When I run my ftpd as a xinetd service, and attempt to log in
(unix-style), I get this from SElinux:
Summary
SELinux is preventing /usr/sbin/pure-ftpd (ftpd_t) "search" to net
(proc_net_t).
Detailed Description
SELinux denied access requested by /usr/sbin/pure-ftpd. It is not
expected that this access is required by /usr/sbin/pure-ftpd and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could
try to restore the default system file context for net, restorecon -v
net If this does not work, there is currently no automatic way to allow
this access. Instead, you can generate a local policy module to allow
this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:ftpd_t
Target Context system_u:object_r:proc_net_t
Target Objects net [ dir ]
Affected RPM Packages pure-ftpd-1.0.21-12.fc7 [application]
Policy RPM selinux-policy-2.6.4-8.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name d500.localdomain
Platform Linux d500.localdomain 2.6.21-1.3228.fc7
#1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 12
First Seen Thu 30 Aug 2007 09:26:07 PM EDT
Last Seen Thu 06 Sep 2007 09:30:33 PM EDT
Local ID 8958c16e-27eb-4d3f-ad5c-787c1a960769
Line Numbers
Raw Audit Messages
avc: denied { search } for comm="pure-ftpd" dev=proc egid=0 euid=0
exe="/usr/sbin/pure-ftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net"
pid=19097 scontext=user_u:system_r:ftpd_t:s0 sgid=0
subj=user_u:system_r:ftpd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0
I tried to allow access; I saw that there is a directory 'net' in proc:
[root@d500 proc]# restorecon -v net
lstat(net) failed: Permission denied
Now what? Did I do this wrong, or do I need to create a 'local policy
module'?
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list