1392525 – SELinux prevents ftpdctl from unlinking its socket

Bug 1392525 - SELinux prevents ftpdctl from unlinking its socket

Summary: SELinux prevents ftpdctl from unlinking its socket

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.9
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-07 16:46 UTC by Milos Malik
Modified:	2017-03-21 09:49 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.7.19-301.el6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1395156 (view as bug list)
Environment:
Last Closed:	2017-03-21 09:49:17 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:0627	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-03-21 12:29:23 UTC

Description Milos Malik 2016-11-07 16:46:27 UTC

Description of problem:

Version-Release number of selected component (if applicable):
proftpd-1.3.3g-10.el6.x86_64
selinux-policy-3.7.19-299.el6.noarch
selinux-policy-doc-3.7.19-299.el6.noarch
selinux-policy-minimum-3.7.19-299.el6.noarch
selinux-policy-mls-3.7.19-299.el6.noarch
selinux-policy-targeted-3.7.19-299.el6.noarch

How reproducible:
* always

Steps to Reproduce:
0. get a RHEL-6.8 machine (targeted policy is active)
# service proftpd stop
Shutting down proftpd:                                     [  OK  ]
# ftpdctl -v
ftpdctl: contacting server using '/var/run/proftpd/proftpd.sock'
ftpdctl: error contacting server using '/var/run/proftpd/proftpd.sock': Permission denied
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent

Actual results:
----
type=PATH msg=audit(11/07/2016 17:08:36.490:743) : item=1 name=/tmp/ftp.cl263788 inode=248769 dev=fc:03 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:ftpdctl_tmp_t:s0 nametype=DELETE 
type=PATH msg=audit(11/07/2016 17:08:36.490:743) : item=0 name=/tmp/ inode=131075 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT 
type=CWD msg=audit(11/07/2016 17:08:36.490:743) :  cwd=/root 
type=SYSCALL msg=audit(11/07/2016 17:08:36.490:743) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7fffd6029152 a1=0x7fffd60290e0 a2=0x6f a3=0x7fffd6028e50 items=2 ppid=25833 pid=263788 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=19 comm=ftpdctl exe=/usr/bin/ftpdctl subj=unconfined_u:unconfined_r:ftpdctl_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/07/2016 17:08:36.490:743) : avc:  denied  { unlink } for  pid=263788 comm=ftpdctl name=ftp.cl263788 dev=vda3 ino=248769 scontext=unconfined_u:unconfined_r:ftpdctl_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ftpdctl_tmp_t:s0 tclass=sock_file 
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2016-11-07 16:50:50 UTC

Caught in permissive mode:
----
type=PATH msg=audit(11/07/2016 17:48:47.556:907) : item=1 name=/tmp/ftp.cl280603 inode=248776 dev=fc:03 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:ftpdctl_tmp_t:s0 nametype=DELETE 
type=PATH msg=audit(11/07/2016 17:48:47.556:907) : item=0 name=/tmp/ inode=131075 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT 
type=CWD msg=audit(11/07/2016 17:48:47.556:907) :  cwd=/root 
type=SYSCALL msg=audit(11/07/2016 17:48:47.556:907) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7fff03d3a592 a1=0x7fff03d3a520 a2=0x6f a3=0x7fff03d3a290 items=2 ppid=262706 pid=280603 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=91 comm=ftpdctl exe=/usr/bin/ftpdctl subj=unconfined_u:unconfined_r:ftpdctl_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/07/2016 17:48:47.556:907) : avc:  denied  { unlink } for  pid=280603 comm=ftpdctl name=ftp.cl280603 dev=vda3 ino=248776 scontext=unconfined_u:unconfined_r:ftpdctl_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ftpdctl_tmp_t:s0 tclass=sock_file 
----

# ftpdctl -v
ftpdctl: contacting server using '/var/run/proftpd/proftpd.sock'
ftpdctl: error contacting server using '/var/run/proftpd/proftpd.sock': Connection refused
#

Comment 8 errata-xmlrpc 2017-03-21 09:49:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html

Note You need to log in before you can comment on or make changes to this bug.