Summary:

SELinux is preventing /usr/sbin/proftpd "search" access to /var/www.

Detailed Description:

SELinux denied access to /var/www requested by proftpd. /var/www has a context used for sharing by a different program. If you would like to share /var/www from proftpd also, you need to change its file context to public_content_t. If you did not intend to allow this access, this could signal an intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t public_content_t '/var/www'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t public_content_t '/var/www'"

Fix Command:

chcon -t public_content_t '/var/www'

Additional Information:

Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_sys_content_t:s0
Target Objects                /var/www [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           proftpd-1.3.2c-1.fc12
Target RPM Packages           httpd-2.2.14-1.fc12
Policy RPM                    selinux-policy-3.6.32-59.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   public_content
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
Alert Count                   22
First Seen                    Mon 01 Feb 2010 03:41:18 PM BRST
Last Seen                     Mon 01 Feb 2010 05:31:36 PM BRST
Local ID                      06298108-25e8-40a7-bf5a-d7421488fac4
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1265052696.368:37091): avc: denied { search } for pid=15030 comm="proftpd" name="www" dev=dm-0 ino=40081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1265052696.368:37091): arch=40000003 syscall=195 success=no exit=-13 a0=a10d998 a1=bf9ecfa8 a2=3f6ff4 a3=0 items=0 ppid=14797 pid=15030 auid=48 uid=0 gid=489 euid=0 suid=0 fsuid=0 egid=0 sgid=489 fsgid=0 tty=(none) ses=13 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-59.fc12,public_content,vsftpd,ftpd_t,httpd_sys_content_t,dir,search
audit2allow suggests:

#============= ftpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ftpd_full_access, allow_ftpd_full_access
allow ftpd_t httpd_sys_content_t:dir search;
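The report above is generated from two audit records that share one audit serial (37091): the AVC record carries the source/target contexts, object class and denied permission, and the SYSCALL record carries the executable path and result. The following is an added example (not setroubleshoot's or audit2allow's code) of how a reviewer can extract exactly those fields from raw audit.log text, join the two records by serial, and collapse repeated denials into the same audit2allow-style rule the report shows. The sample log is a constructed copy of the two records above; the rule it produces is for review only, not something to load into policy.

```python
"""Parse SELinux AVC denials from audit.log text, join each AVC record to its
SYSCALL record by audit serial, and summarize the denials as audit2allow-style
rules so a reviewer can decide between relabeling, a boolean, or a policy fix.
Added example, not setroubleshoot/audit2allow code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two records from the report above, as they would
# appear in /var/log/audit/audit.log (the "node=(removed)" prefix omitted).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1265052696.368:37091): avc: denied { search } for pid=15030 comm="proftpd" name="www" dev=dm-0 ino=40081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1265052696.368:37091): arch=40000003 syscall=195 success=no exit=-13 a0=a10d998 a1=bf9ecfa8 a2=3f6ff4 a3=0 items=0 ppid=14797 pid=15030 auid=48 uid=0 gid=489 euid=0 suid=0 fsuid=0 egid=0 sgid=489 fsgid=0 tty=(none) ses=13 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
"""

# Record header: type and the (timestamp:serial) pair that ties records together.
MSG_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# AVC body: decision, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value tokens; values may be quoted, parenthesized like (none), or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\([^)]*\)|\S+)')


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'a=1 b="x" c=(none)' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


@dataclass
class Denial:
    serial: str
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    comm: str = ''
    exe: str = ''      # filled in from the matching SYSCALL record
    success: str = ''  # likewise

    @property
    def source_type(self) -> str:
        # user:role:type[:range] -> the type is the third field
        return self.scontext.split(':')[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(':')[2]

    def allow_rule(self) -> str:
        """audit2allow-style rule text; a single permission is written bare."""
        perms = self.perms[0] if len(self.perms) == 1 else '{ ' + ' '.join(self.perms) + ' }'
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def parse_audit_log(text: str) -> List[Denial]:
    """Collect denied AVC records and attach exe/success from the SYSCALL
    record with the same audit serial."""
    denials: List[Denial] = []
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # not an audit record we understand
        serial, body = m.group('serial'), m.group('body')
        if m.group('type') == 'AVC':
            a = AVC_RE.match(body)
            if not a or a.group('decision') != 'denied':
                continue
            kv = parse_kv(a.group('rest'))
            denials.append(Denial(serial=serial, perms=a.group('perms').split(),
                                  scontext=kv['scontext'], tcontext=kv['tcontext'],
                                  tclass=kv['tclass'], comm=kv.get('comm', '')))
        elif m.group('type') == 'SYSCALL':
            syscalls[serial] = parse_kv(body)
    for d in denials:
        sc = syscalls.get(d.serial, {})
        d.exe, d.success = sc.get('exe', ''), sc.get('success', '')
    return denials


def summarize(denials: List[Denial]) -> Dict[str, int]:
    """Count denials per rule; many alerts (22 in the report above) usually
    collapse to one rule, which is what a reviewer needs to decide on."""
    counts: Dict[str, int] = defaultdict(int)
    for d in denials:
        counts[d.allow_rule()] += 1
    return dict(counts)


if __name__ == '__main__':
    for d in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{d.exe or d.comm} ({d.source_type}) denied {d.perms} on "
              f"{d.target_type}:{d.tclass}, success={d.success}")
    for rule, n in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{n:4d}  {rule}")
```

Feed it the output of `ausearch -m avc` or the audit.log file itself; the join on the audit serial is what lets you attribute a denial to the real executable (here /usr/sbin/proftpd) even when the report's "Source" field names a different daemon, as it does above.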
Were you using webmin to manage the ftp server? Any reason why the ftp server would want to look at apache content?
Miroslav, please add

    # webmin seems to cause this.
    apache_search_sys_content(daemon)

to init.te/.
Fixed in selinux-policy-3.6.32-87.fc12
selinux-policy-3.6.32-89.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-89.fc12
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1836
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.