Bug 1395156

Summary: SELinux prevents proftpd from unlinking its socket
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Severity: medium
Priority: medium
Status: CLOSED WONTFIX
Reporter: Milos Malik <mmalik>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Clone Of: 1392525
Type: Bug
Last Closed: 2017-10-12 12:17:55 UTC

Description Milos Malik 2016-11-15 09:58:43 UTC
+++ This bug was initially created as a clone of Bug #1392525 +++

Description of problem:

Version-Release number of selected component (if applicable):
proftpd-1.3.5b-2.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-mls-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch

How reproducible:
* always

Steps to Reproduce:
0. get a RHEL-7.3 machine (targeted policy is active)
# service proftpd stop
Redirecting to /bin/systemctl stop  proftpd.service
# ftpdctl -v
ftpdctl: contacting server using '/run/proftpd/proftpd.sock'
ftpdctl: error contacting server using '/run/proftpd/proftpd.sock': Connection refused
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent

Actual results:
----
time->Tue Nov 15 04:53:05 2016
type=PATH msg=audit(1479203585.985:281): item=1 name="/tmp/ftp.cl05281" inode=16498 dev=fd:01 mode=0140700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE
type=PATH msg=audit(1479203585.985:281): item=0 name="/tmp/" inode=22 dev=fd:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(1479203585.985:281):  cwd="/"
type=SYSCALL msg=audit(1479203585.985:281): arch=c000003e syscall=87 success=no exit=-13 a0=7ffe6d2a60e2 a1=5 a2=0 a3=8 items=2 ppid=1 pid=5072 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=99 fsgid=0 tty=(none) ses=4294967295 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1479203585.985:281): avc:  denied  { unlink } for  pid=5072 comm="proftpd" name="ftp.cl05281" dev="dm-1" ino=16498 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file
----
Expected results:
* no SELinux denials

Comment 1 Lukas Vrabec 2016-11-16 09:15:25 UTC
We need to figure out how ftp.cl05281 sock_file is created with user_tmp_t label.

Comment 4 Lukas Vrabec 2017-10-12 12:17:55 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 5 Lukas Vrabec 2017-10-12 12:21:06 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
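Comments 4 and 5 point at audit2allow and a local policy module as the way out. The script below is an added example and is not part of the bug report or of the selinux-policy package: it takes the AVC record quoted in the bug (copied verbatim as the constructed input), pulls out the source type, target type, object class and denied permission, and prints the minimal .te module that would silence exactly this denial. The module name proftpd_sock_unlink is an assumption. It also flags the caveat a reviewer would raise, which is the question Comment 1 asks: the target is user_tmp_t, a generic label for user-created temporary files, so the rule lets ftpd_t unlink any socket carrying that label rather than only its own. Finding out why the socket is created with user_tmp_t (and fixing that labelling) is the narrower fix; the module is the workaround.

```shell
#!/bin/sh
# Added example (not from the bug report): turn one AVC denial record into a
# local policy module of the kind Comment 4 refers to, and flag when the
# target type is a generic tmp label that the rule would over-grant on.

# Constructed input: the AVC record quoted in the bug, verbatim.
AVC_LINE='type=AVC msg=audit(1479203585.985:281): avc:  denied  { unlink } for  pid=5072 comm="proftpd" name="ftp.cl05281" dev="dm-1" ino=16498 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file'

# avc_field LINE KEY -> value of the whitespace-delimited KEY=value pair
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permissions listed between the braces, space separated
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# context_type CONTEXT -> the type field of user:role:type[:range]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te LINE MODULE_NAME -> prints a .te module allowing exactly the denied access
avc_to_te() {
    line=$1
    name=$2
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\n' "$name"
    printf 'require {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\n' \
        "$stype" "$ttype" "$tclass" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# is_generic_tmp_target LINE -> succeeds when the target type is a generic tmp label,
# i.e. the allow rule would cover every object with that label, not just proftpd's socket
is_generic_tmp_target() {
    case "$(context_type "$(avc_field "$1" tcontext)")" in
        user_tmp_t|tmp_t) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Assumed module name: proftpd_sock_unlink
    avc_to_te "$AVC_LINE" proftpd_sock_unlink
    if is_generic_tmp_target "$AVC_LINE"; then
        echo "# NOTE: target type is a generic tmp label; relabel the socket rather than widen ftpd_t if you can" >&2
    fi
}

main
```

On a real host the same module is produced from the audit log with `ausearch -m avc -ts recent | audit2allow -M proftpd_sock_unlink`, or built from the printed .te with `checkmodule -M -m -o proftpd_sock_unlink.mod proftpd_sock_unlink.te`, `semodule_package -o proftpd_sock_unlink.pp -m proftpd_sock_unlink.mod` and `semodule -i proftpd_sock_unlink.pp`; rerun the `ftpdctl -v` step from the report afterwards and check that `ausearch -m avc -ts recent` shows no new unlink denial for ftpd_t.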