Bug 155958

Summary: vsftpd can't do anonymous upload
Product: [Fedora] Fedora
Reporter: han pingtian <hanpingtian>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: rawhide
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-04-26 12:39:44 UTC

Description han pingtian 2005-04-26 06:10:11 UTC
Description of problem:
When doing an anonymous upload with vsftpd, it always fails, and
/var/log/message contains this message:

kernel: audit(1114495188.214:0): avc:  denied  { write } for  pid=4661
exe=/usr/sbin/vsftpd name=pub dev=hda7 ino=587229
scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.12-4

How reproducible:
anonymous ftp with selinux-policy-targeted enabled


Comment 1 Daniel Walsh 2005-04-26 12:39:44 UTC
You need to set the upload directory to ftpd_anon_rw_t.

chcon -t ftpd_anon_rw_t /var/ftp/ftp/upload

man ftpd_selinux describes this.
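As an added example (not part of the bug report or of the SELinux policy), the script below decodes an AVC denial of the shape quoted in the description and, for the ftpd_t-writes-to-ftpd_anon_t case, names the label the upload directory needs; the `fix_upload_dir` helper is an assumption of mine that applies the label persistently with `semanage fcontext` and `restorecon` when those tools exist, falling back to the one-off `chcon` from comment 1. The parsing part needs only POSIX sh, sed and cut, so it runs without SELinux.

```shell
#!/bin/sh
# Constructed sample: the denial from the report joined onto one line.
SAMPLE_AVC='kernel: audit(1114495188.214:0): avc:  denied  { write } for  pid=4661 exe=/usr/sbin/vsftpd name=pub dev=hda7 ino=587229 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir'

# avc_field LINE KEY -> the value of "KEY=value" in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (user:role:type) of a context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the permission(s) listed inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# explain_avc LINE -> one-line diagnosis. The anonymous-upload case from
# comment 1 is recognised explicitly; anything else is just spelled out.
explain_avc() {
    line=$1
    perm=$(avc_perm "$line")
    src=$(avc_type "$(avc_field "$line" scontext)")
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    if [ "$src" = ftpd_t ] && [ "$tgt" = ftpd_anon_t ] &&
       [ "$cls" = dir ] && [ "$perm" = write ]; then
        printf 'ftpd_t denied write to ftpd_anon_t dir; label the anonymous upload dir ftpd_anon_rw_t\n'
    else
        printf '%s denied %s on %s labeled %s\n' "$src" "$perm" "$cls" "$tgt"
    fi
}

# fix_upload_dir DIR -> relabel DIR for anonymous upload (hypothetical helper,
# needs root). Prefer a persistent file-context rule so a relabel keeps it.
fix_upload_dir() {
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t ftpd_anon_rw_t "$1(/.*)?" && restorecon -R "$1"
    else
        chcon -t ftpd_anon_rw_t "$1"   # comment 1's fix; lost on the next relabel
    fi
}

explain_avc "$SAMPLE_AVC"
```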



Comment 2 han pingtian 2005-04-27 02:03:43 UTC
Thanks a lot.

Another question: when booting the machine, it reports this information:
.......
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1114592249.835:0): avc:  denied  { search } for  name=1 dev=proc ino=65538 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=dir
audit(1114592249.836:0): avc:  denied  { search } for  name=475 dev=proc ino=31129602 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=dir
audit(1114592249.836:0): avc:  denied  { search } for  name=486 dev=proc ino=31850498 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=dir
audit(1114592249.836:0): avc:  denied  { search } for  name=543 dev=proc ino=35586050 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1114592249.836:0): avc:  denied  { search } for  name=546 dev=proc ino=35782658 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1114592249.837:0): avc:  denied  { search } for  name=559 dev=proc ino=36634626 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1114592249.837:0): avc:  denied  { search } for  name=564 dev=proc ino=36962306 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1114592249.837:0): avc:  denied  { search } for  name=569 dev=proc ino=37289986 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:hotplug_t tclass=dir
audit(1114592249.838:0): avc:  denied  { search } for  name=575 dev=proc ino=37683202 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:hotplug_t tclass=dir
audit(1114592249.862:0): avc:  denied  { search } for  name=576 dev=proc ino=37748738 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:hotplug_t tclass=dir
audit(1114592249.862:0): avc:  denied  { search } for  name=578 dev=proc ino=37879810 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1114592249.862:0): avc:  denied  { search } for  name=595 dev=proc ino=38993922 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:hotplug_t tclass=dir
audit(1114592249.862:0): avc:  denied  { search } for  name=639 dev=proc ino=41877506 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=dir
audit(1114592249.862:0): avc:  denied  { search } for  name=647 dev=proc ino=42401794 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1114592249.862:0): avc:  denied  { search } for  name=649 dev=proc ino=42532866 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:hotplug_t tclass=dir

what's wrong?

Comment 3 Daniel Walsh 2005-04-27 12:02:46 UTC
You're using Rawhide :^)

Update to the latest policy and a lot of these should be fixed.

Kernel_t needs to have unconfined privs.

Dan