Bug 163495

Summary: FTP-server cannot write in user's home directory
Product: [Fedora] Fedora
Reporter: J.Jansen <joukj>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
CC: rvokal
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-07-19 15:20:41 UTC

Description J.Jansen 2005-07-18 12:05:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; OpenVMS Digital_Personal_WorkStation_; en-US; rv:1.7.8) Gecko/20050526

Description of problem:
FTP'ing to a freshly installed FC4 system fails when trying to write in the home directory of the user (writing in a sub-directory is possible).

I do see the problem only on new FC4 installations. Upgrades from FC3 seem to work fine.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install FC4 from scratch
2. enable vsftpd
3. FTP to the machine and logon
4. FTP> put <anyfile>

Actual Results:  Error message : 553 Could not create file.

Expected Results:  File should be transferred

Additional info:

Comment 1 Radek Vokal 2005-07-19 06:11:51 UTC
Do you have selinux turned on? Check `getenforce` and also all vsftpd lines in
/var/log/messages and /var/log/audit/*

Comment 2 J.Jansen 2005-07-19 11:41:09 UTC
Yes selinux is turned on (by default in FC4)

[root@fercelo audit]# /usr/sbin/getenforce

/var/log/messages : <no interesting lines>

/var/log/audit/* :

type=USER_AUTH msg=audit(1121772441.477:3830753): user pid=23695 uid=0 auid=500
msg='PAM authentication: user=joukj exe="/usr/sbin/vsftpd"
(hostname=, addr=, terminal=? result=Success)'
type=USER_ACCT msg=audit(1121772441.477:3830788): user pid=23695 uid=0 auid=500
msg='PAM accounting: user=joukj exe="/usr/sbin/vsftpd"
(hostname=, addr=, terminal=? result=Success)'
type=CRED_ACQ msg=audit(1121772441.477:3830804): user pid=23695 uid=0 auid=500
msg='PAM setcred: user=joukj exe="/usr/sbin/vsftpd" (hostname=,
addr=, terminal=? result=Success)'
type=AVC msg=audit(1121772441.479:3830892): avc:  denied  { search } for 
pid=23699 comm="vsftpd" name="joukj" dev=hda2 ino=5138209
scontext=root:system_r:ftpd_t tcontext=system_u:object_r:file_t tclass=dir
type=SYSCALL msg=audit(1121772441.479:3830892): arch=40000003 syscall=12
success=no exit=-13 a0=418e6818 a1=1f4 a2=4001a524 a3=bff6cd44 items=1 pid=23699
auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121772441.479:3830892):  cwd="/"
type=PATH msg=audit(1121772441.479:3830892): item=0 name="/home/joukj" flags=3 
inode=5138209 dev=03:02 mode=040755 ouid=500 ogid=500 rdev=00:00

Comment 3 Radek Vokal 2005-07-19 11:52:31 UTC
This is a policy issue. You can disable all ftp daemon protection in
system-config-securitylevel -> SELinux or the default targeted policy have to be

Comment 4 J.Jansen 2005-07-19 14:34:28 UTC
Strange that you have to disable all protection while the box "enable read/write
in users home directory" is already selected.

Anyway, it works now.

Comment 6 Daniel Walsh 2005-07-19 15:20:02 UTC
You need to turn on the ftp_home_dir boolean.

man ftpd_selinux
       SELinux ftp daemon policy is customizable based on least access
       required. So by default SELinux does not allow users to login and read
       their home directories.
       If you are setting up this machine as a ftpd server and wish to allow
       users to access their home directories, you need to set the
       ftp_home_dir boolean.

       setsebool -P ftp_home_dir 1
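A triage script for audit records like the ones in comment 2, added here as an example and not part of the bug report: it groups records by serial number, pulls the denied permission, source domain, target type and path out of the AVC/PATH pair, and flags ftpd_t denials under /home as the case the ftp_home_dir boolean governs. The sample records are the report's own, re-joined onto single lines as auditd writes them, plus one constructed httpd_t record to show that unrelated denials are filtered out.

```python
import re

# Sample input: the AVC, SYSCALL, CWD and PATH records from comment 2 (one record per
# line, serial 3830892) plus a constructed httpd_t denial that must not be flagged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1121772441.479:3830892): avc:  denied  { search } for  pid=23699 comm="vsftpd" name="joukj" dev=hda2 ino=5138209 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:file_t tclass=dir
type=SYSCALL msg=audit(1121772441.479:3830892): arch=40000003 syscall=12 success=no exit=-13 a0=418e6818 a1=1f4 a2=4001a524 a3=bff6cd44 items=1 pid=23699 auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121772441.479:3830892):  cwd="/"
type=PATH msg=audit(1121772441.479:3830892): item=0 name="/home/joukj" flags=3 inode=5138209 dev=03:02 mode=040755 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1121772500.000:3830900): avc:  denied  { read } for  pid=1 comm="httpd" name="index.html" dev=hda2 ino=1 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \} for (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Group audit records by serial number: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {}
        if rtype == 'AVC':
            a = AVC_RE.search(body)
            if not a:
                continue
            fields['result'] = a.group(1)
            fields['perms'] = a.group(2).split()   # e.g. ['search']
            body = a.group(3)                      # the key=value tail
        fields.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
        events.setdefault(serial, {})[rtype] = fields
    return events

def ftp_home_denials(text):
    """Return ftpd_t denials on paths under /home, with the boolean that governs them."""
    hits = []
    for serial, recs in parse_audit(text).items():
        avc, path = recs.get('AVC'), recs.get('PATH', {})
        if not avc or avc['result'] != 'denied':
            continue
        source_domain = avc['scontext'].split(':')[2]   # root:system_r:ftpd_t -> ftpd_t
        target_type = avc['tcontext'].split(':')[2]     # the record above shows file_t
        name = path.get('name', '')
        if source_domain == 'ftpd_t' and name.startswith('/home/'):
            hits.append({'serial': serial, 'perms': avc['perms'], 'tclass': avc['tclass'],
                         'target_type': target_type, 'path': name,
                         'fix': 'setsebool -P ftp_home_dir 1'})
    return hits
```

Run it over `/var/log/audit/audit.log` with `ausearch -m avc -c vsftpd` output; the target type is reported alongside the path so that a label other than a home-directory type is visible to whoever applies the boolean.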