Hi, I'm using a third party GUI to manage the different services on a RHEL5 (64 bit) system. I have enabled the SELinux policy (targeted) in enforcing mode and the file system is properly labelled. When I try to start vsftpd after assigning a privileged port (other than 21, 20 and within the first 1024 ports) I'm unable to start vsftpd. However when I disable the SELinux policy I'm able to start it. I just want to know if the SELinux policy doesn't allow my GUI to assign lower privileged ports (< 1024) to vsftpd, and if the answer is yes could you give me the reasons or any link on the internet which gives me sufficient answers. Please note that there are no issues when port 21 or ports > 1024 are assigned to vsftpd. Actual results: Expected results: Additional info: Attaching the SELinux troubleshoot logs which I get when I try to start vsftpd.
Created attachment 161499 [details] SELinux troubleshoot log
Can I expect a quick response?
Still waiting for your response. How many more days will you need to reply?
As in the SELinux troubleshoot log: *Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/httpd/conf, restorecon -v /etc/httpd/conf.* Your file context: system_u:object_r:dhcpd_state_t It should be: system_u:object_r:httpd_config_t This problem is not in vsftpd, but in labeling problems with httpd. This could be caused by your third party GUI. --- But this problem shouldn't stop vsftpd from starting. If you find another problem or error caused by vsftpd, please let me know by reopening this bug. Thanks
Hi, I investigated further on this issue. This time I didn't install the third party GUI for managing the services. On a plain RHEL5 Enterprise Linux system with SELinux enabled in enforcing mode I assigned port 200 to vsftpd (/etc/vsftpd/vsftpd.conf, listen_port=200) and tried to start vsftpd using /etc/init.d/vsftpd start, but it failed to start. When I changed the port to the unprivileged port 1029 and then tried starting it using /etc/init.d/vsftpd start, it started. I didn't get any setroubleshoot log though. But I'm sure this is caused by SELinux. I request you to follow the method which I have given above to reproduce this bug and reply to me. Thanks Manoj.
Hi, any updates about this bug? Still waiting for the response. Please go through my comment no. 5. Thanks.
Hi, add the additional port 200 to the SELinux policy by: semanage port -a -p tcp -t ftp_port_t 200 SELinux denies changing ports for some services (to <1024) by default. This is not a vsftpd bug.
Thanks mbarabas.
Yes, this is the correct thing to do. You can customize the SELinux policy using semanage (system-config-selinux).
BTW, if you run setroubleshoot it should give you some of this information.
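The two comments above (the semanage fix for port 200, and customizing port labels with semanage in general) come down to one question: which SELinux port type owns the port vsftpd is trying to bind, and is ftpd_t allowed to name_bind to that type? The script below is an added example written for this thread, not code from the reporter, the maintainers or the vsftpd/SELinux projects. It parses a "semanage port -l" style listing and an auditd AVC record, both of which are constructed sample data embedded in the script so it runs offline; the allowed (domain, port type) pairs in may_bind are a small hand-written subset of the targeted policy, and port_t as the default type for unlisted ports is an assumption based on the reference policy. On a real host you would feed it the real "semanage port -l" output and the real /var/log/audit/audit.log lines.

```shell
#!/bin/sh
# Added example for this bug thread (not from the original posts).
# Maps a port to its SELinux port type, checks whether a domain may bind it,
# and derives the "semanage port -a" command from a name_bind AVC denial.

# CONSTRUCTED sample in the format "semanage port -l" prints (not real host output).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
reserved_port_t                tcp      1-1023
'

# port_type PROTO PORT -> most specific type owning PORT (exact entry beats a
# range; smaller range beats larger). Unlisted ports fall back to port_t,
# the policy's default port type (assumption, see lead-in).
port_type() {
  printf '%s\n' "$SAMPLE_PORT_LIST" | awk -v proto="$1" -v port="$2" '
    NR == 1 { next }                     # skip the header line
    $2 != proto { next }
    {
      type = $1
      for (i = 3; i <= NF; i++) {        # fields 3.. are "20", "80,", "1-1023" ...
        f = $i; sub(/,$/, "", f)
        if (index(f, "-")) {
          split(f, r, "-"); lo = r[1] + 0; hi = r[2] + 0
          if (port + 0 >= lo && port + 0 <= hi) {
            size = hi - lo
            if (best == "" || size < bestsize) { best = type; bestsize = size }
          }
        } else if (f + 0 == port + 0) {
          best = type; bestsize = 0
        }
      }
    }
    END { print (best != "" ? best : "port_t") }'
}

# may_bind DOMAIN PROTO PORT -> exit 0 if DOMAIN may name_bind the port's type.
# The pairs listed are a CONSTRUCTED subset of the targeted policy rules.
may_bind() {
  t=$(port_type "$2" "$3")
  case "$1:$t" in
    ftpd_t:ftp_port_t|ftpd_t:ftp_data_port_t|httpd_t:http_port_t) return 0 ;;
    *) return 1 ;;
  esac
}

# fix_for DOMAIN PROTO PORT -> the semanage command that labels PORT for DOMAIN
# (this is the fix the maintainer gave for vsftpd on port 200).
fix_for() {
  case "$1" in
    ftpd_t)  t=ftp_port_t ;;
    httpd_t) t=http_port_t ;;
    *) echo "no port type known for domain $1" >&2; return 1 ;;
  esac
  echo "semanage port -a -p $2 -t $t $3"
}

# CONSTRUCTED AVC record in auditd's format, as /var/log/audit/audit.log would
# show when vsftpd (ftpd_t) is denied binding a reserved_port_t port.
SAMPLE_AVC='type=AVC msg=audit(1180000000.123:45): avc:  denied  { name_bind } for  pid=1234 comm="vsftpd" src=200 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of "KEY=value" in an AVC record
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_domain LINE -> source domain type, the third field of scontext
avc_domain() { avc_field "$1" scontext | cut -d: -f3; }

# avc_fix LINE -> semanage command derived from a name_bind denial
avc_fix() {
  d=$(avc_domain "$1"); p=$(avc_field "$1" src)
  proto=$(avc_field "$1" tclass | sed 's/_socket$//')
  fix_for "$d" "$proto" "$p"
}

# Stand-alone demo: port 21 is fine, port 200 is not, and the denial gives the fix.
for p in 21 200 1029; do
  printf 'tcp/%s is %s; ftpd_t may bind: ' "$p" "$(port_type tcp "$p")"
  may_bind ftpd_t tcp "$p" && echo yes || echo no
done
avc_fix "$SAMPLE_AVC"
```

On a RHEL5 box the same idea is spelled out by `semanage port -l | grep ftp` (to see ftp_port_t only carries 20/21) and by `ausearch -m avc -c vsftpd`, which shows the name_bind denial against reserved_port_t even when setroubleshoot produces no alert, as the reporter saw; the AVC parser above is what turns that record into the `semanage port -a` line.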
I don't get any setroubleshoot alert for this :( I have reverified this on multiple systems. It would have been nice to get a setroubleshoot alert for this case. Thanks.