpd not running as root and not having the 
audit_write capability.  So a DAC error could be causing this problem.

type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key

I have no idea what this even means.  :^) One of these days I need to 
investigate the kernel keyring.
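What audit2allow does with a denial like the one quoted above, as an added example that is not part of the thread: a small Python parser that turns AVC records into allow rules and a loadable policy module skeleton, mapping a same-type target to `self` the way the `allow ftpd_t self:key` rule in the thread does. The sample log is constructed (the first record is the quoted denial re-joined onto one line; the second is made up to show the self-target case), and the module name local_ftpd is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input. The first record is the denial quoted in the
# thread, re-joined onto one line; the second is made up to exercise the
# self-target case; the SYSCALL record shows non-AVC lines being skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
type=AVC msg=audit(1182853960.377:103384): avc:  denied  { write search } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=key
type=SYSCALL msg=audit(1182853960.377:103383): arch=40000003 syscall=288 success=no exit=-13
"""

# Fields of an AVC record: the denied permission set, then the source and
# target security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type:level -> type (the level may itself contain ':')."""
    return ctx.split(':')[2]


def parse_denials(log_text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, etc. carry no denial of their own
        denials.append((context_type(m['scontext']), context_type(m['tcontext']),
                        m['tclass'], frozenset(m['perms'].split())))
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = 'self' if src == tgt else tgt  # same type on both sides -> self
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def policy_module(name, denials):
    """Render a .te file: module header, require block, allow rules."""
    types = sorted({s for s, _, _, _ in denials} | {t for _, t, _, _ in denials})
    classes = defaultdict(set)
    for _, _, cls, perms in denials:
        classes[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("local_ftpd", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Save the output as local_ftpd.te and build and load it with checkmodule -M -m -o local_ftpd.mod local_ftpd.te, semodule_package -o local_ftpd.pp -m local_ftpd.mod and semodule -i local_ftpd.pp. Two caveats that match the discussion: the generated rule grants exactly what was denied (here ftpd_t linking a key owned by dovecot_t), and whether that is the right fix rather than giving the FTP session its own keyring is a policy decision, not something the parser can decide; and an EPERM from a missing capability under DAC, like the audit_log_user_message() failure in the log, produces no AVC record at all, so nothing here would report it.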