Bug 220085
Summary: | LSPP - vsftpd denies local logins when system is enforcing mls policy | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Klaus Kiwi (Old account no longer used) <klaus> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 5.0 | CC: | dwalsh, ebenes, iboverma, krisw, mbarabas, rvokal, sgrubb |
Target Milestone: | --- | Keywords: | OtherQA, Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | RHBA-2007-0544 | Doc Type: | Bug Fix |
Last Closed: | 2007-11-07 16:37:58 UTC | Type: | --- |
Bug Blocks: | 224041 |
Description
Klaus Kiwi (Old account no longer used)
2006-12-18 20:16:54 UTC
Fixed in selinux-policy-2.4.6-15

Confirmed fix against 1218 refresh - thanks for the quick response! -Klaus

A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.

Please reopen, I can't confirm that this is fixed. I get the following AVC message which seems to indicate that full read/write access is needed by vsftpd:

type=AVC msg=audit(1171086936.240:433): avc: denied { read write } for pid=2220 comm="vsftpd" name="tallylog" dev=dm-2 ino=6146 context=system_u:system_r:ftpd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file

The way I understand pam_tally2 to work is that it seeks to a file position based on the numerical UID and updates the failure information there in place. Unless I'm mistaken, vsftpd will need:

auth_rw_faillog(ftpd_t)

Fixed in selinux-policy-2.4.6-38

Testing still awaiting for .el5 package

Should be on people now. Sorry about that.

seems fixed, you can close the bug

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
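The AVC record quoted in the reopen comment, broken into its fields and turned into the raw type-enforcement rule it corresponds to. This is an added example, not part of the bug report or of selinux-policy; the function names are hypothetical, and the parser accepts the `context=` spelling shown in the report as well as the usual `scontext=`.

```python
import re

# AVC record copied from the reopen comment in this report.
AVC = ('type=AVC msg=audit(1171086936.240:433): avc: denied { read write } '
       'for pid=2220 comm="vsftpd" name="tallylog" dev=dm-2 ino=6146 '
       'context=system_u:system_r:ftpd_t:s0-s15:c0.c1023 '
       'tcontext=system_u:object_r:faillog_t:s0 tclass=file')

def split_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain ':'."""
    user, role, setype, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    # A single-level range such as "s0" has the same low and high level.
    return {"user": user, "role": role, "type": setype,
            "low": low, "high": high or low}

def parse_avc(line):
    """Return the decision, permissions, contexts and class of one AVC line."""
    head = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    src = fields.get("scontext") or fields.get("context")
    if not head or not src or "tcontext" not in fields or "tclass" not in fields:
        raise ValueError("not a complete AVC record")
    return {
        "decision": head.group(1),
        "perms": head.group(2).split(),
        "comm": fields.get("comm", "").strip('"'),
        "name": fields.get("name", "").strip('"'),
        "source": split_context(src),
        "target": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def allow_rule(rec):
    """Raw TE rule matching the denial (what a policy interface would wrap)."""
    return "allow {} {}:{} {{ {} }};".format(
        rec["source"]["type"], rec["target"]["type"],
        rec["tclass"], " ".join(rec["perms"]))

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["comm"], "->", rec["name"], rec["decision"], rec["perms"])
    print("source range:", rec["source"]["low"], "-", rec["source"]["high"])
    print("target range:", rec["target"]["low"], "-", rec["target"]["high"])
    print(allow_rule(rec))
```

The comment in the thread proposes the policy interface `auth_rw_faillog(ftpd_t)` rather than a hand-written rule; the raw rule here only makes the denied access explicit.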