From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:

# ls -lZd /var/ftp /var/ftp/*
drwxr-xr-x  root root system_u:object_r:ftpd_anon_t    /var/ftp
drwxr-xr-x  root root system_u:object_r:ftpd_anon_t    /var/ftp/FC3-PPC
drwxrwxrwt  root root system_u:object_r:ftpd_anon_t    /var/ftp/incoming
drwxr-xr-x  root root system_u:object_r:ftpd_anon_t    /var/ftp/RH8.0

# cat /etc/vsftpd/vsftpd.conf | grep -v '#'
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=go-nix.ca FTP:
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

When I try uploading a file anonymously into /incoming, it fails. /var/log/audit.log says:

type=AVC msg=audit(1121660610.998:11719667): avc: denied { write } for pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1121660610.998:11719667): arch=40000003 syscall=5 success=no exit=-13 a0=89bcf98 a1=84c1 a2=1b6 a3=84c1 items=1 pid=8749 auid=4294967295 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121660610.998:11719667): cwd="/incoming"
type=PATH msg=audit(1121660610.998:11719667): item=0 name="xorg.log" flags=310 inode=2256658 dev=03:01 mode=041777 ouid=0 ogid=0 rdev=00:00

Strangely, after using audit2allow to establish the following rule

allow ftpd_t ftpd_anon_t:dir write;

and adding it to /etc/selinux/targeted/src/policy/domains/misc/local.te, I ran make install from /etc/selinux/targeted/src/policy, and afterwards I still got the same error in audit.log.

No, xorg.log is not already present in /var/ftp/incoming :o)

So, how am I supposed to get anonymous uploading to work?
Version-Release number of selected component (if applicable):
vsftpd-2.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Reproduce the above setup
2. Attempt to anonymously upload a file

Actual Results: Failed to upload the file.

Expected Results: The file should have been successfully uploaded.

Additional info:
True, but audit2allow should resolve your issue. This works for me:

# cat /etc/selinux/targeted/src/policy/domains/misc/local.te
allow ftpd_t ftpd_anon_t:dir write;
allow ftpd_t ftpd_anon_t:dir add_name;
allow ftpd_t ftpd_anon_t:file create;

.. and `make load` in /etc/selinux/targeted/src/

Anyway, those rules should be added to targeted policy. Reassigning ..
The proper way to do this is to change the file context of the directory:

chcon -t ftpd_anon_rw_t incoming

man ftpd_selinux
...
If you want to set up a directory where you can upload files to, you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.

chcon -t ftpd_anon_rw_t /var/ftp/incoming
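Added example, not from the report or any of the commenters: a POSIX shell triage script that parses the AVC record quoted above, recognises the ftpd_t-writes-to-ftpd_anon_t directory denial, and prints the relabel fix from the last comment rather than an audit2allow rule. The semanage/restorecon line is an assumption about systems where policycoreutils provides semanage; the sample record is constructed from the one in the report.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in this report, reduced to one line.
AVC_SAMPLE='type=AVC msg=audit(1121660610.998:11719667): avc: denied { write } for pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir'

# Print the value of KEY=value from an audit record, with surrounding quotes removed.
# A leading space is prepended so the first key of the record also matches.
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Extract the type component of a user:role:type[:level] SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# True when the denial is the case in this report: the ftpd_t domain writing to
# a directory that still carries the read-only ftpd_anon_t label.
is_anon_upload_denial() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = ftpd_t ] &&
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = ftpd_anon_t ] &&
    [ "$(avc_field "$1" tclass)" = dir ]
}

# The remediation the last comment gives: relabel the upload directory instead of
# adding an allow rule for ftpd_anon_t. The first line takes effect immediately;
# the second survives a restorecon (assumes semanage from policycoreutils exists).
suggest_fix() {
    printf 'chcon -t ftpd_anon_rw_t %s\n' "$1"
    printf 'semanage fcontext -a -t ftpd_anon_rw_t "%s(/.*)?" && restorecon -Rv %s\n' "$1" "$1"
}

# Stand-alone run: triage the sample record.
if is_anon_upload_denial "$AVC_SAMPLE"; then
    echo "ftpd_t denied $(avc_perms "$AVC_SAMPLE") on $(avc_field "$AVC_SAMPLE" name) (ftpd_anon_t): relabel, do not allow"
    suggest_fix "/var/ftp/$(avc_field "$AVC_SAMPLE" name)"
fi
```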