Description of problem:
SELinux is preventing the ftp daemon from reading users' home directories (home).

Version-Release number of selected component (if applicable):
SELinux Policy Targeted 21

How reproducible:

Steps to Reproduce:
1. On a plain RHEL5 system with SELinux enabled in Enforcing mode (targeted policy) I created two local user accounts, test1 and test2, and started vsftpd using /etc/init.d/vsftpd start.
2. Then from the console I tried to connect to the ftp server using ftp localhost. I got the ftp login prompt.
3. I entered the user name test1. It prompted me for the password, which I entered.

Result: I was unable to log in. I got the following SELinux denial setroubleshoot alert, which I'm pasting below.

Actual results:

Summary
SELinux is preventing the ftp daemon from reading users home directories (home).

Detailed Description
SELinux has denied the ftp daemon access to users home directories (home). Someone is attempting to login via your ftp daemon to a user account. If you only setup ftp to allow anonymous ftp, this could signal a intrusion attempt.

Allowing Access
If you want ftp to allow users access to their home directories you need to turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"

The following command will allow this access:
setsebool -P ftp_home_dir=1

Additional Information
Source Context         root:system_r:ftpd_t
Target Context         system_u:object_r:home_root_t
Target Objects         home [ dir ]
Affected RPM Packages  vsftpd-2.0.5-10.el5 [application] filesystem-2.4.0-1 [target]
Policy RPM             selinux-policy-2.4.6-30.el5
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.ftp_home_dir
Host Name              Rhel5.test.com
Platform               Linux Rhel5.test.com 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:14 EST 2007 x86_64 x86_64
Alert Count            1
Line Numbers

Raw Audit Messages
avc: denied { search } for comm="vsftpd" dev=sda3 egid=501 euid=501 exe="/usr/sbin/vsftpd" exit=-13 fsgid=501 fsuid=501 gid=0 items=0 name="home" pid=2896 scontext=root:system_r:ftpd_t:s0 sgid=501 subj=root:system_r:ftpd_t:s0 suid=501 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0

Expected results:

Additional info:
I have read on the net that there is no SELinux policy for the ftp daemon. I mean vsftpd can access the entire file system, like a system with no SELinux policy (DAC system). When I executed setsebool -P ftp_home_dir=1 I was able to log in via local accounts.
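As an added illustration, not part of this bug report, the following POSIX shell helper parses an AVC line like the one quoted above, maps an ftpd_t denial on a home-directory type to the ftp_home_dir boolean, and states the setting that fits a local-user server versus an anonymous-only one. The audit line is the one from this report; that user_home_dir_t and user_home_t fall under the same boolean as home_root_t is an assumption of the example.

```shell
#!/bin/sh
# Added example, not part of the bug report: parse an SELinux AVC denial
# for vsftpd and say which policy boolean the setroubleshoot plugin points at.

# Constructed sample: the raw audit message quoted in the report, on one line.
SAMPLE_AVC='avc: denied { search } for comm="vsftpd" dev=sda3 egid=501 euid=501 exe="/usr/sbin/vsftpd" exit=-13 fsgid=501 fsuid=501 gid=0 items=0 name="home" pid=2896 scontext=root:system_r:ftpd_t:s0 sgid=501 subj=root:system_r:ftpd_t:s0 suid=501 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0'
# avc_field LINE KEY -> value of KEY=value in the AVC line, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}
# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}
# avc_boolean LINE -> boolean that governs the denial ("none", status 1, if
# the source is not ftpd_t or the target is not a home-directory type).
# Assumption: user_home_dir_t and user_home_t are covered by the same boolean
# as the home_root_t target seen in this report.
avc_boolean() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    [ "$stype" = ftpd_t ] || { echo none; return 1; }
    case "$ttype" in
        home_root_t|user_home_dir_t|user_home_t) echo ftp_home_dir ;;
        *) echo none; return 1 ;;
    esac
}
# bool_state GETSEBOOL_LINE -> "on" or "off" from "ftp_home_dir --> off"
bool_state() {
    printf '%s\n' "$1" | awk '{print $3}'
}
# audit_advice LINE SITE -> what to do with the denial, where SITE is "local"
# (local users may log in) or "anonymous" (anonymous-only server).
audit_advice() {
    b=$(avc_boolean "$1") || { echo "not a vsftpd home-directory denial; inspect the AVC"; return 0; }
    case "$2" in
        local)     echo "setsebool -P $b=1" ;;
        anonymous) echo "keep $b off: a home-directory login (euid $(avc_field "$1" euid)) was attempted on an anonymous-only server" ;;
        *)         echo "site must be local or anonymous" >&2; return 1 ;;
    esac
}

# Live check on a real host (skipped where getsebool is not installed).
if command -v getsebool >/dev/null 2>&1; then
    echo "ftp_home_dir is $(bool_state "$(getsebool ftp_home_dir)")"
fi
echo "reported denial, local-user site: $(audit_advice "$SAMPLE_AVC" local)"
```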
That is the way it is supposed to work. This is not a bug; we are enforcing that vsftpd runs in either anonymous ftp mode or able to access home directories. The idea is if you only use ftp as an anonymous server and there is a bug that allows a user to gain access to your machine, it would only get access to the anonymous ftp areas, not your home directories.
Thanks Daniel for the quick response. Can you please look into the other bug, 252585, which I have opened.