Tomas Larsson wrote:
>-----Original Message-----
>From: Daniel J Walsh [mailto:dwalsh@redhat.com]
>Sent: Wednesday, September 21, 2005 2:34 PM
>To: Tomas Larsson
>Cc: fedora-selinux-list(a)redhat.com
>Subject: Re: Selinux an vsftp
>
>
>Tomas Larsson wrote:
>
>
>
>>I am getting 500 OOPS: failed to open xferlog log
>>file:/var/log/vsftpd.log, so I'm guessing that it's something wrong in
>>the selinux-setup
>>
>>ls -Z looks like this
>>-rw-r--r-- root root system_u:object_r:var_log_t vsftpd.log
>>
>>And in audit log
>>
>>type=AVC msg=audit(1127260722.483:14084097): avc: denied { append }
>>for pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798
>>scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t
>>tclass=file
>>
>>I'm guessing that I've got something wrong, but can't find what to do
>>
>>With best regards
>>
>>Tomas Larsson
>>Sweden
>>
>>Verus Amicus Est Tamquam Alter Idem
>>
>>
>>--
>>fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>>
>Looks like a bug in file context.
>
>chcon -t xferlog_t /var/log/vsftpd.log
>should fix it.
>
>I will update policy
>
>--
>
>
I've got that one sorted, deleted the logfile and restarted vsftpd.
Now got other problems:
Need anonymous ftp, configured ftpd correctly (I think).
Created a user "ftpuser" for anonymous ftp in /var
ls -Z looks like this:
drwxrwsrwx ftpuser ftpuser system_u:object_r:ftpd_anon_t ftp
In ftp I have
drwxrwsrwx ftpuser ftpuser system_u:object_r:ftpd_anon_t pub
If you are trying to write to the directory you need ftpd_anon_rw_t and
boolean allow_ftpd_anon_write=1
And get 553 errors,
TYPE I
200 Switching to Binary mode.
PORT 192,168,0,2,6,45
200 PORT command successful. Consider using PASV.
STOR 465_v6.pdf
553 Could not create file.
Transfer request completed with status: Failed, 1 SubItem(s) failed
The audit log looks like this
type=AVC msg=audit(1127307868.846:713105): avc: denied { write } for
pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637
scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t
tclass=dir
type=SYSCALL msg=audit(1127307868.846:713105): arch=40000003 syscall=5
success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357
auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500
fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1127307868.846:713105): cwd="/"
type=PATH msg=audit(1127307868.846:713105): item=0 name="465_v6.pdf"
flags=310 inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
type=AVC msg=audit(1127307868.880:713157): avc: denied { getattr } for
pid=9357 comm="vsftpd" name="pub" dev=dm-0 ino=1143638
scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_rw_t
tclass=dir
type=SYSCALL msg=audit(1127307868.880:713157): arch=40000003 syscall=196
success=no exit=-13 a0=96b0aa0 a1=96b0ab0 a2=66cff4 a3=cc1eec items=1
pid=9357 auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500
sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC_PATH msg=audit(1127307868.880:713157): path="/pub"
type=CWD msg=audit(1127307868.880:713157): cwd="/"
type=PATH msg=audit(1127307868.880:713157): item=0 name="pub" flags=0
inode=1143638 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
type=AVC msg=audit(1127308017.113:730070): avc: denied { write } for
pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637
scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t
tclass=dir
type=SYSCALL msg=audit(1127308017.113:730070): arch=40000003 syscall=5
success=no exit=-13 a0=96b08c0 a1=84c1 a2=1b6 a3=84c1 items=1 pid=9357
auid=0 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500
fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1127308017.113:730070): cwd="/"
type=PATH msg=audit(1127308017.113:730070): item=0 name="465_v6.pdf"
flags=310 inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500 rdev=00:00
With best regards
Tomas Larsson
Sweden
Verus Amicus Est Tamquam Alter Idem
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
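An added example (mine, not from the thread, vsftpd or the SELinux policy project) for reading denials of the kind quoted above: it groups audit records by their serial so each AVC line can be read together with its SYSCALL, PATH and AVC_PATH lines, summarises who was denied what on which labelled object, and flags the ftpd_t-writing-into-ftpd_anon_t case that Dan's reply addresses. The sample log is constructed from the records quoted in the thread (some fields dropped); `anon_write_denials` and the remedy named in its docstring follow Dan's advice, not any tool's API.

```python
import re
from collections import defaultdict
# Constructed sample built from the records quoted in the thread (same record types, some fields dropped)
SAMPLE_AUDIT = """\
type=AVC msg=audit(1127307868.846:713105): avc: denied { write } for pid=9357 comm="vsftpd" name="ftp" dev=dm-0 ino=1143637 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1127307868.846:713105): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=9357 auid=0 uid=501 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1127307868.846:713105): cwd="/"
type=PATH msg=audit(1127307868.846:713105): item=0 name="465_v6.pdf" flags=310 inode=1143637 dev=fd:00 mode=042777 ouid=501 ogid=500
type=AVC msg=audit(1127307868.880:713157): avc: denied { getattr } for pid=9357 comm="vsftpd" name="pub" dev=dm-0 ino=1143638 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_rw_t tclass=dir
type=AVC_PATH msg=audit(1127307868.880:713157): path="/pub"
"""
HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # permissions listed inside { ... }

def setype(context):
    return context.split(":")[2]  # user:role:type -> type (e.g. ftpd_t)

def parse_audit(text):
    """Group records by audit serial so an AVC is read with its SYSCALL/PATH context."""
    events = defaultdict(lambda: {"avc": [], "ctx": {}})
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC":
            perms = PERM_RE.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
            events[serial]["avc"].append(fields)
        else:  # SYSCALL, CWD, PATH and AVC_PATH records share the AVC's serial
            events[serial]["ctx"].update(fields)
    return events

def summarize(events):
    """One line per denial: source type, permission, target name and label, object path, exit code."""
    out = []
    for serial in sorted(events, key=int):
        ctx = events[serial]["ctx"]
        where = ctx.get("path") or ctx.get("name", "?")  # AVC_PATH's path beats PATH's name
        for a in events[serial]["avc"]:
            out.append(f"{serial}: {setype(a['scontext'])} denied {' '.join(a['perms'])} on {a['tclass']} "
                       f"\"{a.get('name', '?')}\" labelled {setype(a['tcontext'])} (object: {where}, exit={ctx.get('exit', '?')})")
    return out

def anon_write_denials(events):
    """Serials where ftpd_t was denied write on an ftpd_anon_t dir (the case Dan's reply says needs ftpd_anon_rw_t + allow_ftpd_anon_write=1)."""
    return [s for s, ev in events.items() for a in ev["avc"]
            if setype(a["scontext"]) == "ftpd_t" and setype(a["tcontext"]) == "ftpd_anon_t"
            and a["tclass"] == "dir" and "write" in a["perms"]]
```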