Bug 163479 - Anonymous write acces failing
Anonymous write acces failing
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-07-18 00:32 EDT by Gabriel Schulhof
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-18 10:17:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gabriel Schulhof 2005-07-18 00:32:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
# ls -lZd /var/ftp /var/ftp/*
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/FC3-PPC
drwxrwxrwt  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/incoming
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/RH8.0

# cat /etc/vsftpd/vsftpd.conf | grep -v '#'
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=go-nix.ca FTP:

pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

When I try uploading a file anonymously into /incoming, it fails. /var/log/audit.log says:
type=AVC msg=audit(1121660610.998:11719667): avc:  denied  { write } for  pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1121660610.998:11719667): arch=40000003 syscall=5 success=no exit=-13 a0=89bcf98 a1=84c1 a2=1b6 a3=84c1 items=1 pid=8749 auid=4294967295 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121660610.998:11719667):  cwd="/incoming"
type=PATH msg=audit(1121660610.998:11719667): item=0 name="xorg.log" flags=310  inode=2256658 dev=03:01 mode=041777 ouid=0 ogid=0 rdev=00:00

Strangely, after using audit2allow to establish the following rule
allow ftpd_t ftpd_anon_t:dir write;
and adding it to /etc/selinux/targeted/src/policy/domains/misc/local.te
I ran make install from /etc/selinux/targeted/src/policy, and afterwards I still got the same error in audit.log.

No, xorg.log is not already present in /var/ftp/incoming :o)

So, how am I supposed to get anonymous uploading to work ?

Version-Release number of selected component (if applicable):
vsftpd-2.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Reproduce the above setup
2. Attempt to anonymously upload a file
  

Actual Results:  Failed to upload the file.

Expected Results:  The file should have been successfully uploaded.

Additional info:
Comment 1 Radek Vokal 2005-07-18 05:20:09 EDT
True, but audit2allow should resolve your issue. This works for me

# cat /etc/selinux/targeted/src/policy/domains/misc/local.te
allow ftpd_t ftpd_anon_t:dir write;
allow ftpd_t ftpd_anon_t:dir add_name;
allow ftpd_t ftpd_anon_t:file create;
.. and `make load` in /etc/selinux/targeted/src/ 

Anyway, those rules should be added to targeted policy. Reassigning .. 
Comment 2 Daniel Walsh 2005-07-18 10:17:00 EDT
The proper way to do this is to change the file context of the directory

chcon -t ftpd_anon_rw_t incoming

man ftpd_selinux
...
      If you want to setup a directory where you can upload files to you must
       label  the  files  and directories ftpd_anon_rw_t.  So if you created a
       special directory /var/ftp/incoming, you
              would need to label the directory with the chcon tool.

       chcon -t ftpd_anon_rw_t /var/ftp/incoming


Note You need to log in before you can comment on or make changes to this bug.