Description of problem:
Starting vsftpd server from command line with fresh install (of vsftpd) triggers AVC Denial in SELinux.

Version-Release number of selected component (if applicable):
2.0.7-1

How reproducible:
Should be easy to reproduce.

Steps to Reproduce:
1. bash: yum install vsftpd
2. bash: service vsftpd start

Actual results:
SELinux pops up with notification when server is started.

Expected results:
Server to start without tripping SELinux.

Additional info:
SE Alert follows:

Summary:
SELinux is preventing the ftp daemon from writing files outside the home directory (socket).

Detailed Description:
SELinux has denied the ftp daemon write access to directories outside the home directory (socket). Someone has logged in via your ftp daemon and is trying to create or write a file. If you only setup ftp to allow anonymous ftp, this could signal a intrusion attempt.

Allowing Access:
If you do not want SELinux preventing ftp from writing files anywhere on the system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P allow_ftpd_full_access=1"

Fix Command:
setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          Vicki-laptop
Source RPM Packages           vsftpd-2.0.7-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_full_access
Host Name                     Vicki-laptop
Platform                      Linux Vicki-laptop 2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sun 18 Jan 2009 09:32:48 PM EST
Last Seen                     Sun 18 Jan 2009 09:43:43 PM EST
Local ID                      5a137477-a6c9-4805-928c-1940913edd36
Line Numbers

Raw Audit Messages

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23178]" dev=sockfs ino=23178 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc: denied { read write } for pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=Vicki-laptop type=SYSCALL msg=audit(1232333023.520:65): arch=40000003 syscall=11 success=yes exit=0 a0=83f0a28 a1=83f0a90 a2=83f0c90 a3=0 items=0 ppid=6219 pid=6220 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0 key=(null)
Are you starting this from a konsole terminal?
Yes.
(In reply to comment #1)
> Are you starting this from a konsole terminal?

(Forgot to click 'reply') Yes.
This is a known bug with konsole terminals. They are leaking file descriptors.

ls -lZ /proc/self/fd

Will show you all of the open file descriptors on the konsole.

It should look like

ls -lZ /proc/self/fd
lrwx------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 0 -> /dev/pts/0
lrwx------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 1 -> /dev/pts/0
lrwx------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 2 -> /dev/pts/0
lr-x------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 3 -> /proc/9943/fd

But there are lots of file descriptors that are not being closed on exec and SELinux notices this and closes the descriptor before executing the confined application.

You can safely ignore these avc messages.
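Comment #4 above attributes the denials to descriptors that konsole leaves open across exec: the confined vsftpd process (ftpd_t) finds itself holding a unix_stream_socket labelled unconfined_t, SELinux denies read/write on it and closes it. The C program below is an added example, not code from this bug report, from konsole or from vsftpd. It counts the descriptors above stdin/stdout/stderr that a child would inherit (those without FD_CLOEXEC, a flag that ls -lZ /proc/self/fd does not show), and demonstrates the parent-side fix of marking every such descriptor close-on-exec before spawning anything. The pipe created in main() is a constructed stand-in for a leaked socket; the scan limit of 65536 is an assumption chosen to keep the fcntl() probing cheap.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Highest descriptor number worth probing: the soft RLIMIT_NOFILE, capped
 * (assumed 65536) so a huge limit does not turn the scan into millions of
 * fcntl() calls. Descriptors above the cap are not examined. */
static int fd_scan_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY
        && rl.rlim_cur < 65536)
        return (int)rl.rlim_cur;
    return 65536;
}

/* Count descriptors above stderr that are open and lack FD_CLOEXEC, i.e. the
 * ones an exec'd child such as vsftpd would inherit from this process.
 * Returns -1 if fcntl() fails for a reason other than "not open". */
int count_inheritable_fds(void)
{
    int n = 0, limit = fd_scan_limit();
    for (int fd = 3; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF)
                continue;               /* descriptor not open */
            return -1;
        }
        if (!(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Parent-side mitigation: set FD_CLOEXEC on every open descriptor above
 * stderr so nothing leaks into children. Returns the number of descriptors
 * changed, or -1 on error. */
int mark_all_cloexec(void)
{
    int changed = 0, limit = fd_scan_limit();
    for (int fd = 3; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF)
                continue;
            return -1;
        }
        if (flags & FD_CLOEXEC)
            continue;                   /* already safe */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    int p[2];

    printf("inheritable descriptors at start: %d\n", count_inheritable_fds());

    /* Constructed stand-in for the leaked socket: a pipe created without
     * O_CLOEXEC, which is the state a leaking parent leaves behind. */
    if (pipe(p) == -1) {
        perror("pipe");
        return 1;
    }
    printf("after pipe():                     %d\n", count_inheritable_fds());

    printf("descriptors fixed:                %d\n", mark_all_cloexec());
    printf("after marking close-on-exec:      %d\n", count_inheritable_fds());

    close(p[0]);
    close(p[1]);
    return 0;
}
```

Run from a terminal, the first number is what that terminal (or any other ancestor) has already handed this process; a non-zero value is the condition behind the AVC messages in this report. A process that spawns confined services should see zero after calling mark_all_cloexec(), and new descriptors should be opened with O_CLOEXEC or SOCK_CLOEXEC in the first place.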
(In reply to comment #4)
> This is a known bug with konsole terminals. They are leaking file descriptors.
>
> ls -lZ /proc/self/fd
>
> Will show you all of the open file descriptors on the konsole.
>
> It should look like
>
> ls -lZ /proc/self/fd
> lrwx------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 0 -> /dev/pts/0
> lrwx------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 1 -> /dev/pts/0
> lrwx------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 2 -> /dev/pts/0
> lr-x------ dwalsh dwalsh staff_u:staff_r:staff_t:s0 3 -> /proc/9943/fd
>
> But there are lots of file descriptrs that are not being closed on exec and
> SELinux notices this and closes the descriptor before executing the confined
> application.
>
> You can safely ignore these avc messages.

Thank you. I'll look into switching terminals to prevent related behavior in SELinux.
Thank you for the bug report. This issue needs to be addressed by the upstream developers. Please submit a report at http://bugs.kde.org. You are requested to add the bugzilla link here for tracking purposes. Please make sure the bug isn't already in the upstream bug tracker before filing it.
*** This bug has been marked as a duplicate of bug 484370 ***