Bug 2218784 - SELinux prevents vsftpd from accessing a symlink
Summary: SELinux prevents vsftpd from accessing a symlink
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.8
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-30 06:53 UTC by masanari iida
Modified: 2023-07-11 10:42 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-06 06:17:29 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
- Red Hat Issue Tracker RHELPLAN-161266 (last updated 2023-06-30 06:55:00 UTC)
- Red Hat Knowledge Base (Solution) 7023201 (last updated 2023-07-05 04:54:37 UTC)

Description masanari iida 2023-06-30 06:53:17 UTC
Description of problem:
vsftpd is used as the FTP server.
SELinux is in Enforcing mode.
A user logged in to the FTP server cannot see a symlink in the user's home directory.
SELinux prevents vsftpd from accessing the symlink.

Version-Release number of selected component (if applicable):
vsftpd-3.0.3-32.el8.x86_64
selinux-policy-targeted-3.14.3-4.el8.x86_64
selinux-policy-3.14.3-4.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Install RHEL8, create a user "test01"
2.  In /home/test01 create a directory and its link
    $ mkdir testdir
    $ ln -s testdir testdir-link
3.  Enable vsftpd server 
    # systemctl start vsftpd
4.  Make sure SELinux is in enforcing mode.
    # getenforce
    enforcing

5.  Log in to the FTP server and list the directory.

# ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.3)
Name (localhost:root): test01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,50,180).
150 Here comes the directory listing.
drwxrwxr-x    2 1004     1004            6 Jun 30 06:40 testdir


Actual results:
Only the directory is shown.

Expected results:
Both directory and symbolic link are shown.

ftp> ls
227 Entering Passive Mode (127,0,0,1,50,180).
150 Here comes the directory listing.
drwxrwxr-x    2 1004     1004            6 Jun 30 06:40 testdir
lrwxrwxrwx    1 1004     1004            7 Jun 30 06:40 testdir-link -> testdir


Additional info:
The following steps allow vsftpd to access the symlink.

# grep vsftpd /var/log/audit/audit.log | audit2allow -M vsftpd_read_symlink
# semodule -i vsftpd_read_symlink.pp
#
# semodule -l | grep vsftpd
vsftpd_read_symlink


Workaround:
Set SELinux permissive or disabled.

Additional information
type=AVC msg=audit(1688103130.947:286): avc: denied { getattr } for pid=2523 comm="vsftpd" path="/home/test01/testdir-link" dev="dm-0" ino=17978811 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0

Comment 1 Milos Malik 2023-06-30 09:46:02 UTC
Currently, the access is allowed only if the ftpd_full_access boolean is enabled:

# sesearch -s ftpd_t -t user_home_t -c lnk_file -p read -A
allow ftpd_t non_security_file_type:lnk_file { append create getattr ioctl link lock read rename setattr unlink write }; [ ftpd_full_access ]:True
#

The following command enables the boolean:

# setsebool ftpd_full_access on

Comment 2 masanari iida 2023-06-30 12:22:00 UTC
Thanks for your advice.
I tested the command "setsebool ftpd_full_access on" and it surely fixes my problem.

Would it be possible to create a KB?
If you are not the right person to ask, I would discuss with Christian Horn 
(Red Hat TAM for HPE-Japan) on Monday. 

Regards,
Masanari Iida

Comment 3 Christian Horn 2023-07-05 04:54:37 UTC
Hello team,

(following the rhn-accounts of a few users, so I became aware of this bz),
do you think https://access.redhat.com/solutions/7023201
reflects the issue properly?

Best regards,
Christian

Comment 4 Shane Seymour 2023-07-05 06:03:05 UTC
(In reply to Christian Horn from comment #3)
> do you think https://access.redhat.com/solutions/7023201
> reflects the issue properly?

I think it does.

Comment 5 masanari iida 2023-07-05 06:10:37 UTC
Would you mind adding the expected output to the KB?

ftp> ls
227 Entering Passive Mode (127,0,0,1,50,180).
150 Here comes the directory listing.
drwxrwxr-x    2 1004     1004            6 Jun 30 06:40 testdir
lrwxrwxrwx    1 1004     1004            7 Jun 30 06:40 testdir-link -> testdir

And a list of booleans in the RHEL manual page.
I could find one example in the RHEL7 manual, but not in the RHEL8 one.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-file_transfer_protocol-booleans

Comment 6 Christian Horn 2023-07-05 09:10:14 UTC
(In reply to masanari iida from comment #5)
> [..]
> And list of booleans in RHEL manual page.

Good input, modified.

> I could find one example on RHEL7 manual, but not on RHEL8.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/selinux_users_and_administrators_guide/sect-managing_confined_services-
> file_transfer_protocol-booleans

Providing the search method, like
  semanage boolean -l|grep ftp
is more generic, and then shows results for the very minor release that is installed.
The product docs can only show the output for one release, which should be the latest minor release.

Comment 7 masanari iida 2023-07-06 04:58:08 UTC
I have confirmed following two are modified.
(1) Add an expected output.
(2) Add "semanage boolean -l|grep ftp" output.

Now the KB looks OK to me.
Thank you

Comment 8 Christian Horn 2023-07-06 06:17:29 UTC
Thank you for the review and input!

Comment 9 Christian Horn 2023-07-11 10:42:03 UTC
With input from the engineering colleagues, we extended the kbase:

- the setting is now persistent
- after installation of package selinux-policy-devel, the output is more verbose

