Hello,
I tried your suggestion in conjunction with the FC5 SELinux FAQ:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2958106
So, I did the following:
# audit2allow -m local -l -i /var/log/audit/audit.log
Which gives me something like:
module local 1.0;
require {
class capability { dac_override dac_read_search };
type ftpd_t;
};
allow ftpd_t self:capability { dac_override dac_read_search };
So, naturally I want it to be inside a file for compilation.
Then I did:
# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
# checkmodule -M -m -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp
But, on that last step I get an error message "semodule: Could not read
file 'local.pp':"
It's strange, because the file local.pp is created normally by the
semodule_package command.
Did I miss anything?
--
Best regards,
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"
-----Original Message-----
From: Kayvan A. Sylvan [mailto:kayvan@sylvan.com]
Sent: Thursday, May 11, 2006 1:29 PM
To: Ketut Mahaindra
Cc: fedora-selinux-list(a)redhat.com
Subject: Re: Allowing vsftpd access for user's home directory
On Thu, May 11, 2006 at 01:17:28PM +0800, Ketut Mahaindra wrote:
> Hello all,
> I have an installation of FC5.
> I want to make vsftpd run with a chroot environment of the user's home directory.
> So far it does not work because SELinux prevents vsftpd from accessing the
> home directory.
> What's the best way to configure SELinux for this purpose?
> I don't want to disable it.
> I have been googling around but so far have not come up with any easy
> solution.
> Any help will be appreciated.
> P.S.
> - I have the following AVC error messages:
> avc: denied { dac_override } for pid=9099 comm="vsftpd" capability=1
> scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> tclass=capability
> avc: denied { dac_read_search } for pid=9099 comm="vsftpd" capability=2
> scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> tclass=capability
You can use audit2allow and the local.te file to allow what you want.
See
http://www.samag.com/documents/s=9820/sam0508a/0508a.htm
Best regards,
---Kayvan
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)