proftpd with systemd on F-15

Paul Howarth paul at city-fan.org
Mon Jul 11 12:55:04 UTC 2011


I get various AVCs related to cgroup usage with systemd when logging in 
to proftpd on F-15:

type=AVC msg=audit(1310388446.140:7884): avc:  denied  { read } for 
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:init_t:s0 tclass=file

type=AVC msg=audit(1310388446.140:7884): avc:  denied  { open } for 
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 
success=yes exit=10 a0=2150480 a1=80000 a2=1b6 a3=9 items=0 ppid=11443 
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.142:7885): avc:  denied  { getattr } for 
pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5 
success=yes exit=0 a0=a a1=7fff0173a930 a2=7fff0173a930 a3=9 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7886): avc:  denied  { write } for 
pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

type=AVC msg=audit(1310388446.143:7886): avc:  denied  { add_name } for 
pid=12071 comm="proftpd" name="785" 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { create } for 
pid=12071 comm="proftpd" name="785" 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83 
success=yes exit=0 a0=2150370 a1=1ed a2=0 a3=776f68702f726573 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7887): avc:  denied  { write } for 
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=AVC msg=audit(1310388446.143:7887): avc:  denied  { open } for 
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2 
success=yes exit=11 a0=2150370 a1=80241 a2=1b6 a3=9 items=0 ppid=11443 
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7888): avc:  denied  { getattr } for 
pid=12071 comm="proftpd" 
path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup 
ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e syscall=5 
success=yes exit=0 a0=b a1=7fff0173b100 a2=7fff0173b100 a3=9 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.150:7889): avc:  denied  { setattr } for 
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90 
success=yes exit=0 a0=2150370 a1=1a4 a2=3f4 a3=6f68702f72657375 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.150:7890): avc:  denied  { setattr } for 
pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90 
success=yes exit=0 a0=2150370 a1=1ed a2=3f4 a3=6f68702f72657375 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

/var/log/messages includes:

Jul 11 13:47:21 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - 
FTP session opened.
Jul 11 12:47:26 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - 
Preparing to chroot to directory '/nis-home/phowarth'
Jul 11 13:47:29 roary kernel: [2670919.902960] proftpd[12071]: 
pam_systemd(proftpd:session): Failed to lock runtime directory: 
Permission denied
Jul 11 13:47:29 roary kernel: [2670919.902978] proftpd[12071]: 
pam_unix(proftpd:session): session closed for user phowarth
Jul 11 13:47:29 roary kernel: [2670919.904278] proftpd[12071]: 10.9.2.1 
(10.9.2.1[10.9.2.1]) - FTP session closed.

audit2allow -R suggests:

fs_manage_cgroup_dirs(ftpd_t)
fs_manage_cgroup_files(ftpd_t)
init_read_state(ftpd_t)

proftpd does appear to work despite these messages, so I'm wondering if 
it would be better to dontaudit these rather than allow them?

Paul.

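As an added illustration (not part of the original post), the script below parses AVC records like the ones quoted above, aggregates the denied permissions per source type, target type and object class, and emits them as either dontaudit or allow TE rules so the two options can be compared side by side. It also correlates each denial with its SYSCALL record by audit serial: success=yes next to an AVC denial means the access was not actually blocked, which is the check a policy maintainer would want before deciding to silence the message. The sample records are constructed, trimmed copies of the ones in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on (and trimmed from) the audit records in the post.
SAMPLE = """\
type=AVC msg=audit(1310388446.140:7884): avc:  denied  { read } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc:  denied  { open } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { write } for pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { add_name } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)')

def type_of(ctx):
    # user:role:type[:range] -> type
    return ctx.split(':')[2]

def parse(text):
    rules = defaultdict(set)   # (source type, target type, class) -> denied perms
    permissive = set()         # serials where the denied access nevertheless succeeded
    denied = {}                # serial -> rule key, for AVC/SYSCALL correlation
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
            rules[key].update(m['perms'].split())
            denied[m['serial']] = key
            continue
        m = SYSCALL_RE.search(line)
        # success=yes after an AVC denial: the domain (or system) is permissive
        if m and m['serial'] in denied and m['success'] == 'yes':
            permissive.add(m['serial'])
    return rules, permissive

def te_rules(rules, kind='dontaudit'):
    # Emit raw TE rules; kind is 'allow' or 'dontaudit'.
    return [f"{kind} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == '__main__':
    rules, permissive = parse(SAMPLE)
    print('\n'.join(te_rules(rules, 'dontaudit') + te_rules(rules, 'allow')))
    print('denials that still succeeded (permissive):', sorted(permissive))
```

Raw rules like these are what audit2allow condenses into interface calls such as fs_manage_cgroup_dirs(); feeding the full audit log through the parser instead of the trimmed sample shows every class and permission the rules would cover.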