Bug 926022

Summary: SELinux prevents vsftpd (ftpd_t) access to glusterfs-fuse mount ('fusefs_t') provided by Red Hat Storage (RHS) server
Product: Red Hat Enterprise Linux 6 Reporter: Rejy M Cyriac <rcyriac>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.4CC: dwalsh, lnovich, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-219.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1004656 (view as bug list) Environment:
Last Closed: 2013-11-21 10:21:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1004656    

Description Rejy M Cyriac 2013-03-23 10:07:47 UTC 
Description of problem:


If glusterfs-fuse mount is used for the ftp data directory, the vsftpd process is prevented from accessing the content by SELinux.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
selinux-policy-3.7.19-195.el6_4.3.noarch

How reproducible:


Steps to Reproduce:
1.set up an Red Hat Storage (RHS) server to provide a glusterfs volume, with the data to be provided by the ftp server

2.mount the glusterfs volume on a RHEL 6 system, using glusterfs-fuse mount, under '/var/ftp/' and start vsftpd service

3. The data provided through the glusterfs volume is not accessible over ftp

---------------------------------------------------------------

[root@appserver01 ~]# df -TH /var/ftp/RHS/
Filesystem    Type     Size   Used  Avail Use% Mounted on
RHSvm01:/AppStore
    fuse.glusterfs     387G   813M   386G   1% /var/ftp/RHS

[root@appserver01 ~]# ls -dZ /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/

[root@appserver01 ~]# ls -dZ /var/ftp/RHS/
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0    /var/ftp/RHS/

[root@appserver01 ~]# ls -dZ /var/ftp/RHS/text/
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0    /var/ftp/RHS/text/

[root@appserver01 ~]# ls -dZ /var/ftp/RHS/text/README 
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /var/ftp/RHS/text/README

==============

type=AVC msg=audit(1363985072.884:45108): avc:  denied  { read } for  pid=5859 comm="vsftpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363985072.884:45108): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d28e0 a1=90800 a2=7f4e963d28c0 a3=2 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363985078.364:45109): avc:  denied  { read } for  pid=5859 comm="vsftpd" name="text" dev=fuse ino=11094933297973025225 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363985078.364:45109): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d28e0 a1=90800 a2=7f4e963d28c0 a3=2 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363985083.126:45110): avc:  denied  { read } for  pid=5859 comm="vsftpd" name="README" dev=fuse ino=11388689439636774762 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=SYSCALL msg=audit(1363985083.126:45110): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d2db0 a1=800 a2=7f4e963d2820 a3=11 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)


---------------------------------------------------------------

It is interesting to note that SELinux does not prevent ftpd from entering the directories on the glusterfs volume, but all other access is prevented.

Additional Points:

1) If the 'allow_ftpd_full_access' SELinux boolean is turned on, the access to the glusterfs data is allowed.

2) If the glusterfs volume is mounted over nfs, and the 'allow_ftpd_use_nfs' SELinux boolean is turned on, the access to the glusterfs data is allowed.

I believe that a new SELinux boolean 'allow_ftpd_use_fusefs', with the required allow rules, is desirable, to have this access allowed.
  
Actual results:

vsftpd (ftpd_t) cannot access content stored in a gluster volume, mounted using gluster-fuse (fusefs_t) mount method.

Expected results:

vsftpd (ftpd_t) should be able to access content stored in a gluster volume, mounted using gluster-fuse (fusefs_t) mount method.

Additional info:
Comment 1 Miroslav Grepl 2013-03-25 10:48:15 UTC 
I added fixes to Fedora. Will back port.
Comment 6 Miroslav Grepl 2013-08-06 10:52:34 UTC 
ftpd_use_fusefs boolean has been added.
Comment 9 Miroslav Grepl 2013-10-02 09:48:19 UTC 
Ok, ftpd_use_fusefs updated.
Comment 13 errata-xmlrpc 2013-11-21 10:21:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html