Red Hat Bugzilla – Bug 926022
SELinux prevents vsftpd (ftpd_t) access to glusterfs-fuse mount ('fusefs_t') provided by Red Hat Storage (RHS) server
Last modified: 2013-11-21 05:21:28 EST
Description of problem:
If glusterfs-fuse mount is used for the ftp data directory, the vsftpd process is prevented from accessing the content by SELinux.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
selinux-policy-3.7.19-195.el6_4.3.noarch

How reproducible:

Steps to Reproduce:
1. Set up a Red Hat Storage (RHS) server to provide a glusterfs volume, with the data to be provided by the ftp server.
2. Mount the glusterfs volume on a RHEL 6 system, using glusterfs-fuse mount, under '/var/ftp/' and start vsftpd service.
3. The data provided through the glusterfs volume is not accessible over ftp.

---------------------------------------------------------------
[root@appserver01 ~]# df -TH /var/ftp/RHS/
Filesystem        Type            Size  Used  Avail  Use%  Mounted on
RHSvm01:/AppStore fuse.glusterfs  387G  813M  386G   1%    /var/ftp/RHS

[root@appserver01 ~]# ls -dZ /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/
[root@appserver01 ~]# ls -dZ /var/ftp/RHS/
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0 /var/ftp/RHS/
[root@appserver01 ~]# ls -dZ /var/ftp/RHS/text/
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0 /var/ftp/RHS/text/
[root@appserver01 ~]# ls -dZ /var/ftp/RHS/text/README
-rw-r--r--. root root system_u:object_r:fusefs_t:s0 /var/ftp/RHS/text/README

==============

type=AVC msg=audit(1363985072.884:45108): avc: denied { read } for pid=5859 comm="vsftpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363985072.884:45108): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d28e0 a1=90800 a2=7f4e963d28c0 a3=2 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1363985078.364:45109): avc: denied { read } for pid=5859 comm="vsftpd" name="text" dev=fuse ino=11094933297973025225 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363985078.364:45109): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d28e0 a1=90800 a2=7f4e963d28c0 a3=2 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1363985083.126:45110): avc: denied { read } for pid=5859 comm="vsftpd" name="README" dev=fuse ino=11388689439636774762 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=SYSCALL msg=audit(1363985083.126:45110): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d2db0 a1=800 a2=7f4e963d2820 a3=11 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
---------------------------------------------------------------

It is interesting to note that SELinux does not prevent ftpd from entering the directories on the glusterfs volume, but all other access is prevented.

Additional Points:
1) If the 'allow_ftpd_full_access' SELinux boolean is turned on, the access to the glusterfs data is allowed.
2) If the glusterfs volume is mounted over nfs, and the 'allow_ftpd_use_nfs' SELinux boolean is turned on, the access to the glusterfs data is allowed.

I believe that a new SELinux boolean 'allow_ftpd_use_fusefs', with the required allow rules, is desirable, to have this access allowed.

Actual results:
vsftpd (ftpd_t) cannot access content stored in a gluster volume, mounted using gluster-fuse (fusefs_t) mount method.

Expected results:
vsftpd (ftpd_t) should be able to access content stored in a gluster volume, mounted using gluster-fuse (fusefs_t) mount method.

Additional info:
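A triage helper for AVC denials like the ones in this report, added here as an example (it is not part of the report or of selinux-policy): it parses the AVC records, groups them by source type, target type and object class with the union of denied permissions, and looks up the boolean the report identifies for the ftpd_t to fusefs_t pair. The sample audit lines and the KNOWN_BOOLEANS table are constructed from this report and are assumptions, not a complete policy mapping.

```python
import re
from collections import defaultdict

# Fields of an AVC record that matter for triage: permissions, source and
# target contexts, and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')

# Booleans this report associates with ftpd_t reaching NFS or FUSE-backed
# storage (assumption: a small table built from the report, not all of policy).
KNOWN_BOOLEANS = {
    ("ftpd_t", "fusefs_t"): "ftpd_use_fusefs",
    ("ftpd_t", "nfs_t"): "allow_ftpd_use_nfs",
}

# Constructed sample: two AVC records modelled on the report plus one
# SYSCALL record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1363985072.884:45108): avc: denied { read } for pid=5859 comm="vsftpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363985072.884:45108): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1363985083.126:45110): avc: denied { read } for pid=5859 comm="vsftpd" name="README" dev=fuse ino=11388689439636774762 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
"""

def selinux_type(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the triage fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": set(m.group("perms").split()),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass")}

def triage(lines):
    """Group denials by (source type, target type, class), union the denied
    permissions, and attach the boolean known to cover that type pair."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [{"source": s, "target": t, "tclass": c, "perms": sorted(p),
             "boolean": KNOWN_BOOLEANS.get((s, t))}
            for (s, t, c), p in sorted(grouped.items())]
```

Feed it the output of ausearch or the raw audit.log lines; a row whose boolean is None is a type pair this table does not cover and needs a policy look-up rather than a boolean flip.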
I added fixes to Fedora. Will back port.
ftpd_use_fusefs boolean has been added.
Ok, ftpd_use_fusefs updated.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html