Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 703798

Summary: SELinux is preventing vsftpd (ftpd_t) "dac_override" to <Unknown> (ftpd_t)
Product: Red Hat Enterprise Linux 5 Reporter: Aleš Mareček <amarecek>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 5.7CC: devel, dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-11 10:49:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Aleš Mareček 2011-05-11 09:47:27 UTC 
Description of problem:

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# sealert -l 0084035f-653d-4029-9770-6c95f81044ce

Summary:

SELinux is preventing vsftpd (ftpd_t) "dac_override" to <Unknown> (ftpd_t).

Detailed Description:

SELinux denied access requested by vsftpd. It is not expected that this access
is required by vsftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:ftpd_t
Target Context                root:system_r:ftpd_t
Target Objects                None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          hp-bl460c-02.rhts.eng.bos.redhat.com
Source RPM Packages           vsftpd-2.0.5-16.el5_6.1
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-302.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-bl460c-02.rhts.eng.bos.redhat.com
Platform                      Linux hp-bl460c-02.rhts.eng.bos.redhat.com
                              2.6.18-259.el5 #1 SMP Fri Apr 29 01:10:46 EDT 2011
                              i686 i686
Alert Count                   9
First Seen                    Tue May 10 09:46:02 2011
Last Seen                     Wed May 11 05:15:30 2011
Local ID                      0084035f-653d-4029-9770-6c95f81044ce
Line Numbers                  

Raw Audit Messages            

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=AVC msg=audit(1305105330.545:295): avc:  denied  { dac_override } for  pid=32504 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=AVC msg=audit(1305105330.545:295): avc:  denied  { dac_read_search } for  pid=32504 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=SYSCALL msg=audit(1305105330.545:295): arch=40000003 syscall=61 success=no exit=-13 a0=46ef16 a1=0 a2=4769fc a3=1 items=0 ppid=32500 pid=32504 auid=0 uid=0 gid=0 euid=0 suid=501 fsuid=0 egid=0 sgid=501 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)



Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-302.el5
vsftpd-2.0.5-16.el5_6.1

How reproducible:
Always

Steps to Reproduce:
1. Install and configure vsftpd server:
cat <<EOF >/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_std_format=NO
listen=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
background=YES
EOF
2. Create a user
3. Login to ftp server as created user

Actual results:
i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): bah
331 Please specify the password.
Password:
500 OOPS: chroot
Login failed.
ftp> quit
i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ls -laZ /home | grep bah
drwx------  bah  bah  user_u:object_r:user_home_dir_t  bah

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ausearch -m avc -ts recent
- SNIP -
time->Wed May 11 05:28:04 2011
type=SYSCALL msg=audit(1305106084.981:340): arch=40000003 syscall=61 success=no exit=-13 a0=9d0f16 a1=0 a2=9d89fc a3=1 items=0 ppid=32657 pid=32661 auid=0 uid=0 gid=0 euid=0 suid=501 fsuid=0 egid=0 sgid=501 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1305106084.981:340): avc:  denied  { dac_read_search } for  pid=32661 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1305106084.981:340): avc:  denied  { dac_override } for  pid=32661 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability


======================================

 - New user (bah2) has been created: useradd bah2

No chrooting => Same config file (/etc/vsftpd/vsftpd.conf) BUT WITH OPTION: chroot_local_user=NO
i:ppc64|m:ppc64 root@ibm-squad3-lp1 [vsftpd]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): bah2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,190,10)
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/home/bah2"
ftp> send vsftpd.conf
local: vsftpd.conf remote: vsftpd.conf
227 Entering Passive Mode (127,0,0,1,59,96)
553 Could not create file.

i:ppc64|m:ppc64 root@ibm-squad3-lp1 [vsftpd]# ausearch -m avc -ts recent
- SNIP -
time->Wed May 11 05:37:09 2011
type=SYSCALL msg=audit(1305106629.994:209): arch=14 syscall=5 success=no exit=-13 a0=80461d0 a1=10c41 a2=1b6 a3=6e66 items=0 ppid=4363 pid=4367 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1305106629.994:209): avc:  denied  { create } for  pid=4367 comm="vsftpd" name="vsftpd.conf" scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file


Expected results:
no AVC, user is possible to store its files.

Additional info:
Comment 1 Aleš Mareček 2011-05-11 09:55:07 UTC 
fireftp log:
500 OOPS: chroot
500 OOPS: child died
Comment 2 Miroslav Grepl 2011-05-11 10:49:05 UTC 
Ales,
you need to turn on the ftp_home_dir boolean.

setsebool -P ftp_home_dir 1
Comment 3 Jason Woods 2023-10-30 11:38:47 UTC 
The chroot hold folder for the user needs to be accessible by root. (With SELinux enabled, vsftpd has the capability to override permissions removed, so you need to maintain access to the folder for both the user you will be running as, and the root user so that chroot can take place.)

I fixed this by assigning root as the group owner of the folder in question and assigning read permissions to group (root).