Bug 961958 - SELinux is preventing vsftpd from 'read' accesses on the directory ftp.
Summary: SELinux is preventing vsftpd from 'read' accesses on the directory ftp.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1b4b61f54ee2e10aabfdf9b7cf6...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-10 20:21 UTC by Emmanuel Arias
Modified: 2013-05-13 07:53 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-05-13 07:53:37 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Emmanuel Arias 2013-05-10 20:21:21 UTC 
Description of problem:
SELinux is preventing vsftpd from 'read' accesses on the directory ftp.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that vsftpd should be allowed read access on the ftp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:home_root_t:s0
Target Objects                ftp [ dir ]
Source                        vsftpd
Source Path                   vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.4-102.fc17.x86_64 #1 SMP Sun
                              Mar 24 13:09:09 UTC 2013 x86_64 x86_64
Alert Count                   61
First Seen                    2013-05-10 17:07:10 ART
Last Seen                     2013-05-10 17:14:13 ART
Local ID                      89d92875-921a-4f0f-b3ea-af361ba4223a

Raw Audit Messages
type=AVC msg=audit(1368216853.223:841): avc:  denied  { read } for  pid=31355 comm="vsftpd" name="ftp" dev="dm-2" ino=8388609 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir


Hash: vsftpd,ftpd_t,home_root_t,dir,read

audit2allow

#============= ftpd_t ==============
#!!!! This avc is allowed in the current policy

allow ftpd_t home_root_t:dir read;

audit2allow -R

#============= ftpd_t ==============
#!!!! This avc is allowed in the current policy

allow ftpd_t home_root_t:dir read;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.4-102.fc17.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-05-11 10:29:47 UTC 
Why do you have a ftp directory labeled as home_root_t?

ls -lZd /var/ftp
Comment 2 Emmanuel Arias 2013-05-13 06:05:16 UTC 
[root@linuxbox /]# ls -lZd /var/ftp
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp


Finally i've got it to work, but the real problem here is that ftp clients (firefox, for example) doesn't recognize .iso files as files, and they are giving errors about not being able to open the directory (?) 

You can safely close this not-a-bug, it was some misconfiguration or misplaced permissions in conflict with selinux.
Note You need to log in before you can comment on or make changes to this bug.