Bug 976697 - SELinux is preventing /usr/sbin/vsftpd from 'unlink' accesses on the file title.php.
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: i686
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:a824a81ea859ecfd208d55f0f95...
Reported: 2013-06-21 08:10 UTC by Vivekanand Saraswati
Modified: 2013-06-22 11:05 UTC (History)
Last Closed: 2013-06-22 11:05:32 UTC

Description Vivekanand Saraswati 2013-06-21 08:10:57 UTC
Description of problem:
I want to install a theme in WordPress.
SELinux is preventing /usr/sbin/vsftpd from 'unlink' accesses on the file title.php.

*****  Plugin allow_anon_write (91.4 confidence) suggests  *******************

If you want to allow /usr/sbin/vsftpd to be able to write to shared public content
Then you need to change the label on title.php to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.
Do
# semanage fcontext -a -t public_content_rw_t title.php
# restorecon -R -v title.php
# setsebool -P allow_ftpd_anon_write 1

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that vsftpd should be allowed unlink access on the title.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:public_content_t:s0
Target Objects                title.php [ file ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vsftpd-3.0.0-2.fc17.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-169.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.13-100.fc17.i686.PAE #1 SMP
                              Mon May 13 13:45:03 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-21 13:36:04 IST
Last Seen                     2013-06-21 13:36:04 IST
Local ID                      293c10dd-de73-4d49-8dd6-3d36eca4bc93

Raw Audit Messages
type=AVC msg=audit(1371801964.299:427): avc:  denied  { unlink } for  pid=5567 comm="vsftpd" name="title.php" dev="dm-1" ino=1582023 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=file


type=SYSCALL msg=audit(1371801964.299:427): arch=i386 syscall=unlink success=no exit=EACCES a0=b81a3208 a1=bfdf8398 a2=b774dac8 a3=b774e518 items=0 ppid=5562 pid=5567 auid=4294967295 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 ses=4294967295 tty=(none) comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Hash: vsftpd,ftpd_t,public_content_t,file,unlink

audit2allow

#============= ftpd_t ==============
#!!!! This avc is allowed in the current policy

allow ftpd_t public_content_t:file unlink;

audit2allow -R

#============= ftpd_t ==============
#!!!! This avc is allowed in the current policy

allow ftpd_t public_content_t:file unlink;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.13-100.fc17.i686.PAE
type:           libreport
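
How to read the raw audit messages in the description above, as an added example that is not part of the original report or of setroubleshoot: the AVC and SYSCALL records share one event id, and joining them gives the denied rule together with the executable and uid that triggered it. The function names are hypothetical; the sample records are the two lines from the report.

```python
import re
from collections import defaultdict

# The two records from "Raw Audit Messages" in the report, copied verbatim.
SAMPLE = '''\
type=AVC msg=audit(1371801964.299:427): avc:  denied  { unlink } for  pid=5567 comm="vsftpd" name="title.php" dev="dm-1" ino=1582023 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=SYSCALL msg=audit(1371801964.299:427): arch=i386 syscall=unlink success=no exit=EACCES a0=b81a3208 a1=bfdf8398 a2=b774dac8 a3=b774e518 items=0 ppid=5562 pid=5567 auid=4294967295 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 ses=4294967295 tty=(none) comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Type field of user:role:type[:level]; the MLS level may itself contain ':'."""
    return context.split(':', 3)[2]

def parse_events(text):
    """Group records by audit event id (timestamp:serial), shared by AVC and SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == 'AVC' and perms:
            fields['result'], fields['perms'] = perms.group(1), perms.group(2).split()
        events[event_id][rtype] = fields
    return dict(events)

def denials(events):
    """One summary per denied AVC, enriched from the SYSCALL record when present."""
    out = []
    for event_id, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or avc.get('result') != 'denied':
            continue
        rule = '%s %s:%s { %s }' % (se_type(avc['scontext']), se_type(avc['tcontext']),
                                    avc['tclass'], ' '.join(avc['perms']))
        out.append({'event': event_id, 'rule': rule, 'name': avc.get('name'),
                    'exe': sc.get('exe'), 'uid': sc.get('uid'), 'syscall': sc.get('syscall')})
    return out

if __name__ == '__main__':
    for d in denials(parse_events(SAMPLE)):
        print(d)
```

The target type in the resulting rule, public_content_t, is the value to check against the label the file is expected to carry.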

Comment 1 Daniel Walsh 2013-06-21 13:19:09 UTC
The AVC told you what to do. Where is title.php located?

Comment 2 Vivekanand Saraswati 2013-06-21 13:54:30 UTC
Hi Daniel,

Thanks for the reply.

title.php is extracted by Apache when I am installing a theme. Apache is automatically extracting the zip file's contents. Please suggest what command I should run in the terminal so that it will not create a problem.

Comment 3 Daniel Walsh 2013-06-21 21:01:37 UTC
What is the path?

public_content_rw_t  is what it should be labeled.

Take a look at the ftpd_selinux man page under SHARING FILES.

Comment 4 Vivekanand Saraswati 2013-06-22 04:16:05 UTC
Hi Daniel,

Path is /var/www/html/webproffen.no/wp-content/

Apache will extract and install the theme in the above dir.

Comment 5 Daniel Walsh 2013-06-22 11:05:32 UTC
# semanage fcontext -a -t public_content_rw_t '/var/www/html/webproffen.no/wp-content(/.*)?'
# restorecon -R -v /var/www/html/webproffen.no/wp-content
# setsebool -P httpd_anon_write=1 ftpd_anon_write=1

Should set up the directory so that both apache and ftpd can write to it.

