Bug 252585 - SELinux is not allowing vsftp to start when privelleged ports (other than 21 and port < 1024) is assigned to it
Summary: SELinux is not allowing vsftp to start when privelleged ports (other than 21 ...
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vsftpd   
(Show other bugs)
Version: 5.0
Hardware: x86_64 Linux
Target Milestone: ---
: ---
Assignee: Maros Barabas
QA Contact:
Keywords: Reopened
Depends On:
TreeView+ depends on / blocked
Reported: 2007-08-16 06:16 UTC by manoj
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-29 10:49:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
SELinux trouble shoot log (2.51 KB, text/plain)
2007-08-16 06:16 UTC, manoj
no flags Details

Description manoj 2007-08-16 06:16:00 UTC

I'm using third party GUI to manage the different services on Rhel5(64 bit)system.
I have enabled SELinux policy(target 21) in enforcing mode and the file system
is properly labelled.When I try to start vsftpd after assigning the priveleged
port (other than 21,20 and within 1024 ports) I'm unable to start the vsftp.
However when i disable the SELinux policy I'm able to start it.

I just want to know if SELinux policy doesn't allow my GUI to assign lower
priveleged ports(< 1024) to Vsftp and if the answer is yes could you give me the
reasons or any link on the internet which gives me the sufficient answers.

Please note that there is no issues when port 21 or ports > 1024 is assigned to

Actual results:

Expected results:

Additional info:
Attaching the SeLinux troubleshhot logs which I get when i try to start vsftpd.

Comment 1 manoj 2007-08-16 06:16:00 UTC
Created attachment 161499 [details]
SELinux trouble shoot log

Comment 2 manoj 2007-08-20 04:15:12 UTC
can i expect a quick response.

Comment 3 manoj 2007-08-23 09:09:59 UTC
Still waiting for your response.How many more days will u need to reply??

Comment 4 Maros Barabas 2007-08-23 12:46:43 UTC
As in SELinux trouble shoot log: 
*Sometimes labeling problems can cause SELinux denials.  You could try to
restore the default system file context for /etc/httpd/conf, restorecon -v

Your file context: system_u:object_r:dhcpd_state_t
It should be: system_u:object_r:httpd_config_t

This problem is not in vsftpd, but in labeling problems with httpd. This could
be caused by your third party GUI.

But this problem shouldn't stop vsftpd to start. If you will find another
problem or error caused by vsftpd, please let me know by reopening this bug.


Comment 5 manoj 2007-08-24 06:07:03 UTC

I investigated further on this issue.This time I didn't installed the third
party GUI for managing the services.On a Plain Rhel5 Enterprise Linux system
with SELinux enabled in Enforcing mode I assigned port 200 to vsftpd
(/etc/vsftpd/vsftpd.conf ,listen_port=200)and tried to start vsftpd using
/etc/init.d/vsftpd start but it failed to start. When i changed the port to
unpriveleged port 1029 and then tried starting it using /etc/init.d/vsftpd start
it started .

I didn't got any setroubleshoot log though . But I'm sure this is caused by
I request you to follow the method which I have given above to reproduce this
bug and reply me.


Comment 8 manoj 2007-08-29 04:19:42 UTC

Any updates about this bug.Still waiting for the response.Please go through my
comment no 5.


Comment 9 Maros Barabas 2007-08-29 10:49:22 UTC
Hi, add additional port 200 to selinux policy by:

semanage port -a -p tcp -t ftp_port_t 200

SeLinux deny changing ports for some services (to <1024) by default. This is not
a vsftpd bug.

Comment 10 manoj 2007-08-29 10:53:37 UTC
Thanks mbarabas.

Comment 11 Daniel Walsh 2007-08-31 10:19:59 UTC
Yes this is the correct thing to do.  You can customize selinux policy using
semanage.  (system-config-selinux)

Comment 12 Daniel Walsh 2007-08-31 10:21:07 UTC
BTW If you run setroubleshoot it should give you some of this information.

Comment 13 manoj 2007-08-31 10:35:41 UTC
I dont get any setroubleshoot alert for this :(
I have reverified this on multiple system.It would have been nice to get
Setroubleshoot alert for this case.


Note You need to log in before you can comment on or make changes to this bug.