Bug 1495323

Summary: pure-ftpd is running without selinux protection even though the pure-ftpd-selinux package is installed
Product: [Fedora] Fedora EPEL
Reporter: Vincent Gournay <tech>
Component: pure-ftpd
Assignee: Greg Swift <gregswift>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel7
CC: gregswift, jaromir.capik, mi, msehnout, tech
Last Closed: 2021-08-03 03:57:13 UTC
Type: Bug

Description Vincent Gournay 2017-09-25 19:52:03 UTC
Description of problem:
pure-ftpd is running unconfined even though the pure-ftpd-selinux package is installed

Version-Release number of selected component (if applicable):
 pure-ftpd.x86_64                      1.0.42-3.el7                   @epel      
 pure-ftpd-selinux.x86_64              1.0.42-3.el7                   @epel      


How reproducible:
always

Steps to Reproduce:
# yum install epel-release
# yum install pure-ftpd pure-ftpd-selinux
# systemctl start pure-ftpd
# ps -eZ |grep pure-ftpd
The last command will show that the process is running in system_u:system_r:unconfined_service_t:s0


Actual results:
pure-ftpd is running in the unconfined_service_t selinux domain

Expected results:
pure-ftpd should be running in the ftpd_t selinux domain


Additional info:
The problem seems to come from the fact that systemd executes the daemon through the /usr/sbin/pure-config.pl file. The label on this file is system_u:object_r:bin_t:s0. So the daemon does not transition into the ftpd_t domain.

Changing the context to ftpd_exec_t seems to fix the problem (That obviously won't survive a relabel, it's just to show the fix):
# chcon -t ftpd_exec_t /usr/sbin/pure-config.pl
# systemctl restart pure-ftpd
# ps -eZ |grep pure-ftpd
Will now show pure-ftpd correctly running in system_u:system_r:ftpd_t.
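
A way to script the `ps -eZ` check from the report, as an added example that is not part of the original bug report: it flags any process left in unconfined_service_t and verifies that a named daemon runs in its expected domain. The sample process list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ps -eZ` output for daemons that missed their
# SELinux domain transition (the symptom described in this report).

# Constructed sample in `ps -eZ` format (LABEL PID TTY TIME CMD);
# not captured from a real host.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023   912 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1532 ?       00:00:00 pure-ftpd
system_u:system_r:ftpd_t:s0-s0:c0.c1023  1601 ?        00:00:00 vsftpd'

# domain_of NAME
# Reads `ps -eZ` output on stdin and prints the SELinux type (third
# colon-separated field of the label) of every process named NAME.
domain_of() {
    awk -v name="$1" '$1 ~ /:/ && $NF == name { split($1, l, ":"); print l[3] }'
}

# unconfined_services
# Reads `ps -eZ` output on stdin and prints "PID CMD" for every process
# running in unconfined_service_t, i.e. started by systemd from an
# executable whose label triggered no domain transition.
unconfined_services() {
    awk '$1 ~ /:/ { split($1, l, ":")
                    if (l[3] == "unconfined_service_t") print $2, $NF }'
}

# check_domain NAME EXPECTED
# Returns 0 if every instance of NAME runs in EXPECTED, 1 if any
# instance runs elsewhere, 2 if NAME is not running at all.
check_domain() {
    found=$(domain_of "$1")
    [ -n "$found" ] || return 2
    for d in $found; do
        [ "$d" = "$2" ] || return 1
    done
    return 0
}

# Live use is opt-in so the functions can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
    ps -eZ | unconfined_services
fi
```

Run with `--live` on an SELinux-enabled host to list current offenders, or pipe `ps -eZ` into `check_domain pure-ftpd ftpd_t` from a monitoring job.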

Comment 1 Greg Swift 2021-06-29 21:19:06 UTC
I made changes that seem like they'd work, but couldn't verify because I couldn't find the pure-config.pl file.  I see where it's referenced but I checked the latest sources and no file. There are changelog comments about a pure-config.py script, but I don't see that either.

I did find a reference to this problem in Debian packaging a while back

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=171646

Any suggestions?

Comment 2 Vincent Gournay 2021-07-05 20:45:30 UTC
Hi Greg,
I tested on Fedora 33 and RHEL8 today (with pure-ftpd 1.0.49-6.fc33 and 1.0.49-4.el8) and the issue has been fixed, the daemon is correctly running in ftpd_t.
The pure-config.pl file seems to have been removed from the package.
The original post was 4 years ago so I guess a lot has changed since then ;)

Vincent

Comment 3 Greg Swift 2021-08-03 03:57:13 UTC
Okay.. will close then.. sorry about that. Not sure how I never saw this.