Bug 718310 - SELinux is preventing vsftpd (ftpd_t) "dac_override" to <Desconhecida> (ftpd_t).
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vsftpd
Version: 5.6
Hardware: athlon
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Jiri Skala
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-07-01 19:00 UTC by Erick Sanz
Modified: 2014-11-09 22:34 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-11 14:17:47 UTC
Target Upstream Version:



Description Erick Sanz 2011-07-01 19:00:45 UTC
Description of problem:
SELinux denied access requested by vsftpd. It is not expected that this access
is required by vsftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.


Version-Release number of selected component (if applicable):
# vsftpd -v
vsftpd: version 2.0.5


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info: (Copied from Selinux message)

Permitindo Acesso:
Você pode criar um módulo de diretivas local para permitir este acesso - veja
FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Ou você pode
desabilitar totalmente a proteção SELinux. Desabilitar a proteção SELinux
não é recomendável. Por favor submeta um relatório de erro
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) contra este pacote.

Outras informações:
Contexto de Origem            user_u:system_r:ftpd_t
Contexto de Destino           user_u:system_r:ftpd_t
Objeto de Destino             None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Desconhecida>
Host                          andromeda2.onlink.com.br
Source RPM Packages           vsftpd-2.0.5-16.el5_6.1
Target RPM Packages
Política RPM                 selinux-policy-2.4.6-300.el5_6.1
SELinux Habilitado            True
Tipo de Política             targeted
MLS Habilitado                True
Modo de Reforço              Enforcing
Nome do Plugin                catchall
Nome da Máquina              andromeda2.onlink.com.br
Plataforma                    Linux andromeda2.onlink.com.br
                              2.6.18-238.12.1.el5xen #1 SMP Tue May 31 14:02:29
                              EDT 2011 x86_64 x86_64
Contador de Alertas           3
Visto Pela Primeira Vez       Fri Jul  1 14:58:29 2011
Visto Pela Última Vez        Fri Jul  1 15:08:37 2011
ID Local                      9406d020-62d2-42e1-82dd-a5e3ea7b393c
Números de Linhas

Messages NOT processed of

host=andromeda2.onlink.com.br type=AVC msg=audit(1309543717.919:1068): avc:  denied  { dac_override } for  pid=7345 comm="vsftpd" capability=1 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability

host=andromeda2.onlink.com.br type=AVC msg=audit(1309543717.919:1068): avc:  denied  { dac_read_search } for  pid=7345 comm="vsftpd" capability=2 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability

host=andromeda2.onlink.com.br type=SYSCALL msg=audit(1309543717.919:1068): arch=c000003e syscall=161 success=no exit=-13 a0=2b31184e204a a1=0 a2=0 a3=0 items=0 ppid=7341 pid=7345 auid=500 uid=0 gid=0 euid=0 suid=500 fsuid=0 egid=0 sgid=500 fsgid=0 tty=(none) ses=132 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
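
A triage sketch added here as an example (it is not part of the original report and is not Red Hat or setroubleshoot code): it groups the raw audit records pasted in the description by event serial, so the denied capabilities can be read next to the syscall that raised them. The function name `correlate` and the one-entry syscall table (161 is chroot on x86_64) are assumptions of this example.

```python
import errno
import re
from collections import defaultdict

# Assumption of this example: a one-entry syscall table for arch=c000003e
# (x86_64), covering only the syscall number that appears in this report.
X86_64_SYSCALLS = {161: "chroot"}

# The three raw records pasted in the description (audit event serial 1068).
_H = "host=andromeda2.onlink.com.br "
_CTX = "scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability"
RECORDS = [
    _H + 'type=AVC msg=audit(1309543717.919:1068): avc:  denied  { dac_override } for  pid=7345 comm="vsftpd" capability=1 ' + _CTX,
    _H + 'type=AVC msg=audit(1309543717.919:1068): avc:  denied  { dac_read_search } for  pid=7345 comm="vsftpd" capability=2 ' + _CTX,
    _H + 'type=SYSCALL msg=audit(1309543717.919:1068): arch=c000003e syscall=161 success=no exit=-13 a0=2b31184e204a a1=0 a2=0 a3=0 items=0 ppid=7341 pid=7345 auid=500 uid=0 gid=0 euid=0 suid=500 fsuid=0 egid=0 sgid=500 fsgid=0 tty=(none) ses=132 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)',
]

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(lines):
    """Group AVC and SYSCALL records that share an audit event serial."""
    events = defaultdict(lambda: {"denied": []})
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[int(serial)]
        if rtype == "AVC":
            perms = PERMS_RE.search(line)
            ev["denied"] += perms.group(1).split() if perms else []
            ev["scontext"], ev["tclass"] = fields.get("scontext"), fields.get("tclass")
        elif rtype == "SYSCALL":
            nr = int(fields["syscall"])
            known = X86_64_SYSCALLS if fields.get("arch") == "c000003e" else {}
            ev["syscall"] = known.get(nr, f"syscall#{nr}")
            # A negative exit value is -errno; 13 is EACCES on Linux.
            ev["errno"] = errno.errorcode.get(-int(fields["exit"]), fields["exit"])
            ev["ids"] = {k: int(fields[k]) for k in ("auid", "uid", "euid", "suid")}
    return dict(events)

if __name__ == "__main__":
    for serial, ev in correlate(RECORDS).items():
        print(serial, ev)
```

For the records in this report, both capability denials fall inside a single chroot() call that failed with EACCES, made by a vsftpd process running with uid 0 on behalf of login session auid 500.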

Comment 1 Jiri Skala 2011-07-12 12:17:14 UTC
Hi,
if you use the following option

local_enable=YES

try to set the SELinux boolean:

# setsebool ftp_home_dir on

eventually try full access:

# setsebool allow_ftpd_full_access on

and let me know about the result.

Best regards Jiri

Comment 2 Jiri Skala 2011-07-15 07:22:34 UTC
Any findings regarding comment #1?

Comment 3 Jiri Skala 2011-08-11 14:17:47 UTC
There is no additional information, so I'm going to close this bug.

If the difficulties persist, don't hesitate to reopen the bug with the additional information, e.g. that asked for in comment #1.

