Description of problem:

Jun 13 11:28:09 pc1-ftp.nhsrx.com systemd[1]: Starting ProFTPD FTP Server...
-- Subject: Unit proftpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit proftpd.service has begun starting up.
Jun 13 11:28:09 pc1-ftp.nhsrx.com audit[1926]: AVC avc: denied { open } for pid=1926 comm="proftpd" path="/var/log/proftpd.log" dev="sda3" ino=3802789 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jun 13 11:28:09 pc1-ftp.nhsrx.com proftpd[1926]: 2016-06-13 11:28:09,283 pc1-ftp.nhsrx.com proftpd[1926] 172.17.100.53: unable to open SystemLog '/var/log/proftpd.log': Permission denied
Jun 13 11:28:09 pc1-ftp.nhsrx.com systemd[1]: proftpd.service: Control process exited, code=exited status=1
Jun 13 11:28:09 pc1-ftp.nhsrx.com systemd[1]: Failed to start ProFTPD FTP Server.
-- Subject: Unit proftpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit proftpd.service has failed.
--
-- The result is failed.
Jun 13 11:28:09 pc1-ftp.nhsrx.com systemd[1]: proftpd.service: Unit entered failed state.

Version-Release number of selected component (if applicable):
proftpd-1.3.5b-2.fc23.x86_64
selinux-policy-3.13.1-158.15.fc23.noarch

How reproducible:
Always

Steps to Reproduce:
1. systemctl start proftpd
2.
3.

Actual results:
Proftpd does not start.

Expected results:
Proftpd starts.

Additional info:
restorecon -v /var/log/proftpd.log

ls -Z /var/log/proftpd.log
system_u:object_r:var_log_t:s0 /var/log/proftpd.log

ls -l /var/log/proftpd.log
-rw-r-----. 1 root root 177540350 Jun 13 09:52 /var/log/proftpd.log
Hi, Could you attach AVCs? (/var/log/audit/audit.log)
The AVC is provided in the original report. The only required access is {open}. Here is my custom module:

module my-proftpd 1.0;

require {
        type ftpd_t;
        type var_log_t;
        class file open;
}

allow ftpd_t var_log_t:file open;
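How the AVC record in the original report maps to the rule in the module above, as an added example (not part of the comment and not code from selinux-policy or audit2allow). The helper names parse_avc, allow_rule and was_enforced are hypothetical, and the code goes slightly beyond this case by also handling denials that list several permissions.

```python
import re

# AVC record copied from the original report in this bug.
AVC = ('avc: denied { open } for pid=1926 comm="proftpd" '
       'path="/var/log/proftpd.log" dev="sda3" ino=3802789 '
       'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if no denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is the third field.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def allow_rule(avc):
    """Build the type-enforcement rule that would permit the denied access."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        avc['source_type'], avc['target_type'], avc['tclass'], perm_text)


def was_enforced(avc):
    """permissive=0 means the access was blocked, not merely logged."""
    return avc.get('permissive') == '0'


if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(allow_rule(avc))
    print('target:', avc['path'], 'blocked:', was_enforced(avc))
```

The derived rule applies to every file labelled var_log_t, not only to the path in the denial; a later comment in this report refers instead to the xferlog_t label on the specific log files.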
selinux-policy-3.13.1-158.20.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4c9c2badcb
With the way you fixed this you will have to also include another log file with the xferlog_t label:

/var/log/proftpd-xfer.log

Then this issue is completely fixed.
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7bed6e7c72
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.