Bug 542119
| Summary: | SELinux is preventing vsftpd (ftpd_t) "getattr" to /media (mnt_t). | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alberto <dexapier> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 12 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:115da3f7d2c33d878755db36b62de6579a80315295b8eaa7e796493039ec5fa8 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-11-30 11:32:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

*** This bug has been marked as a duplicate of bug 538428 ***

Resúmen:

SELinux is preventing vsftpd (ftpd_t) "getattr" to /media (mnt_t).

Descripción Detallada:

[SELinux esta en modo permisivo. Este acceso no fue denegado.]

SELinux denied access requested by vsftpd. The current boolean settings do not allow this access. If you have not setup vsftpd to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Permitiendo Acceso:

One of the following booleans is set incorrectly: allow_ftpd_full_access, ftp_home_dir

Comando para Corregir:

Choose one of the following to allow access:

Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

    # setsebool -P allow_ftpd_full_access 1

Allow ftp to read and write files in the user home directories

    # setsebool -P ftp_home_dir 1

Información Adicional:

    Contexto Fuente               unconfined_u:system_r:ftpd_t:s0
    Contexto Destino              system_u:object_r:mnt_t:s0
    Objetos Destino               /media [ dir ]
    Fuente                        vsftpd
    Dirección de Fuente           /usr/sbin/vsftpd
    Puerto                        <Desconocido>
    Nombre de Equipo              (removed)
    Paquetes RPM Fuentes          vsftpd-2.1.2-1.fc11
    Paquetes RPM Destinos         filesystem-2.4.21-1.fc11
    RPM de Políticas              selinux-policy-3.6.12-62.fc11
    SELinux Activado              True
    Tipo de Política              targeted
    Modo Obediente                Permissive
    Nombre de Plugin              catchall_boolean
    Nombre de Equipo              (removed)
    Plataforma                    Linux (removed) 2.6.29.6-213.fc11.i586 #1 SMP Tue Jul 7 20:45:17 EDT 2009 i686 i686
    Cantidad de Alertas           1
    Visto por Primera Vez         lun 27 jul 2009 01:16:57 CEST
    Visto por Última Vez          lun 27 jul 2009 01:16:57 CEST
    ID Local                      40818633-8059-46fc-81b2-9c3cdb2a28ea
    Números de Línea

Mensajes de Auditoría Crudos

    node=(removed) type=AVC msg=audit(1248650217.480:56): avc: denied { getattr } for pid=4870 comm="vsftpd" path="/media" dev=sda5 ino=265 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir

    node=(removed) type=SYSCALL msg=audit(1248650217.480:56): arch=40000003 syscall=196 success=yes exit=0 a0=164b5f0 a1=164b198 a2=3ebff4 a3=b89cb8 items=0 ppid=1 pid=4870 auid=500 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.12-62.fc11,catchall_boolean,vsftpd,ftpd_t,mnt_t,dir,getattr

audit2allow suggests:

    #============= ftpd_t ==============
    allow ftpd_t mnt_t:dir getattr;