Description of problem: mod_ban in proftpd uses shared memory, which isn't currently permitted in EL-5 policy. Support for this was added in Fedora 11 (http://www.redhat.com/archives/fedora-selinux-list/2009-July/msg00012.html) and the following additional policy is needed for EL-5 support: allow ftpd_t self:shm create_shm_perms; allow ftpd_t self:tcp_socket lock; The tcp_socket lock permission isn't needed in Fedora because rw_socket_perms (as used by create_socket_perms, as used by create_stream_socket_perms, allowed in policy) includes "lock" permission but this is not the case for EL-5.
These AVCs appeared when I restarted proftpd in permissive mode. mod_ban was enabled. ---- time->Fri Jan 6 08:17:10 2012 type=SYSCALL msg=audit(1325855830.526:1049): arch=40000003 syscall=117 success=yes exit=6225926 a0=17 a1=4c00800b a2=55010 a3=7b6 items=0 ppid=18661 pid=18662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null) type=AVC msg=audit(1325855830.526:1049): avc: denied { create } for pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm ---- time->Fri Jan 6 08:17:10 2012 type=SYSCALL msg=audit(1325855830.527:1050): arch=40000003 syscall=117 success=yes exit=0 a0=15 a1=5f0006 a2=0 a3=bf91fc78 items=0 ppid=18661 pid=18662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null) type=AVC msg=audit(1325855830.527:1050): avc: denied { read write } for pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm type=AVC msg=audit(1325855830.527:1050): avc: denied { unix_read unix_write } for pid=18662 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm ----
Oops, I missed these: ---- time->Fri Jan 6 08:28:45 2012 type=SYSCALL msg=audit(1325856525.696:1060): arch=40000003 syscall=117 success=no exit=-13 a0=17 a1=4c00800b a2=0 a3=0 items=0 ppid=18726 pid=18727 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null) type=AVC msg=audit(1325856525.696:1060): avc: denied { associate } for pid=18727 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm ---- time->Fri Jan 6 08:28:44 2012 type=SYSCALL msg=audit(1325856524.717:1059): arch=40000003 syscall=117 success=no exit=-13 a0=18 a1=5f0006 a2=100 a3=0 items=0 ppid=1 pid=18663 auid=0 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=99 fsgid=0 tty=(none) ses=34 comm="proftpd" exe="/usr/sbin/proftpd" subj=root:system_r:ftpd_t:s0 key=(null) type=AVC msg=audit(1325856524.717:1059): avc: denied { destroy } for pid=18663 comm="proftpd" key=1275101195 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=shm ----
We have allow ftpd_t self:shm create_shm_perms; in RHEL6.
Could you modify the policy so that the label of /etc/rc.d/init.d/proftpd file changes from initrc_exec_t to ftpd_initrc_exec_t ?
Yes. Added to -329.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html