Bug 537428

Summary: SELinux is preventing /usr/sbin/vsftpd "net_raw" access.
Product: [Fedora] Fedora Reporter: James Laska <jlaska>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 12CC: bruno.matos, dougsland, dwalsh, eddie, eparis, gansalmon, gevsantos, hancockrwd, horner, ikke, itamar, james, jturner, kernel-maint, mark, martin.nad89, mgrepl, mike, mishu, prapulla.kumar, psplicha, vchelban, vdanielmo
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:e251eb06beb61ceecfa0ba55aa7e515247ab2dddc09d5b120840485892fcbb44
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 563356 (view as bug list) Environment:
Last Closed: 2010-03-15 14:47:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 540560, 563356    

Description James Laska 2009-11-13 15:51:17 UTC 
Summary:

SELinux is preventing /usr/sbin/vsftpd "net_raw" access.

Detailed Description:

SELinux denied access requested by vsftpd. It is not expected that this access
is required by vsftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vsftpd-2.2.0-5.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   7
First Seen                    Fri 13 Nov 2009 10:44:31 AM EST
Last Seen                     Fri 13 Nov 2009 10:50:32 AM EST
Local ID                      b6fb037c-fdf8-424d-8f62-1fd31803ce8d
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258127432.231:30676): avc:  denied  { net_raw } for  pid=19392 comm="vsftpd" capability=13 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1258127432.231:30676): arch=c000003e syscall=56 success=no exit=-1 a0=40000011 a1=0 a2=7f630eecf84e a3=0 items=0 ppid=0 pid=19392 auid=3633 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,vsftpd,ftpd_t,ftpd_t,capability,net_raw
audit2allow suggests:

#============= ftpd_t ==============
allow ftpd_t self:capability net_raw;
Comment 1 Eric Paris 2009-11-23 18:52:16 UTC 
*** Bug 540560 has been marked as a duplicate of this bug. ***
Comment 2 Eric Paris 2009-11-23 19:01:36 UTC 
Fixed in net-next-2.6 by 

13f18aa05f5abe135f47b6417537ae2b2fedc18c
3f378b684453f2a028eda463ce383370545d9cc9
c84b3268da3b85c9d8a9e504e1001a14ed829e94

This will land in Linus' tree in the 2.6.33 development window.
Comment 3 Daniel Walsh 2009-12-05 23:42:42 UTC 
*** Bug 542002 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Walsh 2009-12-05 23:43:01 UTC 
*** Bug 532180 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2009-12-05 23:43:41 UTC 
*** Bug 544550 has been marked as a duplicate of this bug. ***
Comment 6 Robert Hancock 2010-01-07 01:43:52 UTC 
Is there any workaround currently? This seems to cause FTP clients' connections to get dropped when they try to enter passive mode.
Comment 7 Daniel Walsh 2010-01-07 13:28:08 UTC 
You can add these rules for now using

# grep ftp /var/log/audit/audit.log | audit2allow -M brokenftp
# semodule -i brokenftp.pp
Comment 8 Eric Paris 2010-02-09 23:21:35 UTC 
*** Bug 547339 has been marked as a duplicate of this bug. ***
Comment 9 Miroslav Grepl 2010-02-15 09:51:15 UTC 
*** Bug 565374 has been marked as a duplicate of this bug. ***
Comment 10 Eric Paris 2010-03-15 14:47:21 UTC 
should be fixed in 2.6.32
Comment 11 Michael Cronenworth 2010-05-10 16:11:59 UTC 
(In reply to comment #10)
> should be fixed in 2.6.32    

It's not fixed in .32.

$ uname -a
Linux balthasar 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
$ uptime
 11:10:51 up 11:58,  1 user,  load average: 0.04, 0.06, 0.02
# tail -n1 /var/log/messages
May 10 10:56:46 balthasar setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access . For complete SELinux messages. run sealert -l 62fd1d32-516a-4d86-99df-b835f0c4d34c
Comment 12 Eric Paris 2010-05-10 16:39:19 UTC 
Can you attach the raw audit messages from the denial?  (at the bottom of the sealert output it suggests?)   I'm trying to verify I thought it was in .32 and not .33.....
Comment 13 Eric Paris 2010-05-10 16:43:15 UTC 
So basically I just lied in comment #10.....

$ git tag -l "v2.6*" --contains c84b3268da3b85c9d8a9e504e1001a14ed829e94
v2.6.33
v2.6.33-rc1
v2.6.33-rc2
v2.6.33-rc3
v2.6.33-rc4
v2.6.33-rc5
v2.6.33-rc6
v2.6.33-rc7
v2.6.33-rc8
v2.6.34-rc1
v2.6.34-rc2
v2.6.34-rc3
v2.6.34-rc4
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7

I did not appear in mainline until 2.6.33-rc1.  The first real release was 2.6.33   :(    I'm sorry for lieing.  You can just carry the policy module Dan suggested in comment #7 until you get on .33.