Bug 163479 - Anonymous write acces failing
Summary: Anonymous write acces failing
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-07-18 04:32 UTC by Gabriel Schulhof
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-18 14:17:00 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Gabriel Schulhof 2005-07-18 04:32:09 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
# ls -lZd /var/ftp /var/ftp/*
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/FC3-PPC
drwxrwxrwt  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/incoming
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/RH8.0

# cat /etc/vsftpd/vsftpd.conf | grep -v '#'
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=go-nix.ca FTP:

pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

When I try uploading a file anonymously into /incoming, it fails. /var/log/audit.log says:
type=AVC msg=audit(1121660610.998:11719667): avc:  denied  { write } for  pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1121660610.998:11719667): arch=40000003 syscall=5 success=no exit=-13 a0=89bcf98 a1=84c1 a2=1b6 a3=84c1 items=1 pid=8749 auid=4294967295 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121660610.998:11719667):  cwd="/incoming"
type=PATH msg=audit(1121660610.998:11719667): item=0 name="xorg.log" flags=310  inode=2256658 dev=03:01 mode=041777 ouid=0 ogid=0 rdev=00:00

Strangely, after using audit2allow to establish the following rule
allow ftpd_t ftpd_anon_t:dir write;
and adding it to /etc/selinux/targeted/src/policy/domains/misc/local.te
I ran make install from /etc/selinux/targeted/src/policy, and afterwards I still got the same error in audit.log.

No, xorg.log is not already present in /var/ftp/incoming :o)

So, how am I supposed to get anonymous uploading to work ?

Version-Release number of selected component (if applicable):
vsftpd-2.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Reproduce the above setup
2. Attempt to anonymously upload a file
  

Actual Results:  Failed to upload the file.

Expected Results:  The file should have been successfully uploaded.

Additional info:
Comment 1 Radek Vokál 2005-07-18 09:20:09 UTC 
True, but audit2allow should resolve your issue. This works for me

# cat /etc/selinux/targeted/src/policy/domains/misc/local.te
allow ftpd_t ftpd_anon_t:dir write;
allow ftpd_t ftpd_anon_t:dir add_name;
allow ftpd_t ftpd_anon_t:file create;
.. and `make load` in /etc/selinux/targeted/src/ 

Anyway, those rules should be added to targeted policy. Reassigning ..
Comment 2 Daniel Walsh 2005-07-18 14:17:00 UTC 
The proper way to do this is to change the file context of the directory

chcon -t ftpd_anon_rw_t incoming

man ftpd_selinux
...
      If you want to setup a directory where you can upload files to you must
       label  the  files  and directories ftpd_anon_rw_t.  So if you created a
       special directory /var/ftp/incoming, you
              would need to label the directory with the chcon tool.

       chcon -t ftpd_anon_rw_t /var/ftp/incoming
Note You need to log in before you can comment on or make changes to this bug.