Summary:

SELinux is preventing the ftp daemon from writing files outside the home directory (untitled folder).

Detailed Description:

SELinux has denied the ftp daemon write access to directories outside the home directory (untitled folder). Someone has logged in via your ftp daemon and is trying to create or write a file. If you only setup ftp to allow anonymous ftp, this could signal an intrusion attempt.

Allowing Access:

If you do not want SELinux preventing ftp from writing files anywhere on the system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P allow_ftpd_full_access=1"

Fix Command:

setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:httpd_user_content_t:s0
Target Objects                untitled folder [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vsftpd-2.2.0-6.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_full_access
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-166.fc12.i686 #1 SMP Wed Dec 9 11:14:59 EST 2009 i686 i686
Alert Count                   5
First Seen                    Thu 17 Dec 2009 12:12:29 PM HST
Last Seen                     Thu 17 Dec 2009 12:12:30 PM HST
Local ID                      dadc8a55-39cb-493b-89ce-7fd0204066a2
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1261087950.905:30903): avc: denied { write } for pid=2864 comm="vsftpd" name=756E7469746C656420666F6C646572 dev=dm-0 ino=221451 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1261087950.905:30903): arch=40000003 syscall=5 success=no exit=-13 a0=2720968 a1=8c41 a2=1b6 a3=1b6 items=0 ppid=1 pid=2864 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-56.fc12,allow_ftpd_full_access,vsftpd,ftpd_t,httpd_user_content_t,dir,write

audit2allow suggests:

#============= ftpd_t ==============
allow ftpd_t httpd_user_content_t:dir write;
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-60.fc12.noarch

You do have the ftp_home_dir boolean turned on?
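As an added example (not part of the original report or its comments), the AVC record from the report can be parsed to decode the hex-encoded name field and to derive the same allow rule that audit2allow suggests, limited to denials raised by one command. The second log line, the example_t domain and the function names are constructed for this illustration.

```python
import re

# LOG[0] is the AVC record from the report above. LOG[1] is constructed for
# this example: an unrelated denial from a hypothetical domain example_t.
LOG = [
    'node=(removed) type=AVC msg=audit(1261087950.905:30903): avc: denied '
    '{ write } for pid=2864 comm="vsftpd" name=756E7469746C656420666F6C646572 '
    'dev=dm-0 ino=221451 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1261087951.000:30904): avc: denied { read } for '
    'pid=3001 comm="example" name="x.conf" dev=dm-0 ino=1 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
UNTRUSTED = {'name', 'comm', 'exe', 'path'}  # string fields auditd may hex-encode

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for f in FIELD_RE.finditer(m.group(3)):
        key, quoted, bare = f.groups()
        if quoted is not None:
            rec[key] = quoted
        elif key in UNTRUSTED and HEX_RE.fullmatch(bare):
            # An unquoted value in a string field is hex-encoded bytes.
            rec[key] = bytes.fromhex(bare).decode('utf-8', 'replace')
        else:
            rec[key] = bare
    return rec

def allow_rules(lines, comm):
    """Allow rules only for denials raised by the given command name."""
    rules = set()
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] != 'denied' or rec.get('comm') != comm:
            continue
        src = rec['scontext'].split(':')[2]  # user:role:type:level
        tgt = rec['tcontext'].split(':')[2]
        perms = rec['perms']
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.add(f"allow {src} {tgt}:{rec['tclass']} {p};")
    return sorted(rules)
```

The decoded name matches the "untitled folder" target object in the report; the name is hex-encoded in the raw record because it contains a space.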
selinux-policy-3.6.32-63.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-63.fc12
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184
selinux-policy-3.6.32-63.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.