proftpd with systemd on F-15
Paul Howarth
paul at city-fan.org
Mon Jul 11 12:55:04 UTC 2011
I get various AVCs related to cgroup usage with systemd when logging in
to proftpd on F-15:
type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2
success=yes exit=10 a0=2150480 a1=80000 a2=1b6 a3=9 items=0 ppid=11443
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.142:7885): avc: denied { getattr } for
pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5
success=yes exit=0 a0=a a1=7fff0173a930 a2=7fff0173a930 a3=9 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7886): avc: denied { write } for
pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name } for
pid=12071 comm="proftpd" name="785"
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { create } for
pid=12071 comm="proftpd" name="785"
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83
success=yes exit=0 a0=2150370 a1=1ed a2=0 a3=776f68702f726573 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7887): avc: denied { write } for
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7887): avc: denied { open } for
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2
success=yes exit=11 a0=2150370 a1=80241 a2=1b6 a3=9 items=0 ppid=11443
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7888): avc: denied { getattr } for
pid=12071 comm="proftpd"
path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup
ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e syscall=5
success=yes exit=0 a0=b a1=7fff0173b100 a2=7fff0173b100 a3=9 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.150:7889): avc: denied { setattr } for
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90
success=yes exit=0 a0=2150370 a1=1a4 a2=3f4 a3=6f68702f72657375 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.150:7890): avc: denied { setattr } for
pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90
success=yes exit=0 a0=2150370 a1=1ed a2=3f4 a3=6f68702f72657375 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
/var/log/messages includes:
Jul 11 13:47:21 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) -
FTP session opened.
Jul 11 12:47:26 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) -
Preparing to chroot to directory '/nis-home/phowarth'
Jul 11 13:47:29 roary kernel: [2670919.902960] proftpd[12071]:
pam_systemd(proftpd:session): Failed to lock runtime directory:
Permission denied
Jul 11 13:47:29 roary kernel: [2670919.902978] proftpd[12071]:
pam_unix(proftpd:session): session closed for user phowarth
Jul 11 13:47:29 roary kernel: [2670919.904278] proftpd[12071]: 10.9.2.1
(10.9.2.1[10.9.2.1]) - FTP session closed.
audit2allow -R suggests:
fs_manage_cgroup_dirs(ftpd_t)
fs_manage_cgroup_files(ftpd_t)
init_read_state(ftpd_t)
proftpd does appear to work despite these messages, so I'm wondering if
it would be better to dontaudit these rather than allow them?
Paul.
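An added example, not part of the post above and not proftpd or refpolicy code: a small script that does offline what `audit2allow -M` (and, with `-D`, its dontaudit variant) does to the records quoted above. It re-joins records that a mail client wrapped, aggregates the denied permissions per (source type, target type, class) and renders a .te module with either `allow` or `dontaudit` on every rule, so one can see exactly what the "dontaudit these instead" module would contain. It also correlates each denial with the SYSCALL record of the same audit serial: every one here carries `success=yes`, which means the access went ahead despite the denial, i.e. the domain (or the whole system) was permissive when they were logged. The sample input is constructed from the post's own records, with the SYSCALL lines cut down to the fields the script needs; the module name is an arbitrary placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL records from the post, one record per
# line except one deliberately left wrapped (as mail clients do), with the
# SYSCALL records trimmed to the fields used below.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.142:7885): avc: denied { getattr } for pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.143:7886): avc: denied { write } for pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { create } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.143:7887): avc: denied { write } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7887): avc: denied { open } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2 success=yes exit=11 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.143:7888): avc: denied { getattr } for pid=12071 comm="proftpd"
path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e syscall=5 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.150:7889): avc: denied { setattr } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.150:7890): avc: denied { setattr } for pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd"
"""

# Only the fields needed for a rule: audit serial, permissions, contexts, class.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?\bsuccess=(?P<ok>yes|no)\b')


def join_records(text):
    """Re-join wrapped records: a line not starting with 'type=' continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avcs(text):
    """Return (rules, succeeded): rules maps (src_type, tgt_type, class) to the
    set of denied permissions; succeeded is the set of audit serials whose
    SYSCALL record says success=yes although an AVC denial was logged for it."""
    rules = defaultdict(set)
    denied_serials, ok_serials = set(), set()
    for rec in join_records(text):
        m = AVC_RE.match(rec)
        if m:
            src = m.group("scon").split(":")[2]   # user:role:TYPE[:range]
            tgt = m.group("tcon").split(":")[2]
            rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
            denied_serials.add(m.group("serial"))
            continue
        m = SYSCALL_RE.match(rec)
        if m and m.group("ok") == "yes":
            ok_serials.add(m.group("serial"))
    return dict(rules), denied_serials & ok_serials


def render_module(name, rules, kind="dontaudit"):
    """Emit a .te module in the layout audit2allow -M produces, using `kind`
    ('allow' or 'dontaudit') for every rule. Permissions are sorted so the
    output is stable across runs."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append("%s %s %s:%s { %s };" % (kind, src, tgt, cls, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules, succeeded = parse_avcs(SAMPLE_AUDIT)
    if succeeded:
        # A denied access whose syscall still succeeded almost always means the
        # domain (or the whole system) was permissive, not that the policy allowed it.
        print("# %d denied syscall(s) returned success=yes: permissive mode" % len(succeeded))
    print(render_module("proftpd_cgroup_quiet", rules, "dontaudit"))   # placeholder name
```

The emitted text is the same shape `audit2allow -M` writes, so it builds the usual way: `checkmodule -M -m -o x.mod x.te && semodule_package -o x.pp -m x.mod && semodule -i x.pp`. Switching the last argument to "allow" reproduces what `audit2allow` would grant as raw rules; the interface calls it suggested in the post (`fs_manage_cgroup_dirs` and friends) are broader than these three rules, which is one reason to look at the raw rule set before choosing between allow and dontaudit.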