Summary:

SELinux is preventing /usr/sbin/vsftpd "net_raw" access.

Detailed Description:

SELinux denied access requested by vsftpd. It is not expected that this access is required by vsftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vsftpd-2.2.0-5.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   7
First Seen                    Fri 13 Nov 2009 10:44:31 AM EST
Last Seen                     Fri 13 Nov 2009 10:50:32 AM EST
Local ID                      b6fb037c-fdf8-424d-8f62-1fd31803ce8d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258127432.231:30676): avc: denied { net_raw } for pid=19392 comm="vsftpd" capability=13 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1258127432.231:30676): arch=c000003e syscall=56 success=no exit=-1 a0=40000011 a1=0 a2=7f630eecf84e a3=0 items=0 ppid=0 pid=19392 auid=3633 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,vsftpd,ftpd_t,ftpd_t,capability,net_raw
audit2allow suggests:

#============= ftpd_t ==============
allow ftpd_t self:capability net_raw;
*** Bug 540560 has been marked as a duplicate of this bug. ***
Fixed in net-next-2.6 by

13f18aa05f5abe135f47b6417537ae2b2fedc18c
3f378b684453f2a028eda463ce383370545d9cc9
c84b3268da3b85c9d8a9e504e1001a14ed829e94

This will land in Linus' tree in the 2.6.33 development window.
*** Bug 542002 has been marked as a duplicate of this bug. ***
*** Bug 532180 has been marked as a duplicate of this bug. ***
*** Bug 544550 has been marked as a duplicate of this bug. ***
Is there any workaround currently? This seems to cause FTP clients' connections to get dropped when they try to enter passive mode.
You can add these rules for now using

# grep ftp /var/log/audit/audit.log | audit2allow -M brokenftp
# semodule -i brokenftp.pp
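What the raw AVC/SYSCALL pair in the report actually says, and how audit2allow arrives at the rule quoted above, can be checked without the tools installed. This is an added example, not code from the bug report or from the SELinux/vsftpd projects; it assumes x86_64 syscall numbering (arch c000003e, syscall 56 is clone) and the CLONE_NEWNET bit value from the kernel headers, and it handles only the fields present in this report.

```python
import re

# Sample input: the two audit records from the report above (the reporter
# already replaced the node= field), trimmed to the fields used here.
AVC_LINE = ('type=AVC msg=audit(1258127432.231:30676): avc: denied { net_raw } '
            'for pid=19392 comm="vsftpd" capability=13 '
            'scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 '
            'tclass=capability')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1258127432.231:30676): arch=c000003e '
                'syscall=56 success=no exit=-1 a0=40000011 a1=0 '
                'a2=7f630eecf84e a3=0 pid=19392 uid=0 comm="vsftpd" '
                'exe="/usr/sbin/vsftpd"')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
                    r'\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    # user:role:type[:range] -> type
    return context.split(':')[2]

def avc_to_allow_rule(line):
    """Rewrite one AVC denial as the allow rule audit2allow emits for it."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    src, tgt = selinux_type(m['scon']), selinux_type(m['tcon'])
    # Source and target type are both ftpd_t here, which collapses to 'self'.
    target = 'self' if src == tgt else tgt
    perms = ' '.join(sorted(m['perms'].split()))
    return f'allow {src} {target}:{m["tclass"]} {perms};'

# Assumed tables, limited to this report: x86_64 only, and just the clone()
# bit needed to read a0. The low byte of clone's flag word is the exit signal.
SYSCALLS_X86_64 = {56: 'clone'}
CLONE_FLAG_NAMES = {0x40000000: 'CLONE_NEWNET'}
SIGNAL_NAMES = {17: 'SIGCHLD'}

def decode_syscall(line):
    """Identify the syscall during which the denied capability check ran."""
    kv = dict(tok.split('=', 1) for tok in line.split() if '=' in tok)
    if kv.get('arch') != 'c000003e':
        return None
    nr, a0 = int(kv['syscall']), int(kv['a0'], 16)
    info = {'syscall': SYSCALLS_X86_64.get(nr, f'nr_{nr}'),
            'success': kv.get('success') == 'yes'}
    if info['syscall'] == 'clone':
        info['flags'] = [n for bit, n in CLONE_FLAG_NAMES.items() if a0 & bit]
        info['exit_signal'] = SIGNAL_NAMES.get(a0 & 0xff, str(a0 & 0xff))
    return info
```

Running both functions over the quoted records reproduces the audit2allow rule and shows the denial was raised inside a clone() call carrying CLONE_NEWNET, which is the context a reviewer wants before deciding whether a local module like brokenftp.pp is acceptable.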
*** Bug 547339 has been marked as a duplicate of this bug. ***
*** Bug 565374 has been marked as a duplicate of this bug. ***
should be fixed in 2.6.32
(In reply to comment #10)
> should be fixed in 2.6.32

It's not fixed in .32.

$ uname -a
Linux balthasar 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
$ uptime
 11:10:51 up 11:58,  1 user,  load average: 0.04, 0.06, 0.02
# tail -n1 /var/log/messages
May 10 10:56:46 balthasar setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access . For complete SELinux messages. run sealert -l 62fd1d32-516a-4d86-99df-b835f0c4d34c
Can you attach the raw audit messages from the denial? (at the bottom of the sealert output it suggests?) I'm trying to verify I thought it was in .32 and not .33.....
So basically I just lied in comment #10.....

$ git tag -l "v2.6*" --contains c84b3268da3b85c9d8a9e504e1001a14ed829e94
v2.6.33
v2.6.33-rc1
v2.6.33-rc2
v2.6.33-rc3
v2.6.33-rc4
v2.6.33-rc5
v2.6.33-rc6
v2.6.33-rc7
v2.6.33-rc8
v2.6.34-rc1
v2.6.34-rc2
v2.6.34-rc3
v2.6.34-rc4
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7

It did not appear in mainline until 2.6.33-rc1. The first real release was 2.6.33 :(

I'm sorry for lying. You can just carry the policy module Dan suggested in comment #7 until you get on .33.