Description of problem:
vsftpd as FTP server, with SELinux in Enforcing mode. A user logged in to the FTP server cannot see a symlink in the user's directory. SELinux prevents vsftpd from accessing the symlink.

Version-Release number of selected component (if applicable):
vsftpd-3.0.3-32.el8.x86_64
selinux-policy-targeted-3.14.3-4.el8.x86_64
selinux-policy-3.14.3-4.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL8, create a user "test01"
2. In /home/test01 create a directory and a link to it
   $ mkdir testdir
   $ ln -s testdir testdir-link
3. Enable the vsftpd server
   # systemctl start vsftpd
4. Make sure SELinux is in enforcing mode.
   # getenforce
   Enforcing
5. Log in to the ftp server and list the directories.
   # ftp localhost
   Trying ::1...
   ftp: connect to address ::1: Connection refused
   Trying 127.0.0.1...
   Connected to localhost (127.0.0.1).
   220 (vsFTPd 3.0.3)
   Name (localhost:root): test01
   331 Please specify the password.
   Password:
   230 Login successful.
   Remote system type is UNIX.
   Using binary mode to transfer files.
   ftp> ls
   227 Entering Passive Mode (127,0,0,1,50,180).
   150 Here comes the directory listing.
   drwxrwxr-x    2 1004     1004            6 Jun 30 06:40 testdir

Actual results:
Only the directory is shown.

Expected results:
Both the directory and the symbolic link are shown.
   ftp> ls
   227 Entering Passive Mode (127,0,0,1,50,180).
   150 Here comes the directory listing.
   drwxrwxr-x    2 1004     1004            6 Jun 30 06:40 testdir
   lrwxrwxrwx    1 1004     1004            7 Jun 30 06:40 testdir-link -> testdir

Additional info:
The following steps allow vsftpd to access the symlink.
   # grep vsftpd /var/log/audit/audit.log | audit2allow -M vsftpd_read_symlink
   # semodule -i vsftpd_read_symlink.pp
   # semodule -l | grep vsftpd
   vsftpd_read_symlink

Workaround: Set SELinux to permissive or disabled.
Additional information:
type=AVC msg=audit(1688103130.947:286): avc: denied { getattr } for pid=2523 comm="vsftpd" path="/home/test01/testdir-link" dev="dm-0" ino=17978811 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
Currently, the access is allowed only if the ftpd_full_access boolean is enabled:

   # sesearch -s ftpd_t -t user_home_t -c lnk_file -p read -A
   allow ftpd_t non_security_file_type:lnk_file { append create getattr ioctl link lock read rename setattr unlink write }; [ ftpd_full_access ]:True

The following command enables the boolean:

   # setsebool ftpd_full_access on
Thanks for your advice. I tested the command "setsebool ftpd_full_access on" and it surely fixes my problem. Would it be possible to create a KB? If you are not the right person to ask, I will discuss it with Christian Horn (Red Hat TAM for HPE-Japan) on Monday.

Regards,
Masanari Iida
Hello team,
(I follow the rhn-accounts of a few users, so I became aware of this bz.) Do you think https://access.redhat.com/solutions/7023201 reflects the issue properly?

Best regards,
Christian
(In reply to Christian Horn from comment #3)
> do you think https://access.redhat.com/solutions/7023201
> reflects the issue properly?

I think it does.
Would you mind adding the expected output to the KB?

   ftp> ls
   227 Entering Passive Mode (127,0,0,1,50,180).
   150 Here comes the directory listing.
   drwxrwxr-x    2 1004     1004            6 Jun 30 06:40 testdir
   lrwxrwxrwx    1 1004     1004            7 Jun 30 06:40 testdir-link -> testdir

And a list of the booleans in the RHEL manual page. I could find one example in the RHEL7 manual, but not for RHEL8.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-file_transfer_protocol-booleans
(In reply to masanari iida from comment #5)
> [..]
> And list of booleans in RHEL manual page.

Good input, modified.

> I could find one example on RHEL7 manual, but not on RHEL8.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/selinux_users_and_administrators_guide/sect-managing_confined_services-
> file_transfer_protocol-booleans

Providing the search method, like "semanage boolean -l | grep ftp", is more generic: it then shows the results for the exact minor release that is installed. The product docs can only show the output for one release, which should be the latest minor release.
I have confirmed that the following two items have been modified:
(1) An expected output has been added.
(2) The "semanage boolean -l | grep ftp" output has been added.
Now the KB looks OK to me. Thank you.
Thank you for the review and input!
With input from the engineering colleagues, we extended the kbase:
- the setting is now persistent
- after installation of the package selinux-policy-devel, the output is more verbose
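The procedure discussed in this thread (the audit2allow module from the report, the sesearch/setsebool answer in comment 2, and the persistent setting mentioned in the last comment), as an added example that is not part of the bug report, of vsftpd, or of the Red Hat KB article: a POSIX shell script that takes the AVC record quoted under "Additional information", turns it into the sesearch query for exactly that source type, target type, object class and denied permission, and, only where sesearch exists on the host, reports whether a boolean already gates the access and prints the persistent setsebool -P command. The AVC line is the one from the thread; the function names (avc_field, avc_perm, ctx_type, sesearch_query, gating_boolean) are my own. Two things the script spells out that the thread leaves implicit: a module generated with audit2allow grants the access unconditionally and stays loaded until removed with semodule -r, while the sesearch output in comment 2 shows that ftpd_full_access gates full read/write on every non_security_file_type, far more than the single getattr on one symlink that was denied, so the boolean is the supported fix but not the narrower grant.

```sh
#!/bin/sh
# Added example, not code from the bug report or the KB article.
# Parses one AVC denial into the sesearch query that shows which rule
# (and which boolean, if any) governs that exact access, so the fix can be
# a supported boolean rather than a local audit2allow module.
# Assumptions: the parsing functions run on any POSIX sh with sed and cut;
# sesearch/getsebool/setsebool are only called if they exist on this host.

# The denial quoted in the thread ("Additional information" comment).
AVC_SAMPLE='type=AVC msg=audit(1688103130.947:286): avc: denied { getattr } for pid=2523 comm="vsftpd" path="/home/test01/testdir-link" dev="dm-0" ino=17978811 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0'

# avc_field LINE NAME: value of the NAME=... token, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the first permission inside "denied { ... }".
# A denial can list several permissions; each one needs its own sesearch -p.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# sesearch_query LINE: the setools query for the source type, target type,
# object class and permission of this denial. Comment 2 ran the same query
# with -p read; -p getattr is the permission actually denied here.
sesearch_query() {
    printf 'sesearch -s %s -t %s -c %s -p %s -A\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# gating_boolean RULES: the boolean named in a "[ name ]:value" suffix of
# sesearch output, i.e. a rule conditional on a single boolean.
# Compound conditions such as "[ a && b ]" are not handled; read those by hand.
gating_boolean() {
    printf '%s\n' "$1" | sed -n 's/.*\[ *\([A-Za-z0-9_]*\) *\]:.*/\1/p' | head -n 1
}

# Host-only part: query the loaded policy and report the supported fix.
if command -v sesearch >/dev/null 2>&1; then
    query=$(sesearch_query "$AVC_SAMPLE")
    echo "Running: $query"
    rules=$($query)      # unquoted on purpose: the string is one command line
    printf '%s\n' "$rules"
    bool=$(gating_boolean "$rules")
    if [ -n "$bool" ]; then
        echo "Access is gated by boolean '$bool': $(getsebool "$bool")"
        echo "Persistent fix (survives reboot and policy updates): setsebool -P $bool on"
        echo "Compare everything the rule grants with the single permission that was denied."
    else
        echo "No boolean gates this access; a local module (audit2allow -M) or a selinux-policy bug report is needed."
        echo "A local module stays loaded until removed with: semodule -r <module>"
    fi
fi
```

Run it on the affected host as root to see the same "[ ftpd_full_access ]:True" rule as in comment 2; on any other machine it only exercises the parsing, which is what the thread's AVC line feeds.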