Description of problem:
Setting the SELinux boolean ftp_home_dir to off still allows users to log in to their home directory on a proftpd server.

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux
libselinux-utils-2.1.13-15.fc19.i686
selinux-policy-devel-3.12.1-74.17.fc19.noarch
libselinux-python-2.1.13-15.fc19.i686
selinux-policy-3.12.1-74.17.fc19.noarch
libselinux-2.1.13-15.fc19.i686
selinux-policy-targeted-3.12.1-74.17.fc19.noarch
# rpm -q proftpd
proftpd-1.3.4d-5.fc19.i686

How reproducible:
# getsebool ftp_home_dir
ftp_home_dir --> off
# ftp localhost
Trying ::1...
Connected to localhost (::1).
220 FTP Server ready.
Name (localhost:root): test
331 Password required for test
Password:
230 User test logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||2524|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 test test 4096 Feb 12 18:39 Arbeitsfläche
drwxr-xr-x 3 test test 4096 Feb 12 18:13 Bilder
drwxrwxr-x 5 test test 4096 Jan 20 12:26 Calibre-Bibliothek
drwxr-xr-x 2 test test 4096 Feb 6 17:25 Dokumente
drwxr-xr-x 2 test test 4096 Feb 9 20:13 Downloads
drwxr-xr-x 2 test test 4096 Dec 30 2012 Musik
drwxrwxr-x 7 test test 4096 Nov 1 13:49 NetBeansProjects
drwxr-xr-x 2 test test 4096 Dec 30 2012 Videos
drwxr-xr-x 2 test test 4096 Dec 30 2012 Vorlagen
drwxrwxr-x 2 test test 4096 Jan 6 09:15 dumps
drwxrwxr-x 3 test test 4096 Dec 31 2012 mnt
drwxrwxr-x 2 test test 4096 Feb 10 20:39 muell
drwx------ 2 test test 4096 Dec 30 12:35 smb4k
-rw------- 1 test test 718740 Feb 16 18:18 unison.log
drwxr-xr-x 2 test test 4096 Jan 22 16:26 Öffentlich
226 Transfer complete
ftp> bye
#

Steps to Reproduce:
1. Set ftp_home_dir to off, if it isn't off already.
2. Try to connect to the home dir as a user.

Actual results:
User login to the ftp server is possible.

Expected results:
No user login to the ftp server is possible.
Hi, do you have some other boolean related to ftp turned on?
Hello, no other booleans related to ftp are set to on:
# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
I'm confused right now. I checked your report again and I think you want to prevent users from logging into your ftp server? Because the ftp_home_dir boolean is used to allow reading/writing files in home dirs.
Hello, yes you are right, the FTP server should act only as anonymous.

First: preventing user FTP login can be managed in the configuration file of the proftpd server. I know this. BUT: preventing user FTP login by the SELinux boolean ftp_home_dir is an additional security feature. So I tested this. BTW: I am testing several features with every Fedora distribution ;-)

The behavior of the SELinux boolean ftp_home_dir DIFFERS between the old distribution F18 (F17, F16, ...) and distribution F19, as shown below. User FTP login is possible on F19, but was NOT possible on F18 and earlier with ftp_home_dir OFF! Because the old Fedora 18 is on a partition at the host, I can show you the difference, so take a look:

***** ProFTP running with old Fedora 18 at host pegasus *****
[root@pegasus ~]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off

* Try to connect to the F18 server pegasus from client orion, login FAILED:
[root@orion ~]# ftp pegasus
Connected to pegasus (192.168.185.24).
220 FTP Server ready.
Name (pegasus:root): test
331 Password required for test
Password:
530 Login incorrect.
Login failed.
421 Service not available, remote server has closed connection
ftp> ls
Not connected.
ftp> bye

* Now, setting the SELinux boolean on at the Fedora 18 server:
[root@pegasus ~]# setsebool ftp_home_dir on

* Try to connect to the F18 server from client orion, login ok, but this I believe is normal:
[root@orion ~]# ftp pegasus
Connected to pegasus (192.168.185.24).
220 FTP Server ready.
Name (pegasus:root): test
331 Password required for test
Password:
230 User test logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.

***** AND NOW ProFTP running with Fedora 19 at host pegasus. WATCH THE DIFFERENT BEHAVIOR! *****
[root@pegasus ~]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off

* Try to connect to the F19 server pegasus from client orion, login POSSIBLE (F18 WAS NOT!):
[root@orion ~]# ftp pegasus
Connected to pegasus (192.168.185.24).
220 FTP Server ready.
Name (pegasus:root): test
331 Password required for test
Password:
230 User test logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,185,24,237,115).
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 test test 4096 Feb 12 18:39 Arbeitsfläche
drwxr-xr-x 3 test test 4096 Feb 12 18:13 Bilder
drwxrwxr-x 5 test test 4096 Mar 13 17:13 Calibre-Bibliothek
drwxr-xr-x 2 test test 4096 Mar 14 17:35 Dokumente
drwxr-xr-x 2 test test 4096 Mar 12 20:05 Downloads
drwxr-xr-x 2 test test 4096 Dec 30 2012 Musik
drwxrwxr-x 7 test test 4096 Nov 1 13:49 NetBeansProjects
drwxr-xr-x 2 test test 4096 Dec 30 2012 Videos
drwxr-xr-x 2 test test 4096 Dec 30 2012 Vorlagen
drwxrwxr-x 2 test test 4096 Jan 6 09:15 dumps
-rw-r--r-- 1 test test 11273585 Feb 17 10:06 kompozer-0.8b3.de.gcc4.2-i686.tar.gz
drwxrwxr-x 3 test test 4096 Dec 31 2012 mnt
drwxrwxr-x 2 test test 4096 Feb 10 20:39 muell
drwx------ 2 test test 4096 Dec 30 12:35 smb4k
-rw------- 1 test test 759306 Mar 11 18:36 unison.log
drwxr-xr-x 2 test test 4096 Jan 22 16:26 Öffentlich
226 Transfer complete
ftp> bye
221 Goodbye.

* Setting the SELinux boolean on at the Fedora 19 server pegasus:
[root@pegasus ~]# setsebool ftp_home_dir on

* Try to connect to the F19 server from client orion, login ok, but this I believe is normal:
[root@orion ~]# ftp pegasus
Connected to pegasus (192.168.185.24).
220 FTP Server ready.
Name (pegasus:root): test
331 Password required for test
Password:
230 User test logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.

So WHY does the ftp_home_dir boolean NOT PREVENT user FTP login anymore on Fedora 19?
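The thread above compares `getsebool -a | grep ftp` output on two hosts by eye. The script below is an added example, not part of the bug report or of the selinux-policy package: it audits that output against an expected baseline for an anonymous-only FTP service, reporting any ftp-related boolean that is not in the state the administrator intended. The input `SAMPLE_GETSEBOOL` is constructed to mimic the `name --> on|off` format that `getsebool -a` prints (with one boolean deliberately flipped on), and `BASELINE` is an assumed policy for this example, not a list mandated by Fedora.

```shell
#!/bin/sh
# Added example (not from the bug report): audit ftp-related SELinux booleans
# against an expected baseline. Real input would come from `getsebool -a`;
# SAMPLE_GETSEBOOL is a constructed stand-in in the same format, with
# ftpd_full_access set to on so the audit has something to report.
SAMPLE_GETSEBOOL='ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_full_access --> on
ftpd_use_nfs --> off
httpd_enable_ftp_server --> off
tftp_home_dir --> off'

# Assumed baseline for an anonymous-only FTP service: every boolean that
# widens what the ftp daemon may read or write should be off. Note that
# ftp_home_dir controls access to home directories, not whether a user
# may authenticate (see the maintainer's comment above).
BASELINE='ftp_home_dir off
ftpd_anon_write off
ftpd_full_access off
ftpd_use_nfs off
httpd_enable_ftp_server off
tftp_home_dir off'

# bool_state NAME GETSEBOOL_OUTPUT
# Prints "on" or "off" for NAME, or "missing" if the boolean is absent
# (for example on a policy version that does not define it).
bool_state() {
    state=$(printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }')
    printf '%s' "${state:-missing}"
}

# audit_booleans GETSEBOOL_OUTPUT
# Prints one "name expected=X actual=Y" line per baseline deviation.
audit_booleans() {
    printf '%s\n' "$BASELINE" | while read -r name want; do
        have=$(bool_state "$name" "$1")
        [ "$have" = "$want" ] || printf '%s expected=%s actual=%s\n' "$name" "$want" "$have"
    done
}

# booleans_ok GETSEBOOL_OUTPUT
# Returns 0 when every baseline boolean matches, 1 otherwise.
booleans_ok() {
    [ -z "$(audit_booleans "$1")" ]
}

# Stand-alone usage: on a real host replace the sample with `getsebool -a`.
if booleans_ok "$SAMPLE_GETSEBOOL"; then
    echo "all ftp booleans match baseline"
else
    echo "deviations found:"
    audit_booleans "$SAMPLE_GETSEBOOL"
fi
```

On a live system the same functions would be fed `"$(getsebool -a)"` instead of the sample; a boolean reported as `missing` is worth noting because, as this bug shows, a policy version can change what a boolean name actually enforces.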
commit 128c9a6716713e7bcebb2735a15f15da964770b0
Author: Lukas Vrabec <lvrabec>
Date:   Thu Mar 20 14:59:59 2014 +0100

    Fixed ftp_home_dir boolean
selinux-policy-3.12.1-74.23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.23.fc19
Package selinux-policy-3.12.1-74.23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.23.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4216/selinux-policy-3.12.1-74.23.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.