Bug 256121 - SELinux is preventing the ftp daemon from reading users home directories (home).
SELinux is preventing the ftp daemon from reading users home directories ...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
5.0
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-27 07:07 EDT by manoj
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-27 09:29:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description manoj 2007-08-27 07:07:47 EDT
Description of problem: SELinux is preventing the ftp daemon from reading users
home directories
    (home).


Version-Release number of selected component (if applicable):SELinux Policy
Targetted 21


How reproducible:


Steps to Reproduce:
1. On a Plain Rhel5 system with SELinux enabled in Enforcing mode (Target
policy) I created 2 local account users test1 and test2.started vsftp using
/etc/init.d//vsftd start.

2.Than from console I tried to connect ftp server using ftp localhost. I got
login prompt of ftp. 

3. I entered user name test1. It prompted me for password which I entered.
 Result : I was unable to login. I got the following SELinux denial
setroubleshoot alert which I'm Pasting below.
  
Actual results:

Summary
    SELinux is preventing the ftp daemon from reading users home directories
    (home).

Detailed Description
    SELinux has denied the ftp daemon access to users home directories (home).
    Someone is attempting to login via your ftp daemon to a user account. If you
    only setup ftp to allow anonymous ftp, this could signal a intrusion
    attempt.

Allowing Access
    If you want ftp to allow users access to their home directories you need to
    turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"

    The following command will allow this access:
    setsebool -P ftp_home_dir=1

Additional Information

Source Context                root:system_r:ftpd_t
Target Context                system_u:object_r:home_root_t
Target Objects                home [ dir ]
Affected RPM Packages         vsftpd-2.0.5-10.el5
                              [application]filesystem-2.4.0-1 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.ftp_home_dir
Host Name                     Rhel5.test.com
Platform                      Linux Rhel5.test.com 2.6.18-8.el5 #1 SMP Fri Jan
                              26 14:15:14 EST 2007 x86_64 x86_64
Alert Count                   1
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="vsftpd" dev=sda3 egid=501 euid=501
exe="/usr/sbin/vsftpd" exit=-13 fsgid=501 fsuid=501 gid=0 items=0 name="home"
pid=2896 scontext=root:system_r:ftpd_t:s0 sgid=501 subj=root:system_r:ftpd_t:s0
suid=501 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0



Expected results:


Additional info:

I have read on net that there is no SELinux policy for ftp daemon . I mean
Vsftpd can access entire file system like a system with no SELinux policy( DAC
system).

When i executed setsebool -P ftp_home_dir=1 I was able to login via local accounts.
Comment 1 Daniel Walsh 2007-08-27 09:29:11 EDT
That is the way it is supposed to work.  This is not a bug, we are enforcing
that vsftpd runs in either anonymous ftp mode or able to access homedirectories.
 The idea is if you only use ftp as an anonymous server and there is a bug that
allows a user to gain access to you  machine, it would only get access to the
anonymous ftp areas, not your homedirectories.
Comment 2 manoj 2007-08-29 00:25:12 EDT
Thanks Daniel for the quick response.Can u please look into other bug 252585
which I have opened.

Note You need to log in before you can comment on or make changes to this bug.