Bug 703798 - SELinux is preventing vsftpd (ftpd_t) "dac_override" to <Unknown> (ftpd_t)
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
5.7
All Linux
unspecified Severity high
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Reported: 2011-05-11 05:47 EDT by Aleš Mareček
Modified: 2011-05-11 06:49 EDT (History)

Last Closed: 2011-05-11 06:49:05 EDT
Description Aleš Mareček 2011-05-11 05:47:27 EDT
Description of problem:

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# sealert -l 0084035f-653d-4029-9770-6c95f81044ce

Summary:

SELinux is preventing vsftpd (ftpd_t) "dac_override" to <Unknown> (ftpd_t).

Detailed Description:

SELinux denied access requested by vsftpd. It is not expected that this access
is required by vsftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:ftpd_t
Target Context                root:system_r:ftpd_t
Target Objects                None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          hp-bl460c-02.rhts.eng.bos.redhat.com
Source RPM Packages           vsftpd-2.0.5-16.el5_6.1
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-302.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-bl460c-02.rhts.eng.bos.redhat.com
Platform                      Linux hp-bl460c-02.rhts.eng.bos.redhat.com
                              2.6.18-259.el5 #1 SMP Fri Apr 29 01:10:46 EDT 2011
                              i686 i686
Alert Count                   9
First Seen                    Tue May 10 09:46:02 2011
Last Seen                     Wed May 11 05:15:30 2011
Local ID                      0084035f-653d-4029-9770-6c95f81044ce
Line Numbers                  

Raw Audit Messages            

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=AVC msg=audit(1305105330.545:295): avc:  denied  { dac_override } for  pid=32504 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=AVC msg=audit(1305105330.545:295): avc:  denied  { dac_read_search } for  pid=32504 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=SYSCALL msg=audit(1305105330.545:295): arch=40000003 syscall=61 success=no exit=-13 a0=46ef16 a1=0 a2=4769fc a3=1 items=0 ppid=32500 pid=32504 auid=0 uid=0 gid=0 euid=0 suid=501 fsuid=0 egid=0 sgid=501 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-302.el5
vsftpd-2.0.5-16.el5_6.1

How reproducible:
Always

Steps to Reproduce:
1. Install and configure vsftpd server:
cat <<EOF >/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_std_format=NO
listen=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
background=YES
EOF
2. Create a user
3. Login to ftp server as created user

Actual results:
i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): bah
331 Please specify the password.
Password:
500 OOPS: chroot
Login failed.
ftp> quit
i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ls -laZ /home | grep bah
drwx------  bah  bah  user_u:object_r:user_home_dir_t  bah

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ausearch -m avc -ts recent
- SNIP -
time->Wed May 11 05:28:04 2011
type=SYSCALL msg=audit(1305106084.981:340): arch=40000003 syscall=61 success=no exit=-13 a0=9d0f16 a1=0 a2=9d89fc a3=1 items=0 ppid=32657 pid=32661 auid=0 uid=0 gid=0 euid=0 suid=501 fsuid=0 egid=0 sgid=501 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1305106084.981:340): avc:  denied  { dac_read_search } for  pid=32661 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1305106084.981:340): avc:  denied  { dac_override } for  pid=32661 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability


======================================

 - New user (bah2) has been created: useradd bah2

No chrooting => Same config file (/etc/vsftpd/vsftpd.conf) BUT WITH OPTION: chroot_local_user=NO
i:ppc64|m:ppc64 root@ibm-squad3-lp1 [vsftpd]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): bah2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,190,10)
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/home/bah2"
ftp> send vsftpd.conf
local: vsftpd.conf remote: vsftpd.conf
227 Entering Passive Mode (127,0,0,1,59,96)
553 Could not create file.

i:ppc64|m:ppc64 root@ibm-squad3-lp1 [vsftpd]# ausearch -m avc -ts recent
- SNIP -
time->Wed May 11 05:37:09 2011
type=SYSCALL msg=audit(1305106629.994:209): arch=14 syscall=5 success=no exit=-13 a0=80461d0 a1=10c41 a2=1b6 a3=6e66 items=0 ppid=4363 pid=4367 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1305106629.994:209): avc:  denied  { create } for  pid=4367 comm="vsftpd" name="vsftpd.conf" scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file


Expected results:
No AVC; the user is able to store their files.

Additional info:
Comment 1 Aleš Mareček 2011-05-11 05:55:07 EDT
fireftp log:
500 OOPS: chroot
500 OOPS: child died
Comment 2 Miroslav Grepl 2011-05-11 06:49:05 EDT
Ales,
you need to turn on the ftp_home_dir boolean.

setsebool -P ftp_home_dir 1

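An added triage helper, not part of the bug report or of the selinux-policy package, that parses the AVC records quoted above and checks whether a batch of vsftpd denials is the home-directory pattern that Miroslav's ftp_home_dir boolean addresses, or something that should be reviewed before any access is granted. The function names (`parse_avc`, `ftp_home_dir_covers`, `triage`) are my own; the sample lines are copied from the report.

```python
import re
from collections import namedtuple

# AVC records copied from the report above: the two capability denials from the
# chroot_local_user=YES run and the file-create denial from the chroot_local_user=NO run.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1305106084.981:340): avc:  denied  { dac_read_search } for  pid=32661 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1305106084.981:340): avc:  denied  { dac_override } for  pid=32661 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1305106629.994:209): avc:  denied  { create } for  pid=4367 comm="vsftpd" name="vsftpd.conf" scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
"""
# One parsed record; sdomain/ttype hold only the SELinux *type* part of each context.
AvcDenial = namedtuple("AvcDenial", "pid comm perms sdomain ttype tclass")

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\}\s+for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type[:level] -> type, the part policy rules and booleans are written against."""
    return context.split(":")[2]

def parse_avc(text):
    """Return an AvcDenial for every 'avc: denied' line; SYSCALL and other records are skipped."""
    out = []
    for m in (AVC_RE.search(line) for line in text.splitlines()):
        if m:
            out.append(AvcDenial(int(m["pid"]), m["comm"], frozenset(m["perms"].split()),
                                 selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"]))
    return out

HOME_TYPES = {"user_home_t", "user_home_dir_t"}   # seen in `ls -laZ /home` and the file AVC
DAC_CAPS = {"dac_override", "dac_read_search"}    # capability=1 and capability=2 in the report

def ftp_home_dir_covers(d):
    """True only for the two denial shapes in the report; anything else from ftpd_t stays flagged."""
    if d.sdomain != "ftpd_t":
        return False
    if d.tclass == "capability":
        return d.ttype == "ftpd_t" and d.perms <= DAC_CAPS
    return d.tclass in ("file", "dir") and d.ttype in HOME_TYPES

def triage(text):
    """Count how many denials the boolean explains and say what to do with the batch."""
    denials = parse_avc(text)
    unexplained = [d for d in denials if not ftp_home_dir_covers(d)]
    if denials and not unexplained:
        return {"denials": len(denials), "unexplained": 0, "action": "setsebool -P ftp_home_dir 1"}
    return {"denials": len(denials), "unexplained": len(unexplained), "action": "review with audit2allow -w"}
```

Feed it the output of `ausearch -m avc -ts recent`; a batch that contains any denial outside the two shapes above is reported for review rather than answered with the boolean.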