Description of problem:

SELinux denied access requested by /usr/sbin/proftpd. It is not expected that this access is required by /usr/sbin/proftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information

Source Context: system_u:system_r:ftpd_t
Target Context: system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects: None [ key ]
Affected RPM Packages: psa-proftpd-1.3.0-fc7.build83071218.19 [application]
Policy RPM: selinux-policy-2.6.4-67.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall
Host 2.6.23.12-52.fc7 #1 SMP Tue Dec 18 21:18:02 EST 2007 i686 i686

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Raw Audit Messages:

avc: denied { search } for comm="in.proftpd" egid=0 euid=0 exe="/usr/sbin/proftpd" exit=205729777 fsgid=0 fsuid=0 gid=2524 items=0 pid=22365 scontext=system_u:system_r:ftpd_t:s0 sgid=0 subj=system_u:system_r:ftpd_t:s0 suid=0 tclass=key tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=10001
*** Bug 428552 has been marked as a duplicate of this bug. ***
First off this is a bug in configuration. But I do not understand how you get to this. It looks like proftp executed a pam_keyinit and then somehow started cron.
Maybe I can explain. The server has several domains on it. I have three external cameras that ftp in images every 1 minute. Now they themselves log in via ftp and put the image into the domain's /httpdocs/images. So I assume that pam is validating the ftp login? Cron, well you got me, unless as it's occurring every 1 minute exactly (synced off the gps ntpd server on the network) it's assuming cron? There are some scripts that run by cron on the domains, but these use wget to fetch stuff, not proftp, so it's got to be the cameras ftping in. It's extremely annoying: 3 cameras ftp in 1 image every 1 minute, and 1 remote camera ftps in 1 image every 5 minutes, in other words a LOT of generated messages. What more info would you like?
Removing pam_keyinit from the cron pam file (system-auth) will probably get rid of it. Or you could allow this by executing

# grep crond /var/log/audit/audit.log | audit2allow -M mycron
# semodule -i mycron.pp

It is not a security problem.
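
To see which type-enforcement rule the denial in this report corresponds to before a module such as mycron.pp is loaded, the record can be parsed by hand. This is an added example, not part of the original thread and not audit2allow's own code; the function names are made up for illustration and only the fields shown in the quoted record are handled.

```python
import re
from collections import defaultdict

# The raw audit record quoted in the report above.
REPORTED_AVC = (
    'avc: denied { search } for comm="in.proftpd" egid=0 euid=0 '
    'exe="/usr/sbin/proftpd" exit=205729777 fsgid=0 fsuid=0 gid=2524 items=0 '
    'pid=22365 scontext=system_u:system_r:ftpd_t:s0 sgid=0 '
    'subj=system_u:system_r:ftpd_t:s0 suid=0 tclass=key '
    'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=10001'
)

DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Type is the third field of user:role:type[:range]; the range may contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Return (source_type, target_type, class, perms) or None for non-AVC lines."""
    denied = DENIED_RE.search(line)
    if denied is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return (selinux_type(fields["scontext"]), selinux_type(fields["tcontext"]),
            fields["tclass"], denied.group(1).split())


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # same convention audit2allow prints
        perm_text = perms.pop() if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules([REPORTED_AVC])))
```

The resulting rule applies to every process running as ftpd_t, not only the camera logins described in the thread, so it is worth reading the generated mycron.te before running semodule -i.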