Bug 252585 - SELinux is not allowing vsftp to start when privileged ports (other than 21 and port < 1024) are assigned to it
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vsftpd
Version: 5.0
Hardware: x86_64 Linux
Priority: low, Severity: high
Assigned To: Maros Barabas
Keywords: Reopened

Reported: 2007-08-16 02:16 EDT by manoj
Modified: 2007-11-30 17:07 EST
Last Closed: 2007-08-29 06:49:22 EDT

Attachments:
SELinux trouble shoot log (2.51 KB, text/plain)
2007-08-16 02:16 EDT, manoj
Description manoj 2007-08-16 02:16:00 EDT
Hi,

I'm using a third party GUI to manage the different services on a RHEL5 (64 bit) system.
I have enabled SELinux policy (target 21) in enforcing mode and the file system
is properly labelled. When I try to start vsftpd after assigning a privileged
port (other than 21, 20 and within 1024 ports) I'm unable to start vsftpd.
However, when I disable the SELinux policy I'm able to start it.

I just want to know if SELinux policy doesn't allow my GUI to assign lower
privileged ports (< 1024) to vsftpd, and if the answer is yes, could you give me the
reasons or any link on the internet which gives me sufficient answers?

Please note that there are no issues when port 21 or ports > 1024 are assigned to
vsftpd.

Additional info:
Attaching the SELinux troubleshoot logs which I get when I try to start vsftpd.
Comment 1 manoj 2007-08-16 02:16:00 EDT
Created attachment 161499
SELinux trouble shoot log
Comment 2 manoj 2007-08-20 00:15:12 EDT
Can I expect a quick response?
Comment 3 manoj 2007-08-23 05:09:59 EDT
Still waiting for your response. How many more days will you need to reply?
Comment 4 Maros Barabas 2007-08-23 08:46:43 EDT
As in SELinux trouble shoot log: 
*Sometimes labeling problems can cause SELinux denials.  You could try to
restore the default system file context for /etc/httpd/conf, restorecon -v
/etc/httpd/conf.*

Your file context: system_u:object_r:dhcpd_state_t
It should be: system_u:object_r:httpd_config_t

This problem is not in vsftpd, but in labeling problems with httpd. This could
be caused by your third party GUI.

---
But this problem shouldn't stop vsftpd from starting. If you find another
problem or error caused by vsftpd, please let me know by reopening this bug.

Thanks
Comment 5 manoj 2007-08-24 02:07:03 EDT
Hi,

I investigated further on this issue. This time I didn't install the third
party GUI for managing the services. On a plain RHEL5 Enterprise Linux system
with SELinux enabled in Enforcing mode I assigned port 200 to vsftpd
(/etc/vsftpd/vsftpd.conf, listen_port=200) and tried to start vsftpd using
/etc/init.d/vsftpd start but it failed to start. When I changed the port to
unprivileged port 1029 and then tried starting it using /etc/init.d/vsftpd start
it started.

I didn't get any setroubleshoot log though. But I'm sure this is caused by
SELinux.
I request you to follow the method which I have given above to reproduce this
bug and reply to me.

Thanks
Manoj.
Comment 8 manoj 2007-08-29 00:19:42 EDT
Hi,

Any updates about this bug? Still waiting for the response. Please go through my
comment no. 5.

Thanks.
Comment 9 Maros Barabas 2007-08-29 06:49:22 EDT
Hi, add additional port 200 to the SELinux policy by:

semanage port -a -p tcp -t ftp_port_t 200

SELinux denies changing ports for some services (to <1024) by default. This is not
a vsftpd bug.
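
As an added example (not part of the original bug report or Red Hat's tooling), the shell functions below check a vsftpd `listen_port` against `semanage port -l` output and print the command from comment 9 when the port is not labelled `ftp_port_t`. The sample port listing and configuration are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare vsftpd's listen_port with the SELinux port labels.
# Live use (as root):
#   semanage port -l | check_port "$(conf_port < /etc/vsftpd/vsftpd.conf)"

# Constructed sample of `semanage port -l` output; the types and ranges on a
# real system depend on the installed policy version.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
reserved_port_t                tcp      1-1023'

# Constructed sample vsftpd.conf matching comment 5 (listen_port=200).
SAMPLE_CONF='listen=YES
# listen_port=21
listen_port=200'

# Read vsftpd.conf text on stdin and print listen_port (vsftpd defaults to 21).
conf_port() {
    awk -F= '/^listen_port=/ { p = $2 } END { print (p == "" ? 21 : p) }'
}

# port_types PORT: read `semanage port -l` text on stdin and print every tcp
# port type whose comma-separated list or lo-hi range contains PORT.
port_types() {
    awk -v want="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                n = split(r, b, "-")
                lo = b[1] + 0; hi = (n == 2 ? b[2] : b[1]) + 0
                if (want + 0 >= lo && want + 0 <= hi) { print $1; break }
            }
        }'
}

# check_port PORT: succeed if PORT is labelled ftp_port_t in the listing on
# stdin; otherwise print the semanage command from comment 9 and return 1.
check_port() {
    if port_types "$1" | grep -qx ftp_port_t; then
        echo "port $1 is already ftp_port_t"
    else
        echo "semanage port -a -p tcp -t ftp_port_t $1"
        return 1
    fi
}
```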
Comment 10 manoj 2007-08-29 06:53:37 EDT
Thanks mbarabas.
Comment 11 Daniel Walsh 2007-08-31 06:19:59 EDT
Yes, this is the correct thing to do.  You can customize SELinux policy using
semanage.  (system-config-selinux)
Comment 12 Daniel Walsh 2007-08-31 06:21:07 EDT
BTW, if you run setroubleshoot it should give you some of this information.
Comment 13 manoj 2007-08-31 06:35:41 EDT
I don't get any setroubleshoot alert for this :(
I have reverified this on multiple systems. It would have been nice to get a
setroubleshoot alert for this case.

Thanks.