Bug 170202

Summary: selinux and vsftpd - inconsistent default settings
Product: [Fedora] Fedora
Reporter: Florin Andrei <florin>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
Hardware: x86_64
OS: Linux
Fixed In Version: 1.27.1-2.6
Doc Type: Bug Fix
Last Closed: 2005-10-18 12:04:07 UTC

Description Florin Andrei 2005-10-08 23:33:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
FC4 on an AMD64 system, pretty much all settings are default. vsftpd and selinux certainly have default settings.
I am trying to accomplish the extremely trivial task of uploading files via FTP to my home directory, a task which works without problems on pretty much any other Linux/Unix system.
On FC4 it fails.

I search the Web for a solution (google for "selinux vsftpd upload"). I see many people having the same problem. I see all of them unsuccessfully trying to fix it, then disabling SELinux altogether. That, per se, is a red flag. Indeed, the most common advice that I've seen is "turn SELinux off, it's only causing problems." Yes, it's wrong advice, but its very existence shows something.

Nevertheless, I must solve the problem without disabling SELinux.

The FTP-related booleans are:
# getsebool -a | grep ftp
allow_ftpd_anon_write --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> inactive
ftpd_is_daemon --> active

vsftpd.conf was not changed, it's the default.

Using audit2allow and audit.log, after many iterations, I end up with the following additions to /etc/selinux/targeted/src/policy/domains/misc/local.te :

allow ftpd_t user_home_dir_t:dir write;
allow ftpd_t user_home_dir_t:dir add_name;
allow ftpd_t user_home_dir_t:file create;
allow ftpd_t bin_t:dir getattr;
allow ftpd_t boot_t:dir getattr;
allow ftpd_t home_root_t:dir read;
allow ftpd_t lost_found_t:dir getattr;
allow ftpd_t mnt_t:dir getattr;
allow ftpd_t sbin_t:dir getattr;
allow ftpd_t security_t:dir getattr;
allow ftpd_t tftpdir_t:dir getattr;
allow ftpd_t user_home_dir_t:file { append getattr };
allow ftpd_t user_home_dir_t:dir create;
allow ftpd_t user_home_dir_t:dir setattr;
allow ftpd_t user_home_dir_t:file setattr;
allow ftpd_t user_home_dir_t:dir remove_name;
allow ftpd_t user_home_dir_t:dir rmdir;

These allow me to upload and delete files and directories in my home dir using lftp and mc.

The problem is, why does SELinux block these things if they're allowed in vsftpd.conf? Why is there no simple way to allow these fundamental operations to take place? This is very misleading and frustrating.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3

How reproducible:
Always

Steps to Reproduce:
1. see above

Actual Results:  SELinux blocks trivial operations such as uploading/deleting files/directories in my home dir.
Moreover, there's no simple way to allow those operations, but instead I have to perform a significant amount of voodoo incantations.
Finally, there's a conflict between the SELinux defaults (blocks those things) and vsftpd.conf (allows those things) which is confusing and frustrating.

Expected Results:  SELinux should allow those operations to take place.
If it blocks them, then there should be a simple way to unblock them (turn something from 0 to 1).
Also, vsftpd.conf and SELinux must have consistent defaults.

Additional info:

When 90% of the users that have problems turn SELinux off in frustration, you know something's not right.
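
The audit2allow loop described above, as an added example that is not part of the bug report or of the SELinux tooling: a small POSIX shell/awk summariser that turns AVC denial lines into merged allow rules of the form listed in the report, deduplicating repeated denials so the rule list stays reviewable. The sample log lines are constructed (modelled on what an upload into a home directory produces, not a real capture), and the parser assumes the classic three-field scontext/tcontext layout of FC4-era logs.

```shell
#!/bin/sh
# Constructed example: a minimal audit2allow-style summariser. It reads AVC
# denial lines (audit.log format) on stdin and prints one "allow" rule per
# source type / target type / object class, merging the permissions, so the
# result of many upload attempts is a short rule list rather than one line
# per iteration. It is not the real audit2allow and assumes the classic
# "scontext=user:role:type" layout (the type is the third colon field).
avc_to_allow() {
    awk '
    /avc: *denied/ {
        b = index($0, "{"); e = index($0, "}")
        perms = substr($0, b + 1, e - b - 1)      # e.g. "write" or "write add_name"
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next  # malformed line, skip it
        key = s " " t ":" c
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++) rule[key] = rule[key] " " p[j]
    }
    END { for (k in rule) printf "allow %s {%s };\n", k, rule[k] }
    ' | sort
}

# Constructed sample denials (not a real log capture): two attempts to write
# into a home directory labelled user_home_dir_t, plus an unrelated SYSCALL
# record that must be ignored.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1128814416.101:2001): avc:  denied  { write } for  pid=2471 comm="vsftpd" name="florin" dev=sda3 ino=393217 scontext=root:system_r:ftpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1128814416.102:2002): avc:  denied  { add_name } for  pid=2471 comm="vsftpd" name="upload.txt" scontext=root:system_r:ftpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1128814416.103:2003): avc:  denied  { create } for  pid=2471 comm="vsftpd" name="upload.txt" scontext=root:system_r:ftpd_t tcontext=user_u:object_r:user_home_dir_t tclass=file
type=AVC msg=audit(1128814416.104:2004): avc:  denied  { write } for  pid=2471 comm="vsftpd" name="florin" dev=sda3 ino=393217 scontext=root:system_r:ftpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1128814416.104:2004): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd"
EOF
}

# On a real system pipe the log instead: grep avc /var/log/audit/audit.log | avc_to_allow
summarise_sample() { sample_avc_log | avc_to_allow; }
summarise_sample
```

Rules derived this way grant exactly what was denied, so review the merged list before loading it; a denial that stems from a mislabelled file is fixed with restorecon rather than with a permanent allow rule.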

Comment 1 Florin Andrei 2005-10-08 23:36:36 UTC
BTW, just before trying to upload files via FTP, I did a "touch /.autorelabel;
reboot" on this system, so the SELinux stuff should have been pristine.

Comment 2 Daniel Walsh 2005-10-17 18:14:18 UTC
Fixed in selinux-policy-*-1.27.1-2.6


Comment 3 Florin Andrei 2005-10-18 00:53:29 UTC
I updated to the indicated selinux-policy version, removed the custom lines in
local.te then did a "make reload" and now I am able to upload/delete entire
directories with files, over FTP, using mc as an FTP client.
The bug appears to be fixed, indeed.
Thanks!