proftpd AVC on Rawhide

Daniel J Walsh dwalsh at redhat.com
Wed Dec 1 18:22:02 UTC 2010



On 12/01/2010 01:15 PM, Paul Howarth wrote:
> On Wed, 01 Dec 2010 16:45:21 +0000
> Paul Howarth <paul at city-fan.org> wrote:
> 
>> I've just been trying out proftpd on a Rawhide box with /var/run on 
>> tmpfs, and got this AVC:
>>
>> time->Wed Dec  1 16:33:16 2010
>> type=SYSCALL msg=audit(1291221196.017:128): arch=40000003 syscall=5 
>> success=no exit=-13 a0=1c3f6c a1=a0142 a2=180 a3=9665f78 items=0 
>> ppid=1213 pid=1336 auid=500 uid=0 gid=500 euid=500 suid=500 fsuid=500 
>> egid=500 sgid=500 fsgid=500 tty=(none) ses=8 comm="proftpd" 
>> exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
>> key=(null)
>> type=AVC msg=audit(1291221196.017:128): avc:  denied  { search } for 
>> pid=1336 comm="proftpd" name="user" dev=tmpfs ino=12173 
>> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
>> tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
>>
>> It's trying to look in /var/run/user I think.
>>
>> I don't know why it was trying to do this (maybe related to 
>> pam_systemd?) but it didn't seem to stop it working.
> 
> Here's another related one, with related logging:
> 
> ==> /var/log/audit/audit.log <==  
> type=USER_AUTH msg=audit(1291222006.187:44): user pid=1173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="paul" exe="/usr/sbin/proftpd" hostname=::ffff:10.9.2.1 addr=::ffff:10.9.2.1 terminal=/dev/ftpd1173 res=success'
> type=USER_ACCT msg=audit(1291222006.196:45): user pid=1173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="paul" exe="/usr/sbin/proftpd" hostname=::ffff:10.9.2.1 addr=::ffff:10.9.2.1 terminal=/dev/ftpd1173 res=success'
> type=LOGIN msg=audit(1291222006.197:46): login pid=1173 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=2
> type=AVC msg=audit(1291222006.198:47): avc:  denied  { getattr } for  pid=1173 comm="proftpd" path="/var/run/user" dev=tmpfs ino=12078 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
> type=SYSCALL msg=audit(1291222006.198:47): arch=40000003 syscall=196 success=no exit=-13 a0=360d64 a1=bfbb36ac a2=60fff4 a3=3 items=0 ppid=1065 pid=1173 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
> 
> ==> /var/log/secure <==  
> Dec  1 16:46:46 k9 proftpd: pam_systemd(proftpd:session): Failed to create runtime directory: Permission denied
> Dec  1 16:46:46 k9 proftpd: pam_unix(proftpd:session): session opened for user paul by (uid=0)
> 
> Paul.
Looks like we need to add

auth_manage_var_auth(ftpd_t)
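
The two AVC records quoted above, parsed and collapsed into the raw allow rule they imply. This is an added example and not code from the thread or from the SELinux policy project; it does the same aggregation audit2allow would, so the result can be checked against the refpolicy interface suggested here (`auth_manage_var_auth(ftpd_t)` wraps this and related permissions in the ftpd module rather than adding a bare allow rule).

```python
import re

# The two denials from the thread, with the mail quoting stripped.
AVC_LINES = [
    'type=AVC msg=audit(1291221196.017:128): avc:  denied  { search } for pid=1336 '
    'comm="proftpd" name="user" dev=tmpfs ino=12173 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_auth_t:s0 tclass=dir',
    'type=AVC msg=audit(1291222006.198:47): avc:  denied  { getattr } for  pid=1173 '
    'comm="proftpd" path="/var/run/user" dev=tmpfs ino=12078 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_auth_t:s0 tclass=dir',
]

# verdict, permission set in braces, then the key=value tail of the record
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value tokens; values may be double-quoted (comm, name, path)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': set(m.group('perms').split())}
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))})
    return rec


def context_type(ctx):
    """user:role:type[:mls] -> type, e.g. ftpd_t or var_auth_t."""
    return ctx.split(':')[2]


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return rules


def allow_rules(rules):
    """Render the grouped denials as policy allow statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```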
