This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 480569 - SELinux AVC Denial when starting vsftpd server
SELinux AVC Denial when starting vsftpd server
Status: CLOSED DUPLICATE of bug 484370
Product: Fedora
Classification: Fedora
Component: kdebase (Show other bugs)
10
i386 Linux
low Severity low
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-18 21:50 EST by Victoria Earl
Modified: 2009-02-06 09:47 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-06 09:47:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Victoria Earl 2009-01-18 21:50:10 EST
Description of problem: Starting vsftpd server from command line with fresh install (of vsftpd) triggers AVC Denial in SELinux.


Version-Release number of selected component (if applicable): 2.0.7-1


How reproducible: Should be easy to reproduce.


Steps to Reproduce:
1.  bash: yum install vsftpd
2.  bash: service vsftpd start
  
Actual results:
SELinux pops up with notification when server is started.

Expected results:
Server to start without tripping SELinux.

Additional info:
SE Alert follows:

Summary:

SELinux is preventing the ftp daemon from writing files outside the home
directory (socket).

Detailed Description:

SELinux has denied the ftp daemon write access to directories outside the home
directory (socket). Someone has logged in via your ftp daemon and is trying to
create or write a file. If you only setup ftp to allow anonymous ftp, this could
signal a intrusion attempt.

Allowing Access:

If you do not want SELinux preventing ftp from writing files anywhere on the
system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P
allow_ftpd_full_access=1"

Fix Command:

setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          Vicki-laptop
Source RPM Packages           vsftpd-2.0.7-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_full_access
Host Name                     Vicki-laptop
Platform                      Linux Vicki-laptop 2.6.27.9-159.fc10.i686 #1 SMP
                              Tue Dec 16 15:12:04 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sun 18 Jan 2009 09:32:48 PM EST
Last Seen                     Sun 18 Jan 2009 09:43:43 PM EST
Local ID                      5a137477-a6c9-4805-928c-1940913edd36
Line Numbers                  

Raw Audit Messages            

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23178]" dev=sockfs ino=23178 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=AVC msg=audit(1232333023.520:65): avc:  denied  { read write } for  pid=6220 comm="vsftpd" path="socket:[23108]" dev=sockfs ino=23108 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Vicki-laptop type=SYSCALL msg=audit(1232333023.520:65): arch=40000003 syscall=11 success=yes exit=0 a0=83f0a28 a1=83f0a90 a2=83f0c90 a3=0 items=0 ppid=6219 pid=6220 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-01-19 15:31:44 EST
Are you starting this from a konsole terminal?
Comment 2 Victoria Earl 2009-01-19 16:01:08 EST
Yes.
Comment 3 Victoria Earl 2009-01-19 16:01:50 EST
(In reply to comment #1)
> Are you starting this from a konsole terminal?

(Forgot to click 'reply')

Yes.
Comment 4 Daniel Walsh 2009-01-19 16:09:28 EST
This is a known bug with konsole terminals.  They are leaking file descriptors.

ls -lZ /proc/self/fd

Will show you all of the open file descriptors on the konsole.

It should look like

ls -lZ /proc/self/fd
lrwx------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       0 -> /dev/pts/0
lrwx------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       1 -> /dev/pts/0
lrwx------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       2 -> /dev/pts/0
lr-x------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       3 -> /proc/9943/fd

But there are lots of file descriptrs that are not being closed on exec and SELinux notices this and closes the descriptor before executing the confined application.

You can safely ignore these avc messages.
Comment 5 Victoria Earl 2009-01-19 16:37:12 EST
Thank you.  I w(In reply to comment #4)
> This is a known bug with konsole terminals.  They are leaking file descriptors.
> 
> ls -lZ /proc/self/fd
> 
> Will show you all of the open file descriptors on the konsole.
> 
> It should look like
> 
> ls -lZ /proc/self/fd
> lrwx------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       0 -> /dev/pts/0
> lrwx------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       1 -> /dev/pts/0
> lrwx------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       2 -> /dev/pts/0
> lr-x------  dwalsh dwalsh staff_u:staff_r:staff_t:s0       3 -> /proc/9943/fd
> 
> But there are lots of file descriptrs that are not being closed on exec and
> SELinux notices this and closes the descriptor before executing the confined
> application.
> 
> You can safely ignore these avc messages.

Thank you.  I'll look into switching terminals to prevent related behavior in SELinux.
Comment 6 Steven M. Parrish 2009-02-04 07:35:52 EST
Thank you for the bug report.  This issue needs to be addressed by the upstream developers.  Please submit a report at http://bugs.kde.org. You are requested to add the bugzilla link here for tracking purposes. Please make sure the bug isn't already in the upstream bug tracker before filing it.
Comment 7 Steven M. Parrish 2009-02-06 09:47:56 EST

*** This bug has been marked as a duplicate of bug 484370 ***

Note You need to log in before you can comment on or make changes to this bug.