Bug 926022 - SELinux prevents vsftpd (ftpd_t) access to glusterfs-fuse mount ('fusefs_t') provided by Red Hat Storage (RHS) server
Summary: SELinux prevents vsftpd (ftpd_t) access to glusterfs-fuse mount ('fusefs_t') ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1004656
TreeView+ depends on / blocked
 
Reported: 2013-03-23 10:07 UTC by Rejy M Cyriac
Modified: 2013-11-21 10:21 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-219.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1004656 (view as bug list)
Environment:
Last Closed: 2013-11-21 10:21:28 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Rejy M Cyriac 2013-03-23 10:07:47 UTC
Description of problem:


If glusterfs-fuse mount is used for the ftp data directory, the vsftpd process is prevented from accessing the content by SELinux.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
selinux-policy-3.7.19-195.el6_4.3.noarch

How reproducible:


Steps to Reproduce:
1.set up an Red Hat Storage (RHS) server to provide a glusterfs volume, with the data to be provided by the ftp server

2.mount the glusterfs volume on a RHEL 6 system, using glusterfs-fuse mount, under '/var/ftp/' and start vsftpd service

3. The data provided through the glusterfs volume is not accessible over ftp

---------------------------------------------------------------

[root@appserver01 ~]# df -TH /var/ftp/RHS/
Filesystem    Type     Size   Used  Avail Use% Mounted on
RHSvm01:/AppStore
    fuse.glusterfs     387G   813M   386G   1% /var/ftp/RHS

[root@appserver01 ~]# ls -dZ /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/

[root@appserver01 ~]# ls -dZ /var/ftp/RHS/
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0    /var/ftp/RHS/

[root@appserver01 ~]# ls -dZ /var/ftp/RHS/text/
drwxr-xr-x. root root system_u:object_r:fusefs_t:s0    /var/ftp/RHS/text/

[root@appserver01 ~]# ls -dZ /var/ftp/RHS/text/README 
-rw-r--r--. root root system_u:object_r:fusefs_t:s0    /var/ftp/RHS/text/README

==============

type=AVC msg=audit(1363985072.884:45108): avc:  denied  { read } for  pid=5859 comm="vsftpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363985072.884:45108): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d28e0 a1=90800 a2=7f4e963d28c0 a3=2 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363985078.364:45109): avc:  denied  { read } for  pid=5859 comm="vsftpd" name="text" dev=fuse ino=11094933297973025225 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1363985078.364:45109): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d28e0 a1=90800 a2=7f4e963d28c0 a3=2 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363985083.126:45110): avc:  denied  { read } for  pid=5859 comm="vsftpd" name="README" dev=fuse ino=11388689439636774762 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=SYSCALL msg=audit(1363985083.126:45110): arch=c000003e syscall=2 success=no exit=-13 a0=7f4e963d2db0 a1=800 a2=7f4e963d2820 a3=11 items=0 ppid=5857 pid=5859 auid=0 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)


---------------------------------------------------------------

It is interesting to note that SELinux does not prevent ftpd from entering the directories on the glusterfs volume, but all other access is prevented.

Additional Points:

1) If the 'allow_ftpd_full_access' SELinux boolean is turned on, the access to the glusterfs data is allowed.

2) If the glusterfs volume is mounted over nfs, and the 'allow_ftpd_use_nfs' SELinux boolean is turned on, the access to the glusterfs data is allowed.

I believe that a new SELinux boolean 'allow_ftpd_use_fusefs', with the required allow rules, is desirable, to have this access allowed.
  
Actual results:

vsftpd (ftpd_t) cannot access content stored in a gluster volume, mounted using gluster-fuse (fusefs_t) mount method.

Expected results:

vsftpd (ftpd_t) should be able to access content stored in a gluster volume, mounted using gluster-fuse (fusefs_t) mount method.

Additional info:

Comment 1 Miroslav Grepl 2013-03-25 10:48:15 UTC
I added fixes to Fedora. Will back port.

Comment 6 Miroslav Grepl 2013-08-06 10:52:34 UTC
ftpd_use_fusefs boolean has been added.

Comment 9 Miroslav Grepl 2013-10-02 09:48:19 UTC
Ok, ftpd_use_fusefs updated.

Comment 13 errata-xmlrpc 2013-11-21 10:21:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html


Note You need to log in before you can comment on or make changes to this bug.