Description of problem:
If the SELinux boolean ftp_home_dir is enabled, the value of allow_ftpd_anon_write and the correct SELinux context have no effect.

Version-Release number of selected component (if applicable):
vsftpd-2.0.5-16.el5

How reproducible:
always

Steps to Reproduce:
(SELinux in Enforcing mode)
1. install vsftpd and set up a vsftpd server with anonymous upload enabled:
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
2. # setsebool -P ftp_home_dir 1
3. create a /var/ftp/inc directory
drwxrwx--- 2 root ftp 4096 Feb 20 14:47 /var/ftp/inc/
4. connect from another machine to the vsftpd and upload a file into the inc directory

Actual results:
File successfully uploaded!
# ls -Z /var/ftp/
drwxrwx--- root ftp root:object_r:public_content_t inc
drwxr-xr-x root root system_u:object_r:public_content_t pub
# ls -Z /var/ftp/inc/
-rw------- ftp ftp root:object_r:public_content_t chz
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off

Expected results:
File upload shall be denied unless the correct SELinux context is set and allow_ftpd_anon_write is enabled.

Additional info:
5. # setsebool -P ftp_home_dir 0
[File upload denied]
6. # setsebool -P allow_ftpd_anon_write 1
[File upload denied]
7. set the correct SELinux context
# semanage fcontext -a -t public_content_rw_t "/var/ftp/inc(/.*)?"
# restorecon -RvF /var/ftp/inc
[File upload successful]
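The gating rule the report's "Expected results" describes (anonymous upload allowed only when allow_ftpd_anon_write is on and the directory is labelled public_content_rw_t, with ftp_home_dir alone granting nothing) can be turned into a small audit script. The following is an added example, not code from the bug report, from vsftpd or from selinux-policy; the function names, the allow_ftpd_full_access override and the sample strings are this example's own assumptions, and the sample text is constructed to match the report's "Actual results". Run it with no arguments for an offline demo on that sample, or as `sh audit.sh --live /var/ftp/inc allow` after a real test upload to compare the observed outcome against what the policy should have decided.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report, vsftpd or selinux-policy).
# Rule being checked: an anonymous upload should succeed only when
# allow_ftpd_anon_write is on AND the target directory's type is
# public_content_rw_t; allow_ftpd_full_access is treated as an override
# (assumption); ftp_home_dir alone must not open the directory.

# Constructed sample text in the shape of `getsebool -a | grep ftp` and
# `ls -Zd`, copied from the report's "Actual results" (the buggy state).
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> on'
SAMPLE_LSZ='drwxrwx--- root ftp root:object_r:public_content_t inc'

# sebool NAME BOOLS_TEXT: print the boolean's value ("on"/"off"; "off" if absent)
sebool() {
    val=$(printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $3; exit }')
    printf '%s\n' "${val:-off}"
}

# setype LSZ_LINE: print the SELinux type from an `ls -Z` line
# (the context field looks like user:role:type or user:role:type:level)
setype() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# expected_anon_write BOOLS_TEXT LSZ_LINE: print "allow" or "deny", i.e. what a
# correct policy should do for an anonymous upload into that directory.
expected_anon_write() {
    if [ "$(sebool allow_ftpd_full_access "$1")" = on ]; then
        echo allow; return
    fi
    if [ "$(sebool allow_ftpd_anon_write "$1")" = on ] \
       && [ "$(setype "$2")" = public_content_rw_t ]; then
        echo allow; return
    fi
    echo deny
}

# check_observed BOOLS_TEXT LSZ_LINE OBSERVED: compare what a real upload
# attempt did ("allow" or "deny") with the expected decision. Exit status 1
# plus a warning means the policy is not gating the directory as it should.
check_observed() {
    exp=$(expected_anon_write "$1" "$2")
    if [ "$exp" = "$3" ]; then
        echo "ok: expected=$exp observed=$3"
        return 0
    fi
    echo "WARNING: expected=$exp but observed=$3 (type=$(setype "$2"), ftp_home_dir=$(sebool ftp_home_dir "$1"))" >&2
    return 1
}

# remediate DIR: the labelling and boolean change from the report's steps 6
# and 7. Only echoes the commands unless APPLY=1 is set in the environment.
remediate() {
    run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "would run: $*"; fi; }
    run semanage fcontext -a -t public_content_rw_t "$1(/.*)?"
    run restorecon -RvF "$1"
    run setsebool -P allow_ftpd_anon_write 1
}

if [ "${1:-}" = --live ]; then
    # Live mode: read the real system state for directory $2 and compare it
    # with the outcome ($3: "allow" or "deny") you observed from a test upload.
    check_observed "$(getsebool -a | grep ftp)" "$(ls -Zd "$2")" "$3" || remediate "$2"
else
    # Offline demo on the constructed sample: the report saw the upload succeed.
    check_observed "$SAMPLE_BOOLS" "$SAMPLE_LSZ" allow || remediate /var/ftp/inc
fi
```

The check deliberately keys on the directory type rather than on the DAC bits (drwxrwx--- root ftp in the report), because mode bits are exactly what the ftp_home_dir path was letting through; a directory that is writable to the ftp group but labelled public_content_t should still come out as "deny".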
Changed component to selinux-policy. Tomas, which policy package version are you using? Is this a regression introduced by latest policy?
# rpm -qa 'selinux-policy*'
selinux-policy-2.4.6-255.el5
selinux-policy-targeted-2.4.6-255.el5
I am not sure if it's a regression; I didn't try any previous version.
Fixed in selinux-policy-2.4.6-276.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html