Bug 1395156 - SELinux prevents proftpd from unlinking its socket
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2016-11-15 09:58 UTC by Milos Malik
Modified: 2017-10-12 12:21 UTC
Clone Of: 1392525
Last Closed: 2017-10-12 12:17:55 UTC

Description Milos Malik 2016-11-15 09:58:43 UTC
+++ This bug was initially created as a clone of Bug #1392525 +++

Description of problem:

Version-Release number of selected component (if applicable):
proftpd-1.3.5b-2.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-mls-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch

How reproducible:
* always

Steps to Reproduce:
0. get a RHEL-7.3 machine (targeted policy is active)
# service proftpd stop
Redirecting to /bin/systemctl stop  proftpd.service
# ftpdctl -v
ftpdctl: contacting server using '/run/proftpd/proftpd.sock'
ftpdctl: error contacting server using '/run/proftpd/proftpd.sock': Connection refused
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent

Actual results:
----
time->Tue Nov 15 04:53:05 2016
type=PATH msg=audit(1479203585.985:281): item=1 name="/tmp/ftp.cl05281" inode=16498 dev=fd:01 mode=0140700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE
type=PATH msg=audit(1479203585.985:281): item=0 name="/tmp/" inode=22 dev=fd:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(1479203585.985:281):  cwd="/"
type=SYSCALL msg=audit(1479203585.985:281): arch=c000003e syscall=87 success=no exit=-13 a0=7ffe6d2a60e2 a1=5 a2=0 a3=8 items=2 ppid=1 pid=5072 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=99 fsgid=0 tty=(none) ses=4294967295 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1479203585.985:281): avc:  denied  { unlink } for  pid=5072 comm="proftpd" name="ftp.cl05281" dev="dm-1" ino=16498 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file
----
Expected results:
* no SELinux denials

Comment 1 Lukas Vrabec 2016-11-16 09:15:25 UTC
We need to figure out how ftp.cl05281 sock_file is created with user_tmp_t label.

Comment 4 Lukas Vrabec 2017-10-12 12:17:55 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module.
For more information please see:

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 5 Lukas Vrabec 2017-10-12 12:21:06 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module.
For more information please see:

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
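The closing comments point to a local policy module as the way to resolve this. The following Python is an added example, not code from the bug report or from proftpd: it parses the AVC record quoted in the description (ftpd_t denied unlink on a sock_file labeled user_tmp_t) and emits the minimal audit2allow-style .te source that permits exactly that one operation; the module name and the SAMPLE_AVC constant are constructed here. Note that this only widens the policy; Comment 1 asks why the socket carries user_tmp_t in the first place, and correcting that label would avoid the rule altogether.

```python
import re

# Constructed sample: the AVC record quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1479203585.985:281): avc:  denied  { unlink } for  '
    'pid=5072 comm="proftpd" name="ftp.cl05281" dev="dm-1" ino=16498 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file'
)

# Fields of an AVC denial that a type-enforcement rule needs: the permissions
# in braces, the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), tuple(m.group('perms').split())


def local_module(name, denials):
    """Build the minimal .te source audit2allow would produce for these denials."""
    rules = {}      # (stype, ttype, tclass) -> set of permissions
    classes = {}    # tclass -> set of permissions, for the require block
    for line in denials:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
        classes.setdefault(tclass, set()).update(perms)
    types = sorted({t for key in rules for t in key[:2]})
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(local_module('proftpdsock', [SAMPLE_AVC]))
```

The printed source is compiled and loaded the usual way: `checkmodule -M -m -o proftpdsock.mod proftpdsock.te`, `semodule_package -o proftpdsock.pp -m proftpdsock.mod`, then `semodule -i proftpdsock.pp`.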