<div class="gmail_quote">On 3 October 2010 21:49, Dominick Grift <span dir="ltr"><<a href="mailto:domg472@gmail.com">domg472@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On Sun, Oct 03, 2010 at 09:17:58PM +0100, Aaron Gray wrote:<br>
> On 3 October 2010 21:03, Dominick Grift <<a href="mailto:domg472@gmail.com">domg472@gmail.com</a>> wrote:<br>
><br>
> > On Sun, Oct 03, 2010 at 08:48:59PM +0100, Aaron Gray wrote:<br>
> > > Hi,<br>
> > ><br>
> > > I had a fresh F11 server install, but with out VSFTPD, then I installed<br>
> > > VSFTPD, but it is blocked by SELinux.<br>
> > ><br>
> > > I turn off enforcement and FTP runs fine.<br>
> > ><br>
> > > Is there some script or proceedure I can run to allow VSFTPD on F11 or do<br>
> > I<br>
> > > have to do a reinstall of Fedora ?<br>
> > ><br>
> > > Many thanks in advance,<br>
> ><br>
> > Can you enclose the AVC denials that you are seeying. With those you should<br>
> > be able to fix any issues. AVC denials are (usually) logged to<br>
> > /var/log/audit/audit.log and can easily be listed with ausearch command.<br>
> ><br>
> ><br>
> First initial syscall :-<br>
><br>
> time->Sun Oct 3 21:12:24 2010<br>
> type=SYSCALL msg=audit(1286136744.107:21351): arch=40000003 syscall=120<br>
> success=no exit=-1 a0=28000011 a1=0 a2=6f4334 a3=6f4334 items=0 ppid=1<br>
> pid=1903 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0<br>
> tty=(none) ses=5 comm="vsftpd" exe="/usr/sbin/vsftpd"<br>
> subj=unconfined_u:system_r:ftpd_t:s0 key=(null)<br>
> type=AVC msg=audit(1286136744.107:21351): avc: denied { sys_admin } for<br>
> pid=1903 comm="vsftpd" capability=21<br>
> scontext=unconfined_u:system_r:ftpd_t:s0<br>
> tcontext=unconfined_u:system_r:ftpd_t:s0 tclass=capability<br>
<br>
</div></div>The above access vector (ftpd_t self:capability sys_admin;) should be allowed indeed.<br>
<br>
You can do this by piping the AVC denial line into the imput stream of the audit2allow command with the -M option and module name parameter:<br>
<br>
echo "avc: denied { sys_admin } for pid=1903 comm="vsftpd" capability=21 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:system_r:ftpd_t:s0 tclass=capability" | audit2allow -M myftpd<br>
<br>
Then you can install the generated custom module with the semodule command with the -i option and the module parameter:<br>
<br>
semodule -i myftpd.pp<br>
<br>
Not the i prefix the module name with "my". This is done that this module will not overwrite the existing ftpd module.<br>
<br>
Any more AVC denials shown?<br>
<div><div></div><div class="h5"><br></div></div></blockquote><div>Wow, thanks, I will try this when I get the time and the right head on. Get back to you later.</div><div><br></div><div>Thanks,</div><div><br></div><div>Aaron</div>
<div> </div></div>