Bug 772205 - RFE: support for proftpd mod_ban
RFE: support for proftpd mod_ban
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.8
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-01-06 07:46 EST by Paul Howarth
Modified: 2013-01-07 22:31 EST (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-329.el5
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 22:31:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Paul Howarth 2012-01-06 07:46:32 EST
Description of problem:

mod_ban in proftpd uses shared memory, which isn't currently permitted in EL-5 policy. Support for this was added in Fedora 11 (http://www.redhat.com/archives/fedora-selinux-list/2009-July/msg00012.html) and the following additional policy is needed for EL-5 support:

allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:tcp_socket lock;

The tcp_socket lock permission isn't needed in Fedora because rw_socket_perms (as used by create_socket_perms, as used by create_stream_socket_perms, allowed in policy) includes "lock" permission but this is not the case for EL-5.
Comment 1 Milos Malik 2012-01-06 08:25:01 EST
These AVCs appeared when I restarted proftpd in permissive mode. mod_ban was enabled.

----
time->Fri Jan  6 08:17:10 2012
type=SYSCALL msg=audit(1325855830.526:1049): arch=40000003 syscall=117 success=yes exit=6225926 a0=17 a1=4c00800b a2=55010 a3=7b6 items=0 ppid=18661 pid=18662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325855830.526:1049): avc:  denied  { create } for  pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----
time->Fri Jan  6 08:17:10 2012
type=SYSCALL msg=audit(1325855830.527:1050): arch=40000003 syscall=117 success=yes exit=0 a0=15 a1=5f0006 a2=0 a3=bf91fc78 items=0 ppid=18661 pid=18662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325855830.527:1050): avc:  denied  { read write } for  pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
type=AVC msg=audit(1325855830.527:1050): avc:  denied  { unix_read unix_write } for  pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----
Comment 2 Milos Malik 2012-01-06 08:32:00 EST
Oops, I missed these:

----
time->Fri Jan  6 08:28:45 2012
type=SYSCALL msg=audit(1325856525.696:1060): arch=40000003 syscall=117 success=no exit=-13 a0=17 a1=4c00800b a2=0 a3=0 items=0 ppid=18726 pid=18727 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325856525.696:1060): avc:  denied  { associate } for  pid=18727 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----
time->Fri Jan  6 08:28:44 2012
type=SYSCALL msg=audit(1325856524.717:1059): arch=40000003 syscall=117 success=no exit=-13 a0=18 a1=5f0006 a2=100 a3=0 items=0 ppid=1 pid=18663 auid=0 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=99 fsgid=0 tty=(none) ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1325856524.717:1059): avc:  denied  { destroy } for  pid=18663 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm
----
Comment 3 Daniel Walsh 2012-01-06 10:46:16 EST
We have allow ftpd_t self:shm create_shm_perms;
 in RHEL6.
Comment 8 Milos Malik 2012-07-16 05:53:01 EDT
Could you modify the policy so that the label of /etc/rc.d/init.d/proftpd file changes from initrc_exec_t to ftpd_initrc_exec_t ?
Comment 9 Miroslav Grepl 2012-07-16 06:23:11 EDT
Yes. Added to -329.el5
Comment 12 errata-xmlrpc 2013-01-07 22:31:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

Note You need to log in before you can comment on or make changes to this bug.