Bug 562796

Summary: SELinux is preventing /usr/sbin/proftpd "search" access to /var/www.
Product: [Fedora] Fedora Reporter: Geova Ramalho dos Santos <gevsantos>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:4dd8ba93772334d8c19a8f1e952603854e07409f8b10dc4d72158d2102d556aa
Fixed In Version: selinux-policy-3.6.32-89.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-20 00:22:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Geova Ramalho dos Santos 2010-02-08 12:35:32 UTC 
Summary:

SELinux is preventing /usr/sbin/proftpd "search" access to /var/www.

Detailed Description:

SELinux denied access to /var/www requested by proftpd. /var/www has a context
used for sharing by a different program. If you would like to share /var/www
from proftpd also, you need to change its file context to public_content_t. If
you did not intend to allow this access, this could signal an intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t public_content_t '/var/www'
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t public_content_t
'/var/www'"

Fix Command:

chcon -t public_content_t '/var/www'

Additional Information:

Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_sys_content_t:s0
Target Objects                /var/www [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           proftpd-1.3.2c-1.fc12
Target RPM Packages           httpd-2.2.14-1.fc12
Policy RPM                    selinux-policy-3.6.32-59.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   public_content
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.9-174.fc12.i686.PAE #1
                              SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
Alert Count                   22
First Seen                    Mon 01 Feb 2010 03:41:18 PM BRST
Last Seen                     Mon 01 Feb 2010 05:31:36 PM BRST
Local ID                      06298108-25e8-40a7-bf5a-d7421488fac4
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1265052696.368:37091): avc:  denied  { search } for  pid=15030 comm="proftpd" name="www" dev=dm-0 ino=40081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1265052696.368:37091): arch=40000003 syscall=195 success=no exit=-13 a0=a10d998 a1=bf9ecfa8 a2=3f6ff4 a3=0 items=0 ppid=14797 pid=15030 auid=48 uid=0 gid=489 euid=0 suid=0 fsuid=0 egid=0 sgid=489 fsgid=0 tty=(none) ses=13 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-59.fc12,public_content,vsftpd,ftpd_t,httpd_sys_content_t,dir,search
audit2allow suggests:

#============= ftpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ftpd_full_access, allow_ftpd_full_access

allow ftpd_t httpd_sys_content_t:dir search;
Comment 1 Daniel Walsh 2010-02-08 20:52:39 UTC 
Were you using webmin to manage ftp server?  Any reason why the ftp server would want to look at apache content?
Comment 2 Daniel Walsh 2010-02-09 21:02:58 UTC 
Miroslav,

Please add

	# webmin seems to cause this.
	apache_search_sys_content(daemon)

To init.te/.
Comment 3 Miroslav Grepl 2010-02-10 12:11:06 UTC 
Fixed in selinux-policy-3.6.32-87.fc12
Comment 4 Fedora Update System 2010-02-11 22:01:55 UTC 
selinux-policy-3.6.32-89.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-89.fc12
Comment 5 Fedora Update System 2010-02-13 00:41:08 UTC 
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1836
Comment 6 Fedora Update System 2010-02-20 00:20:10 UTC 
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.