Bug 976697 - SELinux is preventing /usr/sbin/vsftpd from 'unlink' accesses on the file title.php.
SELinux is preventing /usr/sbin/vsftpd from 'unlink' accesses on the file tit...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-06-21 04:10 EDT by Vivekanand Saraswati
Modified: 2013-06-22 07:05 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-06-22 07:05:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vivekanand Saraswati 2013-06-21 04:10:57 EDT
Description of problem:
I want to install theme in word press.
SELinux is preventing /usr/sbin/vsftpd from 'unlink' accesses on the file title.php.

*****  Plugin allow_anon_write (91.4 confidence) suggests  *******************

If you want to allow /usr/sbin/vsftpd to be able to write to shared public content
Then you need to change the label on title.php to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.
# semanage fcontext -a -t public_content_rw_t title.php
# restorecon -R -v title.php
# setsebool -P allow_ftpd_anon_write 1

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that vsftpd should be allowed unlink access on the title.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:public_content_t:s0
Target Objects                title.php [ file ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vsftpd-3.0.0-2.fc17.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-169.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.13-100.fc17.i686.PAE #1 SMP
                              Mon May 13 13:45:03 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-21 13:36:04 IST
Last Seen                     2013-06-21 13:36:04 IST
Local ID                      293c10dd-de73-4d49-8dd6-3d36eca4bc93

Raw Audit Messages
type=AVC msg=audit(1371801964.299:427): avc:  denied  { unlink } for  pid=5567 comm="vsftpd" name="title.php" dev="dm-1" ino=1582023 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=file

type=SYSCALL msg=audit(1371801964.299:427): arch=i386 syscall=unlink success=no exit=EACCES a0=b81a3208 a1=bfdf8398 a2=b774dac8 a3=b774e518 items=0 ppid=5562 pid=5567 auid=4294967295 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 ses=4294967295 tty=(none) comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Hash: vsftpd,ftpd_t,public_content_t,file,unlink


#============= ftpd_t ==============
#!!!! This avc is allowed in the current policy

allow ftpd_t public_content_t:file unlink;

audit2allow -R

#============= ftpd_t ==============
#!!!! This avc is allowed in the current policy

allow ftpd_t public_content_t:file unlink;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.13-100.fc17.i686.PAE
type:           libreport
Comment 1 Daniel Walsh 2013-06-21 09:19:09 EDT
The avc told you what to do, where is title.php located.
Comment 2 Vivekanand Saraswati 2013-06-21 09:54:30 EDT
Hi Daniel,

Thanks for reply.

title.php is extracted by apache when i am installing theme. Apache automatically creating extracting zip files contents. Please suggest me what command should i run in terminal so that it will not create problem.
Comment 3 Daniel Walsh 2013-06-21 17:01:37 EDT
What is the path?

public_content_rw_t  is what it should be labeled.

Take a look at the man ftpd_selinux man page under SHARING FILES
Comment 4 Vivekanand Saraswati 2013-06-22 00:16:05 EDT
Hi Daniel,

Path is /var/www/html/webproffen.no/wp-content/

Apache will extract and install theme in above dir.
Comment 5 Daniel Walsh 2013-06-22 07:05:32 EDT
# semanage fcontext -a -t public_content_rw_t '/var/www/html/webproffen.no/wp-content(/.*)?'
# restorecon -R -v /var/www/html/webproffen.no/wp-content
# setsebool -P httpd_anon_write=1 ftpd_anon_write=1

Should setup the directory so that both apache and ftpd can write to it.

Note You need to log in before you can comment on or make changes to this bug.