On Thu, 2006-05-11 at 10:57 +0200, Thomas Bleher wrote:
* Thomas Bleher <bleher(a)informatik.uni-muenchen.de> [2006-05-11
09:16]:
> * Ketut Mahaindra <kmahaindra(a)axalto.com> [2006-05-11 07:19]:
> > - I have the following AVC error messages:
> > avc: denied { dac_override } for pid=9099 comm="vsftpd"
capability=1
> > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > tclass=capability
> > avc: denied { dac_read_search } for pid=9099 comm="vsftpd"
capability=2
> > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > tclass=capability
>
> This means that vsftpd can't access some files or directories because it
> does not have DAC rights on it. Probably some home directory is mode
> 0700. Either you change the rights on the directory or you allow the
> capabilities as discussed in this thread.
BTW: Is there some way to get more information out of the kernel about
which file is being accessed? This would be really helpful in debugging
why an application needs dac_override.
If you have syscall auditing enabled, then a syscall audit record should
be emitted at syscall exit that includes the path data whenever an AVC
audit record was generated during the syscall processing.
--
Stephen Smalley
National Security Agency