Bug 245077 - vsftpd does not work with SELinux anymore.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: 7
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Maros Barabas
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-06-20 20:41 UTC by Eliran Itzhak
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-26 18:57:30 UTC
Type: ---
Embargoed:



Description Eliran Itzhak 2007-06-20 20:41:12 UTC
Description of problem:
Can't login to vsftpd when SELinux is set to Enforce.

Version-Release number of selected component (if applicable):
Linux main 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686 i386 GNU/Linux

How reproducible:


Steps to Reproduce:
1. Enable selinux, try to login to ftp
2.
3.
  
Actual results:
no ftp username is accepted.

Expected results:


Additional info:
This is what I get in /var/log/messages
audit(1182370180.362:1092): avc:  denied  { execute } for  pid=20420 comm="vsftpd" name="unix_update" dev=cciss/c0d0p3 ino=4676768 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file

Comment 1 Maros Barabas 2007-06-21 07:06:46 UTC
Please send me output from: 

     # getsebool -a | grep ftp

and your configuration file (/etc/vsftpd/vsftpd.conf). 

Thanks

Comment 2 Michal Schmidt 2007-06-26 18:51:31 UTC
I could reproduce the problem with selinux-policy-targeted-2.6.4-14.fc7. I 
enabled "local_enable=YES" in vsftpd.conf, tried to login as a local user and 
got the same AVC denial. Apparently it is already fixed in CVS since 
selinux-policy version 2.6.4-18.fc7. I am now using 2.6.4-23.fc7 without this 
problem.

Comment 3 Eliran Itzhak 2007-06-26 18:57:30 UTC
The problem is solved with last night's yum update. Thanks.
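
Added example (not part of the bug report and not code from vsftpd or selinux-policy): a Python parser for the syslog-format AVC record quoted in the description, which groups denials by source type, target type and object class so that the ftpd_t to updpwd_exec_t execute denial is visible at a glance. The function names, the second and third sample lines and the type example_t are constructed for illustration.

```python
import re
from collections import defaultdict

# Syslog form of an AVC record, as quoted in the bug description.
AVC_RE = re.compile(
    r"audit\(\d+\.\d+:(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    # A context is user:role:type[:level]; the level may itself contain ':'.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def summarize_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass"))
            summary[key].update(rec["perms"])
    return dict(summary)

SAMPLE = [
    # From the bug description, rejoined onto one line.
    'audit(1182370180.362:1092): avc:  denied  { execute } for  pid=20420 '
    'comm="vsftpd" name="unix_update" dev=cciss/c0d0p3 ino=4676768 '
    'scontext=root:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file',
    # Constructed: syslog prefix, two permissions, MLS range in the level.
    'Jun 20 20:09:41 main kernel: audit(1182370181.101:1093): avc:  denied  '
    '{ read getattr } for  pid=20421 comm="vsftpd" name="example" dev=sda1 '
    'ino=1 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:example_t:s0 tclass=file',
    # Constructed: a non-audit line, which must be ignored.
    'Jun 20 20:09:42 main vsftpd: constructed non-audit line',
]
```
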

