Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Sorry for the fat finger on my side. Here is the report: Description of problem: some EPSV commands in proftpd fails, with the following AVC logged: type=AVC msg=audit(1322255771.231:29746): avc: denied { name_bind } for pid=12179 comm="proftpd" src=29760 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket The following rule fixes this: allow ftpd_t unreserved_port_t:tcp_socket name_bind; Version-Release number of selected component (if applicable): proftpd-1.3.4-1.fc16.x86_64 selinux-policy-3.10.0-56.fc16.noarch selinux-policy-targeted-3.10.0-56.fc16.noarch How reproducible: 100 % Steps to Reproduce: 1. install proftpd and configure it on an IPv6-reachable host 2. connect as anonymous from the remote host, make sure the client uses passive mode, enable debugging 3. list a directory several times Actual results: EPSV <number> command fails, the above mentioned AVC is logged. Expected results: Passive mode should work for all unused source ports. Additional info: Proftpd docs suggest that at least port range 49152-65534 should be made available for passive connections: http://www.proftpd.org/docs/directives/linked/config_ref_PassivePorts.html
And it is, but this tried to bind to port 29760
Oops this is fixed in selinux-policy 3.10.0-57 yum -y update selinux-policy
3.10.0-57 is still not available via yum (updates.repo). I have downloaded selinux-policy-3.10.0-62.fc16.noarch (and -targeted) from Koji, and it indeed fixes the problem for me. Thanks!