
Bug 713459

Summary: missing rule for ftpd_t
Product: Red Hat Enterprise Linux 6
Reporter: Zbysek MRAZ <zmraz>
Component: krb5-appl
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.1
CC: dpal, dwalsh, ebenes, jplans, nalin, prc
Target Milestone: rc
Target Release: 6.2
Hardware: All
OS: Linux
Fixed In Version: krb5-appl-1.0.1-3.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 17:36:33 UTC

Description Zbysek MRAZ 2011-06-15 13:25:56 UTC
Description of problem:
When trying to log in as an anonymous user to the gssftp daemon I got "Login failed." I tried enabling the allow_ftpd_anon_write, ftp_home_dir and allow_ftpd_full_access booleans; none of them helped.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch
krb5-appl-servers-1.0.1-2.el6.i686

How reproducible:
100%

Steps to Reproduce:
1. turn on kerberos gssftp daemon
2. login as anonymous user

Actual results:
[root@i386-6s-m1 ~]# ftp `hostname`
Connected to i386-6s-m1.ss.eng.bos.redhat.com.
220 i386-6s-m1.ss.eng.bos.redhat.com FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Unspecified GSS failure.  Minor code may provide more information
GSSAPI error minor: Credentials cache file '/tmp/krb5cc_0' not found
GSSAPI error: initializing context
GSSAPI authentication failed
Name (i386-6s-m1.ss.eng.bos.redhat.com:root): anonymous
331 Guest login ok, send ident as password.
Password:
550 Can't open PAM session.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye


audit.log:
time->Wed Jun 15 09:09:33 2011
type=SYSCALL msg=audit(1308143373.006:30826): arch=40000003 syscall=4 success=no exit=-13 a0=4 a1=f148d8 a2=38 a3=ffffffff items=0 ppid=31336 pid=31352 auid=14 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4611 comm="ftpd" exe="/usr/kerberos/sbin/ftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308143373.006:30826): avc:  denied  { compute_user } for  pid=31352 comm="ftpd" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Wed Jun 15 09:09:33 2011
type=SYSCALL msg=audit(1308143373.006:30827): arch=40000003 syscall=4 success=no exit=-13 a0=4 a1=f148d8 a2=32 a3=ffffffff items=0 ppid=31336 pid=31352 auid=14 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4611 comm="ftpd" exe="/usr/kerberos/sbin/ftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308143373.006:30827): avc:  denied  { compute_user } for  pid=31352 comm="ftpd" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security


# ausearch -m AVC -ts recent | grep ftp | audit2allow
#============= ftpd_t ==============
allow ftpd_t security_t:security compute_user;


/var/log/secure
Jun 15 09:09:33 i386-6s-m1 ftpd[31352]: pam_unix(gssftp:session): session opened for user ftp by (uid=0)
Jun 15 09:09:33 i386-6s-m1 ftpd[31352]: pam_selinux(gssftp:session): Unable to get valid context for ftp



Expected results:
# ftp `hostname`
Connected to i386-6s-m1.ss.eng.bos.redhat.com.
220 i386-6s-m1.ss.eng.bos.redhat.com FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Unspecified GSS failure.  Minor code may provide more information
GSSAPI error minor: Credentials cache file '/tmp/krb5cc_0' not found
GSSAPI error: initializing context
GSSAPI authentication failed
Name (i386-6s-m1.ss.eng.bos.redhat.com:root): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.


Additional info:
The same works on RHEL 5 without problems.
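
As an added example that is not part of the bug report and is not audit2allow's own code: the Python below parses AVC records like the two in the audit.log excerpt above, merges the denied permissions per (source type, target type, object class) and renders them in the same style as the audit2allow output shown, which is how the line `allow ftpd_t security_t:security compute_user;` is derived from the denials. The two `security`-class records are copied from the report; the `etc_t:file` records and the shortened SYSCALL line are constructed here to show how repeated permissions are merged and how non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample log. The first two AVC records are the ones from this
# bug report; the two etc_t:file records and the shortened SYSCALL record
# are made up for this example to exercise merging and record skipping.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1308143373.006:30826): avc:  denied  { compute_user } for  pid=31352 comm="ftpd" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1308143373.006:30827): avc:  denied  { compute_user } for  pid=31352 comm="ftpd" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1308143400.000:30900): avc:  denied  { read } for  pid=31352 comm="ftpd" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1308143400.000:30901): avc:  denied  { getattr } for  pid=31352 comm="ftpd" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1308143373.006:30827): arch=40000003 syscall=4 success=no exit=-13 comm="ftpd"
"""

# Fields of an AVC record that matter for rule generation.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text):
    """Merge denied AVCs into {(source type, target type, class): set of permissions}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            denials[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(denials)


def allow_rules(denials):
    """Render the merged denials as allow rules, grouped under a per-source-type header
    in the same layout audit2allow prints."""
    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        by_source[stype].append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    lines = []
    for stype in sorted(by_source):
        lines.append(f"#============= {stype} ==============")
        lines.extend(by_source[stype])
    return "\n".join(lines)


if __name__ == "__main__":
    print(allow_rules(collect_denials(SAMPLE_AUDIT_LOG)))
```

A rule produced this way grants the permission to every process running as the source type, so its output is a diagnostic for where the policy and the program disagree, not automatically the right fix; in this bug the `compute_user` denial is a symptom of pam_selinux being pulled into the gssftp PAM stack, and the fix went into the krb5-appl PAM configuration rather than into selinux-policy.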

Comment 1 Daniel Walsh 2011-06-15 13:47:32 UTC
This looks like pam_selinux is being called within gssftp's pam stack.

Comment 2 Nalin Dahyabhai 2011-06-15 13:59:51 UTC
It is, yes.

Comment 3 Daniel Walsh 2011-06-15 18:13:20 UTC
Well it should not, shouldn't it just use the /etc/pam.d/ftpd?

Comment 4 Nalin Dahyabhai 2011-06-15 18:32:32 UTC
Well there's no /etc/pam.d/ftpd, and we wouldn't want to be dragging a different FTP server onto the system with a file dependency.  Does the vsftpd configuration look right?

Comment 5 Daniel Walsh 2011-06-15 20:24:32 UTC
That one works, (Well at least I have never seen this bug).

Comment 6 Nalin Dahyabhai 2011-06-15 20:35:45 UTC
Good enough.  I'll just grab a copy of the file from source control and use it.

Comment 7 Nalin Dahyabhai 2011-06-20 18:01:50 UTC
The GSSAPI-aware FTP server and its configuration are actually in the krb5-appl package in 6; changing assigned component.

Comment 10 errata-xmlrpc 2011-12-06 17:36:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1706.html