Bug 498375

Summary: Selinux prevents access to /var/run/proftpd.score
Product: [Fedora] Fedora EPEL Reporter: Christian Nolte <ch.nolte>
Component: proftpdAssignee: Paul Howarth <paul>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: el5CC: mastahnke, matthias, paul
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: ActualBug
Fixed In Version: 1.3.2a-5.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-22 22:25:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christian Nolte 2009-04-30 07:44:30 UTC 
This is much rather a selinux problem, but I don't know how the policy for EPEL is to report these problems (should these be reported to RHEL5-selinux?), so I am reporting this here:

The default selinux context for proftd.score is:

system_u:object_r:var_run_t

It must be:

system_u:object_r:ftpd_var_run_t

# rpm -q selinux-policy
selinux-policy-2.4.6-203.el5
Comment 1 Paul Howarth 2009-05-12 06:44:51 UTC 
Try changing ScoreboardFile in your proftpd.conf to
/var/run/proftpd/proftpd.score
Comment 2 Christian Nolte 2009-05-12 09:15:23 UTC 
Yes this works, but a default installation of proftpd does use /var/proftpd/proftpd.scoreboard

If we want to get this to work out-of-the-box (TM) we should either

 - add "ScoreboardFile /var/run/proftpd/proftpd.score" to the default proftpd.conf

or

 - change the selinux context for the default proftpd.conf
Comment 3 Paul Howarth 2009-05-12 09:58:34 UTC 
Fixing the ScoreboardFile config item is the easiest fix since that's something that's already in the config file (pointing to /var/run/proftpd.score).

Fixing the SELinux context would also require a type transition rule adding to policy to ensure that if a new scoreboard file got created, it would have the correct context type.
Comment 4 Paul Howarth 2009-06-26 14:29:20 UTC 
Easiest fix is actually just to remove the ScoreboardFile config item from proftpd.conf altogether; the default value of /var/run/proftpd/proftpd.scoreboard is fine as far as SELinux is concerned.

I'll do this in the next release, which I'm working on now.
Comment 5 Fedora Update System 2009-08-03 15:44:55 UTC 
proftpd-1.3.2a-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-2.el5
Comment 6 Fedora Update System 2009-08-04 02:27:16 UTC 
proftpd-1.3.2a-2.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0175
Comment 7 Fedora Update System 2009-08-19 22:51:52 UTC 
proftpd-1.3.2a-3.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-3.el5
Comment 8 Fedora Update System 2009-08-20 15:00:23 UTC 
proftpd-1.3.2a-3.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0320
Comment 9 Fedora Update System 2009-09-02 11:05:41 UTC 
proftpd-1.3.2a-4.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-4.el5
Comment 10 Fedora Update System 2009-09-02 20:54:16 UTC 
proftpd-1.3.2a-4.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0382
Comment 11 Fedora Update System 2009-09-07 15:12:57 UTC 
proftpd-1.3.2a-5.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-5.el5
Comment 12 Fedora Update System 2009-09-08 22:58:46 UTC 
proftpd-1.3.2a-5.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0397
Comment 13 Fedora Update System 2009-09-22 22:25:17 UTC 
proftpd-1.3.2a-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.