selinux-policy-targeted-1.25.3-9 in FC4 surely isn't perfect. Can't create dirs when I login over ftp:
type=CWD msg=audit(1123375603.524:11258814): cwd="/home/iocc"
type=PATH msg=audit(1123375603.524:11258814): item=0 name="mp3" flags=10 inode=5046274 dev=03:01 mode=040755 ouid=636 ogid=636 rdev=00:00
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1123375603.539:11258878): arch=40000003 syscall=196 success=no exit=-13 a0=9527930 a1=9523328 a2=3a3ff4 a3=797eec items=1 pid=10556 auid=636 uid=636 gid=636 euid=636 suid=636 fsuid=636 egid=636 sgid=636 fsgid=636 comm="vsftpd" exe="/usr/sbin/vsftpd"
Can't find what I should turn off in /etc/selinux/targeted/booleans to make it work. So I need a little help. Later, I want to upload files in that dir also.
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
On Mon, 22 Aug 2005 04:23:30 +0200, Peter Magnusson said:
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
Give specific examples, and why you think FTP should be able to see that dir? Most security people would consider this behavior in general a feature rather than a bug - but if there's a *specific* corner case that needs different treatment, we probably can fix it.
On Sun, 2005-08-21 at 23:10 -0400, Valdis.Kletnieks@vt.edu wrote:
On Mon, 22 Aug 2005 04:23:30 +0200, Peter Magnusson said:
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
Give specific examples, and why you think FTP should be able to see that dir? Most security people would consider this behavior in general a feature rather than a bug - but if there's a *specific* corner case that needs different treatment, we probably can fix it.
Ah...isn't that his home directory? Seems like a reasonable use of FTP...
Maybe he needs the ftp_home_dir boolean enabled, although that looks like the default.
Peter Magnusson wrote:
selinux-policy-targeted-1.25.3-9 in FC4 surely isn't perfect. Can't create dirs when I login over ftp:
type=CWD msg=audit(1123375603.524:11258814): cwd="/home/iocc"
type=PATH msg=audit(1123375603.524:11258814): item=0 name="mp3" flags=10 inode=5046274 dev=03:01 mode=040755 ouid=636 ogid=636 rdev=00:00
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1123375603.539:11258878): arch=40000003 syscall=196 success=no exit=-13 a0=9527930 a1=9523328 a2=3a3ff4 a3=797eec items=1 pid=10556 auid=636 uid=636 gid=636 euid=636 suid=636 fsuid=636 egid=636 sgid=636 fsgid=636 comm="vsftpd" exe="/usr/sbin/vsftpd"
Can't find what I should turn off in /etc/selinux/targeted/booleans to make it work. So I need a little help. Later, I want to upload files in that dir also.
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Is the use_nfs_home_dirs boolean active?
getsebool use_nfs_home_dirs
use_nfs_home_dirs --> inactive
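An added example, not code from the thread or the Fedora project: a small Python parser for the audit records quoted above. It joins the AVC denial to the SYSCALL record sharing its serial and reports the source and target types, which is what you need to judge whether a narrow boolean such as use_nfs_home_dirs covers the denial before turning off the domain transition with ftpd_disable_trans. SAMPLE_AUDIT is constructed from the thread's own lines, and TARGET_TYPE_HINTS is an assumption holding only the boolean the thread names, not a policy table.

```python
import re

# Constructed input: the four audit records quoted in the thread, one per line.
SAMPLE_AUDIT = """\
type=CWD msg=audit(1123375603.524:11258814): cwd="/home/iocc"
type=PATH msg=audit(1123375603.524:11258814): item=0 name="mp3" flags=10 inode=5046274 dev=03:01 mode=040755 ouid=636 ogid=636 rdev=00:00
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1123375603.539:11258878): arch=40000003 syscall=196 success=no exit=-13 a0=9527930 a1=9523328 a2=3a3ff4 a3=797eec items=1 pid=10556 auid=636 uid=636 gid=636 euid=636 suid=636 fsuid=636 egid=636 sgid=636 fsgid=636 comm="vsftpd" exe="/usr/sbin/vsftpd"
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')   # timestamp:serial links the records
# Assumption: only the boolean this thread names for this target type, not a full policy map.
TARGET_TYPE_HINTS = {"nfs_t": "use_nfs_home_dirs"}

def parse_record(line):
    """Split one audit record into a dict; AVC records also get result and perms."""
    rec = {}
    m = MSG_RE.search(line)
    if m:
        rec["time"], rec["serial"] = m.group(1), int(m.group(2))
    for key, val in KV_RE.findall(line):
        if key != "msg":
            rec[key] = val.strip('"')
    m = AVC_RE.search(line)
    if m:
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def summarize_denials(audit_text):
    """Join each AVC denial to the SYSCALL record sharing its serial and report the
    source/target types, the facts needed to pick a narrow boolean over ftpd_disable_trans."""
    by_serial = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if "serial" in rec:
            by_serial.setdefault(rec["serial"], {})[rec.get("type")] = rec
    out = []
    for serial, recs in sorted(by_serial.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("result") != "denied":
            continue
        ttype = avc["tcontext"].split(":")[2]
        out.append({"serial": serial, "comm": avc.get("comm"), "exe": sc.get("exe"),
                    "source_type": avc["scontext"].split(":")[2], "target_type": ttype,
                    "tclass": avc["tclass"], "perms": avc["perms"], "path": avc.get("name"),
                    "syscall": sc.get("syscall"), "exit": sc.get("exit"),
                    "boolean_hint": TARGET_TYPE_HINTS.get(ttype)})
    return out
```

Feed it the output of `ausearch -m AVC,SYSCALL` (or the raw audit log) to get one summary per denied serial; the CWD and PATH records of the mkdir attempt above carry no denial and are skipped.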
On Sun, 21 Aug 2005, Valdis.Kletnieks@vt.edu wrote:
On Mon, 22 Aug 2005 04:23:30 +0200, Peter Magnusson said:
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
Give specific examples, and why you think FTP should be able to see that
system dirs, like /bin in the root and a few dirs and files in my homedir.
dir? Most security people would consider this behavior in general a feature rather than a bug - but if there's a *specific* corner case that needs different treatment, we probably can fix it.
I expect to see the same files as when I login over ssh or sit in front of the computer. I don't see why vsftpd should be special in any way so I don't see some dirs or files.
On Tue, 23 Aug 2005, Daniel J Walsh wrote:
selinux-policy-targeted-1.25.3-9 in FC4 surely isn't perfect. Can't create dirs when I login over ftp:
<...>
Can't find what I should turn off in /etc/selinux/targeted/booleans to make it work. So I need a little help. Later, I want to upload files in that dir also. Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
Is the use_nfs_home_dirs boolean active?
getsebool use_nfs_home_dirs
use_nfs_home_dirs --> inactive
I disabled selinux to make it work so I can't use getsebool but in /etc/selinux/targeted/booleans it says use_nfs_home_dirs=0 so I guess it's inactive?
My homedir isnt shared over NFS but sometimes I mount NFS shares in some dirs in it.
On Sunday 28 August 2005 06:18pm, Peter Magnusson wrote:
On Sun, 21 Aug 2005, Valdis.Kletnieks@vt.edu wrote:
On Mon, 22 Aug 2005 04:23:30 +0200, Peter Magnusson said:
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
Give specific examples, and why you think FTP should be able to see that
system dirs, like /bin in the root and a few dirs and files in my homedir.
dir? Most security people would consider this behavior in general a feature rather than a bug - but if there's a *specific* corner case that needs different treatment, we probably can fix it.
I expect to see the same files as when I login over ssh or sit in front of the computer. I don't see why vsftpd should be special in any way so I don't see some dirs or files.
Perhaps, I'm just a little bit confused. Are you wanting your FTP server to provide access to the entire filesystem space? It seems like that is what you are asking for and that is not how FTP works.
FTP like HTTP serves up files only from a subset of the filesystem space. You wouldn't want your web server providing access to the entire filesystem, would you? The same is true of FTP.
Please, if I am misunderstanding what you are trying to accomplish here, feel free to explain it.
On Mon, 29 Aug 2005, Lamont R. Peterson wrote:
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
Give specific examples, and why you think FTP should be able to see that
system dirs, like /bin in the root and a few dirs and files in my homedir.
dir? Most security people would consider this behavior in general a feature rather than a bug - but if there's a *specific* corner case that needs different treatment, we probably can fix it.
I expect to see the same files as when I login over ssh or sit in front of the computer. I don't see why vsftpd should be special in any way so I don't see some dirs or files.
Perhaps, I'm just a little bit confused. Are you wanting your FTP server to provide access to the entire filesystem space? It seems like that is what you are asking for and that is not how FTP works.
Correct! My non-anonymous vsftpd server under FC3 works exactly like that. But selinux in FC4 has problems with that. The policy is broken.
FTP like HTTP serves up files only from a subset of the filesystem space. You wouldn't want your web server providing access to the entire filesystem, would you? The same is true of FTP.
Please, if I am misunderstanding what you are trying to accomplish here, feel free to explain it.
Yes, you are. I'm NOT talking about an anonymous ftp server. I login with my user and I expect to have the same files available as when I login over ssh or sit in front of the computer.
Peter Magnusson wrote:
On Mon, 29 Aug 2005, Lamont R. Peterson wrote:
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm logged in at the ftp.
Give specific examples, and why you think FTP should be able to see that
system dirs, like /bin in the root and a few dirs and files in my homedir.
dir? Most security people would consider this behavior in general a feature rather than a bug - but if there's a *specific* corner case that needs different treatment, we probably can fix it.
I expect to see the same files as when I login over ssh or sit in front of the computer. I don't see why vsftpd should be special in any way so I don't see some dirs or files.
Perhaps, I'm just a little bit confused. Are you wanting your FTP server to provide access to the entire filesystem space? It seems like that is what you are asking for and that is not how FTP works.
Correct! My non-anonymous vsftpd server under FC3 works exactly like that. But selinux in FC4 has problems with that. The policy is broken.
Then you can turn off selinux protection on the ftpd server.
FTP like HTTP serves up files only from a subset of the filesystem space. You wouldn't want your web server providing access to the entire filesystem, would you? The same is true of FTP.
Please, if I am misunderstanding what you are trying to accomplish here, feel free to explain it.
Yes, you are. I'm NOT talking about an anonymous ftp server. I login with my user and I expect to have the same files available as when I login over ssh or sit in front of the computer.
Peter Magnusson wrote:
On Wed, 7 Sep 2005, Daniel J Walsh wrote:
Correct! My non-anonymous vsftpd server under FC3 works exactly like that. But selinux in FC4 has problems with that. The policy is broken.
Then you can turn off selinux protection on the ftpd server.
How?
setsebool -P ftpd_disable_trans=1
On Sunday 04 September 2005 07:26pm, Peter Magnusson wrote:
On Mon, 29 Aug 2005, Lamont R. Peterson wrote:
[SNIP]
Perhaps, I'm just a little bit confused. Are you wanting your FTP server to provide access to the entire filesystem space? It seems like that is what you are asking for and that is not how FTP works.
Correct! My non-anonymous vsftpd server under FC3 works exactly like that. But selinux in FC4 has problems with that. The policy is broken.
FTP like HTTP serves up files only from a subset of the filesystem space. You wouldn't want your web server providing access to the entire filesystem, would you? The same is true of FTP.
Please, if I am misunderstanding what you are trying to accomplish here, feel free to explain it.
Yes, you are. I'm NOT talking about an anonymous ftp server. I login with my user and I expect to have the same files available as when I login over ssh or sit in front of the computer.
Daniel has already replied and told you how to make the change you want. I will just say that the setup you describe here is VERY VERY insecure. Remember, FTP is not encrypted, so your username and password are going over the wire in clear text. Also, since the FTP daemon has access to the whole filesystem, anyone can get anything on your box (possibly even write any files they want, though that would depend on more configuration details than what you have told me about).
FTP is the wrong tool for this. You should use sftp (from SSH not SSL) or scp.
On Mon, 3 Oct 2005, Lamont R. Peterson wrote:
Yes, you are. I'm NOT talking about an anonymous ftp server. I login with my user and I expect to have the same files available as when I login over ssh or sit in front of the computer.
Daniel has already replied and told you how to make the change you want. I will just say that the setup you describe here is VERY VERY insecure.
Yes. Just like it worked in FC3.
Remember, FTP is not encrypted, so your username and password are going over the wire in clear text. Also, since the FTP daemon has access to the whole filesystem, anyone can get anything on your box (possibly even write any files they want, though that would depend on more configuration details than what you have told me about).
I know, if I am at some untrusted location I ftp to a temp-ftp account that I change the password for each time. Or use scp.
FTP is the wrong tool for this. You should use sftp (from SSH not SSL) or scp.
Problems with scp: can't tab dirs, can't use -R like in ncftp to upload whole dirs.
scp -r works but that's not always how I want it.