I get various AVCs related to cgroup usage with systemd when logging in to proftpd on F-15:
type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 a0=2150480 a1=80000 a2=1b6 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.142:7885): avc: denied { getattr } for pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7fff0173a930 a2=7fff0173a930 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7886): avc: denied { write } for pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { create } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83 success=yes exit=0 a0=2150370 a1=1ed a2=0 a3=776f68702f726573 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7887): avc: denied { write } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7887): avc: denied { open } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2 success=yes exit=11 a0=2150370 a1=80241 a2=1b6 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7888): avc: denied { getattr } for pid=12071 comm="proftpd" path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fff0173b100 a2=7fff0173b100 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.150:7889): avc: denied { setattr } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90 success=yes exit=0 a0=2150370 a1=1a4 a2=3f4 a3=6f68702f72657375 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.150:7890): avc: denied { setattr } for pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90 success=yes exit=0 a0=2150370 a1=1ed a2=3f4 a3=6f68702f72657375 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
/var/log/messages includes:
Jul 11 13:47:21 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - FTP session opened.
Jul 11 12:47:26 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - Preparing to chroot to directory '/nis-home/phowarth'
Jul 11 13:47:29 roary kernel: [2670919.902960] proftpd[12071]: pam_systemd(proftpd:session): Failed to lock runtime directory: Permission denied
Jul 11 13:47:29 roary kernel: [2670919.902978] proftpd[12071]: pam_unix(proftpd:session): session closed for user phowarth
Jul 11 13:47:29 roary kernel: [2670919.904278] proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - FTP session closed.
audit2allow -R suggests:
fs_manage_cgroup_dirs(ftpd_t)
fs_manage_cgroup_files(ftpd_t)
init_read_state(ftpd_t)
proftpd does appear to work despite these messages, so I'm wondering if it would be better to dontaudit these rather than allow them?
Paul.
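Added here as a worked example (not code from the post, from proftpd or from audit2allow): a small Python triage script that parses the AVC records above the way audit2allow does, merges the denied permissions per source type, target type and object class into either allow or dontaudit TE rules, and pairs each denial with its SYSCALL record to flag denials that were logged but not enforced. The sample input is the AVC lines from the post; the two SYSCALL records are abridged to the fields the script uses.

```python
import re
from collections import defaultdict

# Sample input: the AVC records from the post above plus two of its SYSCALL records,
# abridged to the fields used here. One audit record per line.
AUDIT_LOG = """\
type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.142:7885): avc: denied { getattr } for pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7886): avc: denied { write } for pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { create } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7887): avc: denied { write } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7887): avc: denied { open } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7888): avc: denied { getattr } for pid=12071 comm="proftpd" path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.150:7889): avc: denied { setattr } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.150:7890): avc: denied { setattr } for pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd"
"""

EVENT_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")  # audit event id shared by AVC and SYSCALL records

def parse_avc(line):
    """Return (event_id, source_type, target_type, tclass, {perms}) for an AVC denial, else None."""
    if not line.startswith("type=AVC") or "denied" not in line:
        return None
    f = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)  # key=value fields
    perms = set(re.search(r"\{\s*([^}]*?)\s*\}", line).group(1).split())
    return (EVENT_RE.search(line).group(1), f["scontext"].split(":")[2],
            f["tcontext"].split(":")[2], f["tclass"], perms)

def aggregate(lines):
    """Merge denied permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for parsed in filter(None, map(parse_avc, lines)):
        _, stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)] |= perms
    return rules

def render(rules, verb="allow"):
    """Render merged denials as TE rules; verb="dontaudit" silences them instead of permitting."""
    return [f"{verb} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def unenforced_events(lines):
    """Event ids where a denial was logged but the SYSCALL record says success=yes, as in the
    post: typically the system or the domain is permissive, so confirm with getenforce first."""
    denied = {p[0] for p in map(parse_avc, lines) if p}
    ok = {EVENT_RE.search(l).group(1) for l in lines
          if l.startswith("type=SYSCALL") and "success=yes" in l}
    return sorted(denied & ok)
```

Run against the log with `render(aggregate(AUDIT_LOG.splitlines()), "dontaudit")` to see the silencing variant of the rules audit2allow proposed above.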
On 07/11/2011 08:55 AM, Paul Howarth wrote:
I get various AVCs related to cgroup usage with systemd when logging in to proftpd on F-15:
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
This looks like proftpd is setting up its own cgroup and SELinux is preventing this. Please open a bugzilla and we can discuss it with the proftpd guys.
On Mon, 11 Jul 2011 14:03:33 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
On 07/11/2011 08:55 AM, Paul Howarth wrote:
I get various AVCs related to cgroup usage with systemd when logging in to proftpd on F-15:
This looks like proftpd is setting up its own cgroup and SELinux is preventing this. Please open a bugzilla and we can discuss it with the proftpd guys.
OK (I am proftpd co-maintainer in Fedora by the way), will do, though I can't see anything relating to cgroups in the code.
Paul.