Bug 566975 - SELinux boolean value ftp_home_dir overrides allow_ftpd_anon_write and correct selinux context
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2010-02-20 15:36 EST by Tomas Lestach
Modified: 2012-10-15 10:52 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-30 03:49:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Tomas Lestach 2010-02-20 15:36:16 EST
Description of problem:
If SELinux boolean ftp_home_dir is enabled, value allow_ftpd_anon_write and correct selinux context have no effect.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
(SELinux in Enforcing mode)

1. install vsftpd and set up a vsftpd server with anonymous upload enabled.

2. # setsebool -P ftp_home_dir 1

3. create a /var/ftp/inc directory
drwxrwx--- 2 root ftp 4096 Feb 20 14:47 /var/ftp/inc/

4. connect from another machine to the vsftpd and upload a file into the inc directory

Actual results:
File successfully uploaded!

# ls -Z /var/ftp/
drwxrwx---  root ftp  root:object_r:public_content_t   inc
drwxr-xr-x  root root system_u:object_r:public_content_t pub

# ls -Z /var/ftp/inc/
-rw-------  ftp ftp root:object_r:public_content_t   chz

# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off

Expected results:
File upload shall be denied unless correct selinux context is set and allow_ftpd_anon_write is enabled.

Additional info:
5. # setsebool -P ftp_home_dir 0
[File upload denied]

6. # setsebool -P allow_ftpd_anon_write 1
[File upload denied]

7. set correct selinux context
# semanage fcontext -a -t public_content_rw_t "/var/ftp/inc(/.*)?"
# restorecon -RvF /var/ftp/inc
[File upload successful]
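The following script is an added example and is not part of the bug report or of the selinux-policy package. It encodes the policy the "Expected results" above describe: an anonymous vsftpd upload into a directory is permitted only when the directory carries the public_content_rw_t type and allow_ftpd_anon_write is on, and ftp_home_dir plays no part in that decision. The getsebool output and file contexts embedded in it are constructed from steps 4 to 7 of the report rather than captured from a live host; the function names (expected_anon_write, ftp_home_dir_masks, audit_upload_dir) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report. Models the intended SELinux
# decision for anonymous vsftpd upload and flags the condition this bug
# describes (ftp_home_dir on). Sample inputs below are constructed.

# expected_anon_write BOOLS CONTEXT
#   BOOLS   : text in `getsebool -a` format ("name --> on|off" per line)
#   CONTEXT : SELinux context of the upload directory, e.g.
#             system_u:object_r:public_content_rw_t:s0
# Prints "allow" or "deny"; returns 0 for allow, 1 for deny.
expected_anon_write() {
    bools=$1
    ctx=$2
    # RHEL 5 names the boolean allow_ftpd_anon_write; newer policies call
    # it ftpd_anon_write. Accept either spelling.
    anon_write=$(printf '%s\n' "$bools" |
        awk '$1=="allow_ftpd_anon_write"||$1=="ftpd_anon_write"{print $3}')
    # The third colon-separated field of a context is the type.
    type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    if [ "$anon_write" = "on" ] && [ "$type" = "public_content_rw_t" ]; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# ftp_home_dir_masks BOOLS
# Returns 0 and prints a warning when ftp_home_dir is on. On the affected
# policy (fixed in selinux-policy-2.4.6-276.el5 according to comment 9)
# that boolean let the upload in step 4 succeed although allow_ftpd_anon_write
# was off and the directory was only public_content_t, so an anonymous-upload
# host should treat it as a finding until the policy is updated.
ftp_home_dir_masks() {
    home=$(printf '%s\n' "$1" | awk '$1=="ftp_home_dir"{print $3}')
    if [ "$home" = "on" ]; then
        echo "warning: ftp_home_dir is on; affected policies ignore allow_ftpd_anon_write and the file context"
        return 0
    fi
    return 1
}

# audit_upload_dir DIR
# Live check on a host with the SELinux userland: reads the real booleans
# and the directory's context via `stat -c %C`. Returns 2 if the tools are
# missing, otherwise the allow/deny status of expected_anon_write.
audit_upload_dir() {
    command -v getsebool >/dev/null 2>&1 || return 2
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 2
    bools=$(getsebool -a)
    ftp_home_dir_masks "$bools" >&2 || true
    expected_anon_write "$bools" "$ctx"
}

# Constructed inputs reproducing steps 4, 6 and 7 of the report.
BOOLS_STEP4='allow_ftpd_anon_write --> off
ftp_home_dir --> on'
BOOLS_STEP6='allow_ftpd_anon_write --> on
ftp_home_dir --> off'
CTX_STEP4='root:object_r:public_content_t'
CTX_STEP7='system_u:object_r:public_content_rw_t'

# Walk the report's steps; every line should match "Expected results".
walk_report() {
    printf 'step 4 (ftp_home_dir on, anon_write off, public_content_t): %s\n' \
        "$(expected_anon_write "$BOOLS_STEP4" "$CTX_STEP4")"
    ftp_home_dir_masks "$BOOLS_STEP4" || true
    printf 'step 6 (anon_write on, public_content_t):                   %s\n' \
        "$(expected_anon_write "$BOOLS_STEP6" "$CTX_STEP4")"
    printf 'step 7 (anon_write on, public_content_rw_t):                %s\n' \
        "$(expected_anon_write "$BOOLS_STEP6" "$CTX_STEP7")"
}

walk_report
```

To audit a real server, source the script and run `audit_upload_dir /var/ftp/inc`; the remediation for a "deny" on a directory that is meant to accept uploads is the semanage fcontext / restorecon pair from step 7 plus `setsebool -P allow_ftpd_anon_write 1`, and the warning from ftp_home_dir_masks only goes away by turning ftp_home_dir off or moving to a fixed policy.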
Comment 1 Eduard Benes 2010-02-22 04:30:26 EST
Changed component to selinux-policy. 

Tomas, which policy package version are you using? 
Is this a regression introduced by latest policy?
Comment 3 Tomas Lestach 2010-02-22 04:52:13 EST
# rpm -qa 'selinux-policy*'

I am not sure, if it's a regression, I didn't try any previous version.
Comment 9 Miroslav Grepl 2010-02-23 11:45:12 EST
Fixed in selinux-policy-2.4.6-276.el5
Comment 13 errata-xmlrpc 2010-03-30 03:49:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

