Bug 428551 - SELinux is preventing /usr/sbin/proftpd (ftpd_t) "search" to (crond_t).
Summary: SELinux is preventing /usr/sbin/proftpd (ftpd_t) "search" to (crond_t).
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 7
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
: 428552 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2008-01-13 05:52 UTC by David
Modified: 2008-01-15 14:47 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-15 14:47:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description David 2008-01-13 05:52:05 UTC
Description of problem:

SELinux denied access requested by /usr/sbin/proftpd. It is not expected that
this access is required by /usr/sbin/proftpd and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.Allowing AccessYou can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended. Please file a bug report against this
package.Additional InformationSource Context:  system_u:system_r:ftpd_tTarget
Context:  system_u:system_r:crond_t:SystemLow-SystemHighTarget Objects:  None [
key ]Affected RPM Packages:  psa-proftpd-1.3.0-fc7.build83071218.19
[application]Policy RPM:  selinux-policy-2.6.4-67.fc7Selinux
Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing
Mode:  PermissivePlugin Name:  plugins.catchallHost #1 SMP Tue
Dec 18 21:18:02 EST 2007 i686 i686

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 David 2008-01-13 05:53:59 UTC
Raw Audit Messages :avc: denied { search } for comm="in.proftpd" egid=0 euid=0
exe="/usr/sbin/proftpd" exit=205729777 fsgid=0 fsuid=0 gid=2524 items=0
pid=22365 scontext=system_u:system_r:ftpd_t:s0 sgid=0
subj=system_u:system_r:ftpd_t:s0 suid=0 tclass=key
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=10001 

Comment 2 Daniel Walsh 2008-01-14 17:38:05 UTC
*** Bug 428552 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2008-01-14 17:40:16 UTC
First off this is a bug in configuration.  But I do not understand how you get
to this.  It looks like proftp executed a pam_keyinit and then somehow started

Comment 4 David 2008-01-15 00:15:49 UTC
Maybe I can explain.  The server has several domains on it.  I have three
external camera's that ftp in images every 1 minute.

Now they themselves login via ftp and put the image into the domains

So I assume that pam is validating the ftp log in?

Cron, well you got me unless as its occuring every 1 minute exactly (synced off
the gps ntpd server on the network) its assuming cron?

There are some scripts that run by con on the domains, but these use wget to
fetch stuff not proftp, so its got to be the camera's ftping in.

Its extremly annoying, 3 camera's ftp in 1 image every 1 minute, and 1 remote
camera ftp's in 1 image every 5 minutes, in other words a LOT of generated messages.

What more info would you like?

Comment 5 Daniel Walsh 2008-01-15 14:47:07 UTC
Remove pam_keyinit from the cron pam file (system-auth)
will probably get rid of it.  

Or you could allow this, by executing 

# grep crond /var/log/audit/audit.log | audit2allow -M mycron
# semodule -i mycron.pp

It is not a security problem.

Note You need to log in before you can comment on or make changes to this bug.