Bug 772205 - RFE: support for proftpd mod_ban
Summary: RFE: support for proftpd mod_ban
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-06 12:46 UTC by Paul Howarth
Modified: 2013-01-08 03:31 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-2.4.6-329.el5
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 03:31:23 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0060 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-01-08 08:27:19 UTC

Description Paul Howarth 2012-01-06 12:46:32 UTC
Description of problem:

mod_ban in proftpd uses shared memory, which isn't currently permitted in EL-5 policy. Support for this was added in Fedora 11 (http://www.redhat.com/archives/fedora-selinux-list/2009-July/msg00012.html) and the following additional policy is needed for EL-5 support:

allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:tcp_socket lock;

The tcp_socket lock permission isn't needed in Fedora because rw_socket_perms (as used by create_socket_perms, as used by create_stream_socket_perms, allowed in policy) includes "lock" permission but this is not the case for EL-5.

Comment 1 Milos Malik 2012-01-06 13:25:01 UTC
These AVCs appeared when I restarted proftpd in permissive mode. mod_ban was enabled.

----
time->Fri Jan  6 08:17:10 2012
type=SYSCALL msg=audit(1325855830.526:1049): arch=40000003 syscall=117 success=yes exit=6225926 a0=17 a1=4c00800b a2=55010 a3=7b6 items=0 ppid=18661 pid=18662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325855830.526:1049): avc:  denied  { create } for  pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----
time->Fri Jan  6 08:17:10 2012
type=SYSCALL msg=audit(1325855830.527:1050): arch=40000003 syscall=117 success=yes exit=0 a0=15 a1=5f0006 a2=0 a3=bf91fc78 items=0 ppid=18661 pid=18662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325855830.527:1050): avc:  denied  { read write } for  pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
type=AVC msg=audit(1325855830.527:1050): avc:  denied  { unix_read unix_write } for  pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----

Comment 2 Milos Malik 2012-01-06 13:32:00 UTC
Oops, I missed these:

----
time->Fri Jan  6 08:28:45 2012
type=SYSCALL msg=audit(1325856525.696:1060): arch=40000003 syscall=117 success=no exit=-13 a0=17 a1=4c00800b a2=0 a3=0 items=0 ppid=18726 pid=18727 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325856525.696:1060): avc:  denied  { associate } for  pid=18727 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----
time->Fri Jan  6 08:28:44 2012
type=SYSCALL msg=audit(1325856524.717:1059): arch=40000003 syscall=117 success=no exit=-13 a0=18 a1=5f0006 a2=100 a3=0 items=0 ppid=1 pid=18663 auid=0 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=99 fsgid=0 tty=(none) ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325856524.717:1059): avc:  denied  { destroy } for  pid=18663 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----

Comment 3 Daniel Walsh 2012-01-06 15:46:16 UTC
We have allow ftpd_t self:shm create_shm_perms;
 in RHEL6.

Comment 8 Milos Malik 2012-07-16 09:53:01 UTC
Could you modify the policy so that the label of /etc/rc.d/init.d/proftpd file changes from initrc_exec_t to ftpd_initrc_exec_t ?

Comment 9 Miroslav Grepl 2012-07-16 10:23:11 UTC
Yes. Added to -329.el5

Comment 12 errata-xmlrpc 2013-01-08 03:31:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html


Note You need to log in before you can comment on or make changes to this bug.