Description of problem:

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# sealert -l 0084035f-653d-4029-9770-6c95f81044ce

Summary:

SELinux is preventing vsftpd (ftpd_t) "dac_override" to <Unknown> (ftpd_t).

Detailed Description:

SELinux denied access requested by vsftpd. It is not expected that this access
is required by vsftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:ftpd_t
Target Context                root:system_r:ftpd_t
Target Objects                None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          hp-bl460c-02.rhts.eng.bos.redhat.com
Source RPM Packages           vsftpd-2.0.5-16.el5_6.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-302.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-bl460c-02.rhts.eng.bos.redhat.com
Platform                      Linux hp-bl460c-02.rhts.eng.bos.redhat.com
                              2.6.18-259.el5 #1 SMP Fri Apr 29 01:10:46 EDT 2011
                              i686 i686
Alert Count                   9
First Seen                    Tue May 10 09:46:02 2011
Last Seen                     Wed May 11 05:15:30 2011
Local ID                      0084035f-653d-4029-9770-6c95f81044ce
Line Numbers

Raw Audit Messages

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=AVC msg=audit(1305105330.545:295): avc: denied { dac_override } for pid=32504 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=AVC msg=audit(1305105330.545:295): avc: denied { dac_read_search } for pid=32504 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

host=hp-bl460c-02.rhts.eng.bos.redhat.com type=SYSCALL msg=audit(1305105330.545:295): arch=40000003 syscall=61 success=no exit=-13 a0=46ef16 a1=0 a2=4769fc a3=1 items=0 ppid=32500 pid=32504 auid=0 uid=0 gid=0 euid=0 suid=501 fsuid=0 egid=0 sgid=501 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-302.el5
vsftpd-2.0.5-16.el5_6.1

How reproducible:
Always

Steps to Reproduce:
1. Install and configure vsftpd server:

cat <<EOF >/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_std_format=NO
listen=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
background=YES
EOF

2. Create a user
3. Login to ftp server as created user

Actual results:

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): bah
331 Please specify the password.
Password:
500 OOPS: chroot
Login failed.
ftp> quit

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ls -laZ /home | grep bah
drwx------  bah  bah  user_u:object_r:user_home_dir_t  bah

i:i386|m:i686 root@hp-bl460c-02 [vsftpd]# ausearch -m avc -ts recent
- SNIP -
time->Wed May 11 05:28:04 2011
type=SYSCALL msg=audit(1305106084.981:340): arch=40000003 syscall=61 success=no exit=-13 a0=9d0f16 a1=0 a2=9d89fc a3=1 items=0 ppid=32657 pid=32661 auid=0 uid=0 gid=0 euid=0 suid=501 fsuid=0 egid=0 sgid=501 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1305106084.981:340): avc: denied { dac_read_search } for pid=32661 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1305106084.981:340): avc: denied { dac_override } for pid=32661 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

======================================

- New user (bah2) has been created: useradd bah2
- No chrooting => Same config file (/etc/vsftpd/vsftpd.conf) BUT WITH OPTION:
  chroot_local_user=NO

i:ppc64|m:ppc64 root@ibm-squad3-lp1 [vsftpd]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): bah2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,190,10)
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/home/bah2"
ftp> send vsftpd.conf
local: vsftpd.conf remote: vsftpd.conf
227 Entering Passive Mode (127,0,0,1,59,96)
553 Could not create file.

i:ppc64|m:ppc64 root@ibm-squad3-lp1 [vsftpd]# ausearch -m avc -ts recent
- SNIP -
time->Wed May 11 05:37:09 2011
type=SYSCALL msg=audit(1305106629.994:209): arch=14 syscall=5 success=no exit=-13 a0=80461d0 a1=10c41 a2=1b6 a3=6e66 items=0 ppid=4363 pid=4367 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1305106629.994:209): avc: denied { create } for pid=4367 comm="vsftpd" name="vsftpd.conf" scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

Expected results:
no AVC, user is able to store their files.

Additional info:

fireftp log:
500 OOPS: chroot
500 OOPS: child died
Ales, you need to turn on the ftp_home_dir boolean.

setsebool -P ftp_home_dir 1
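The AVC records quoted in this report, parsed and triaged the way an admin would before reaching for a boolean (an added example, not part of the bug report or of selinux-policy; the mapping of both denial patterns, the dac_* capabilities and file access under user_home_t, to ftp_home_dir follows the reply above and is an assumption of this example):

```python
import re
from collections import Counter

# AVC records copied verbatim from the report above; the list itself is constructed for this example.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1305105330.545:295): avc: denied { dac_override } for pid=32504 comm="vsftpd" capability=1 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1305105330.545:295): avc: denied { dac_read_search } for pid=32504 comm="vsftpd" capability=2 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1305106629.994:209): avc: denied { create } for pid=4367 comm="vsftpd" name="vsftpd.conf" scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'serial': m.group('serial'),
           'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('kv')):
        rec[key] = val.strip('"')
    for side in ('s', 't'):  # a context is user:role:type:level; the type is the third field
        rec[side + 'type'] = rec.get(side + 'context', '::').split(':')[2]
    return rec

def suggest_boolean(rec):
    """Map an ftpd_t denial to the boolean named in the thread's reply, else None.
    Assumption: only the two denial patterns seen in this report are recognised."""
    if rec['verdict'] != 'denied' or rec['stype'] != 'ftpd_t':
        return None
    home_file = rec.get('tclass') in ('file', 'dir') and rec['ttype'].startswith('user_home')
    dac_cap = rec.get('tclass') == 'capability' and any(p.startswith('dac_') for p in rec['perms'])
    return 'ftp_home_dir' if (home_file or dac_cap) else None

def triage(lines):
    """Count denials per suggested boolean; unmapped denials are filed under 'manual review'."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[suggest_boolean(rec) or 'manual review'] += 1
    return counts

if __name__ == '__main__':
    print(dict(triage(SAMPLE_AVCS)))  # {'ftp_home_dir': 3}
```

Anything that lands under 'manual review' is a denial the boolean does not explain and deserves a closer look rather than a local policy module.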