Thanks Joe.
Chroot is a possibility, but if I want to block this access, do I need to change those rules, or can I write a specific rule denying this access?

Att,


Frederico Madeira
fred@madeira.eng.br
www.madeira.eng.br
Cisco CCNA, LPIC-1, LPIC-2

Registered GNU/Linux nº 206120
GPG-Key-ID: 1024D/0F0A721D
Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D

MSN: fttmadeira@hotmail.com
GTalk: fmadeira@gmail.com
SKYPE: fred_madeira



2014/1/14 Joe Nall <joe@nall.com>

On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred@madeira.eng.br> wrote:

> Hi guys,
>
> I'm running CentOS 6.5 with vsftpd (vsftpd-2.2.2-11.el6_4.1.i686).
>
> I've set boolean to allow users to connect to their home dir
>
> [root@seg_linux-2 /]# getsebool -a | grep ftp
> allow_ftpd_anon_write --> off
> allow_ftpd_full_access --> off
> allow_ftpd_use_cifs --> off
> allow_ftpd_use_nfs --> off
> ftp_home_dir --> on
> ftpd_connect_db --> off
> ftpd_use_fusefs --> off
> ftpd_use_passive_mode --> off
> httpd_enable_ftp_server --> off
> tftp_anon_write --> off
> tftp_use_cifs --> off
> tftp_use_nfs --> off
>
> My problem is that when a user connects to my server, he is able to change dir to /etc and get the passwd file.
>
> The domain of the passwd file is etc_t and the domain for the vsftpd process is ftp_t. Why can users download the passwd file if the subject and object belong to different domains?

sesearch -A -s ftpd_t -t etc_t -p read

will show you the allow rules that permit the read. There are quite a few. Can you chroot the users to their home directory?

joe


>
> [root@seg_linux-2 /]# ls -Z /etc/passwd
> -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/passwd
>
> [root@seg_linux-2 /]# ps -eZ | grep vsftp
> unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
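As an added example (not code from the thread, from vsftpd or from the SELinux policy), the shell script below audits the two controls the thread touches: which ftp-related SELinux booleans are on, and whether vsftpd's chroot_local_user option actually confines local users to their home directory, which is what Joe's chroot suggestion means in vsftpd.conf. SELinux policy grants access only through allow rules and has no runtime deny rule, so narrowing what ftpd_t can reach comes down to keeping the widening booleans (allow_ftpd_full_access and friends) off and restricting the FTP user's view of the filesystem. The sample getsebool output is copied from the thread; the sample vsftpd.conf, the helper names and the RUN_DEMO switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from vsftpd/SELinux: audit helpers
# for the vsftpd + SELinux situation discussed above. The sample inputs are
# constructed so the script runs offline; each helper's comment gives the live
# command that would feed it on a real host.

# Constructed sample of `getsebool -a | grep ftp`, values as posted in the thread.
SAMPLE_GETSEBOOL='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off'

# Constructed sample vsftpd.conf (the thread does not show the real one).
# chroot_local_user is present but commented out, so users are not confined.
SAMPLE_VSFTPD_CONF='anonymous_enable=NO
local_enable=YES
write_enable=YES
#chroot_local_user=YES
listen=YES'

# Print the names of the booleans that are currently on, one per line.
# Live use: getsebool -a | grep ftp | enabled_booleans
enabled_booleans() {
    awk '$3 == "on" { print $1 }'
}

# Succeed (exit 0) only if the named boolean is on in the input.
# Live use: getsebool -a | boolean_is_on allow_ftpd_full_access
boolean_is_on() {
    awk -v name="$1" '$1 == name && $3 == "on" { found = 1 } END { exit !found }'
}

# Report whether vsftpd confines local users to their home directory.
# Only an active (uncommented) chroot_local_user=YES line counts.
# Live use: chroot_status < /etc/vsftpd/vsftpd.conf
chroot_status() {
    if grep -Eq '^[[:space:]]*chroot_local_user[[:space:]]*=[[:space:]]*YES[[:space:]]*$'; then
        echo "chrooted"
    else
        echo "not-chrooted"
    fi
}

# Rewrite a vsftpd.conf read from stdin so that KEY=VALUE appears exactly once
# and uncommented: the first active or commented-out KEY line is replaced,
# later duplicates are dropped, and the key is appended if it was absent.
# Live use: set_conf_key chroot_local_user YES < /etc/vsftpd/vsftpd.conf > new.conf
set_conf_key() {
    awk -v k="$1" -v v="$2" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "[ \t]*=") {
            if (!done) { print k "=" v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k "=" v }'
}

# Stand-alone run: audit the constructed samples, then show the hardened config.
# RUN_DEMO is a constructed switch so the helpers can be sourced without output.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    echo "Enabled ftp booleans:"
    printf '%s\n' "$SAMPLE_GETSEBOOL" | enabled_booleans
    if printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_is_on allow_ftpd_full_access; then
        echo "WARNING: allow_ftpd_full_access is on; ftpd_t gets far wider access"
    fi
    printf 'vsftpd local users: %s\n' "$(printf '%s\n' "$SAMPLE_VSFTPD_CONF" | chroot_status)"
    echo "Hardened vsftpd.conf:"
    printf '%s\n' "$SAMPLE_VSFTPD_CONF" | set_conf_key chroot_local_user YES
fi
```

On the CentOS 6 box in the thread, the live inputs are `getsebool -a` and /etc/vsftpd/vsftpd.conf; after switching chroot_local_user on, restart vsftpd and confirm with a test login that `cd /etc` no longer leaves the home directory. One caveat for anyone carrying this to a newer host: vsftpd 3.0 and later refuses the session when the chroot root itself is writable, a check the 2.2.2 build in the thread predates, so the home directory's write bits matter there.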
