-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 10:36 AM, Benjamin Franz wrote: > On 12/06/2010 06:47 AM, Daniel J Walsh wrote: >> >> I agree, and would like to look at the AVC's to understand what could >> have broken the labeling > > Well - since it happened again this morning, here you go. On further > investigation in backups, I previously had the user account that I use > for the FTP based update with its home directory set to a location > inside the /var/www/html tree. Since that unknowingly passed this rule, > it silently worked. It was changed to a /home/ based directory instead a > while ago - tripping this rule. But not consistently: FTP appears to at > least partially work outside the home tree even with the rule active. > > I *really* dislike landmines when doing routine system tasks. > > > > Dec 7 07:14:19 10.96.1.9 setroubleshoot: SELinux is preventing the ftp > daemon from writing files outside the home directory (./upgrade). For > complete SELinux messages. run sealert -l > e7787694-644e-4e4e-9b45-bd86c7eb33ce > > > sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce > > Summary: > > SELinux is preventing the ftp daemon from writing files outside the home > directory (./upgrade). > > Detailed Description: > > SELinux has denied the ftp daemon write access to directories outside > the home > directory (./upgrade). Someone has logged in via your ftp daemon and is > trying > to create or write a file. If you only setup ftp to allow anonymous ftp, > this > could signal a intrusion attempt. > > Allowing Access: > > If you do not want SELinux preventing ftp from writing files anywhere on the > system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P > allow_ftpd_full_access=1" > > The following command will allow this access: > > setsebool -P allow_ftpd_full_access=1 > > Additional Information: > > Source Context system_u:system_r:ftpd_t > Target Context system_u:object_r:httpd_sys_content_t > Target Objects ./upgrade [ dir ] > Source vsftpd > Source Path /usr/sbin/vsftpd > Port <Unknown> > Host XXXXXXXXXXXXXX > Source RPM Packages vsftpd-2.1.0-2 > Target RPM Packages > Policy RPM selinux-policy-2.4.6-279.el5_5.2 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name allow_ftpd_full_access > Host Name XXXXXXXXXXXXX > Platform Linux XXXXXXXXXXXX 2.6.18-194.26.1.el5 #1 SMP > Tue Nov 9 12:54:40 EST 2010 i686 i686 > Alert Count 17 > First Seen Thu Dec 2 12:10:14 2010 > Last Seen Tue Dec 7 07:14:19 2010 > Local ID e7787694-644e-4e4e-9b45-bd86c7eb33ce > Line Numbers > > Raw Audit Messages > > host=XXXXXXXXXXXXXXXXXXXX type=AVC msg=audit(1291734859.344:6678): avc: > denied { write } for pid=1018 comm="vsftpd" name="upgrade" dev=dm-5 > ino=1926503 scontext=system_u:system_r:ftpd_t:s0 > tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir > > host=XXXXXXXXXXXXXXXXXXXX type=SYSCALL msg=audit(1291734859.344:6678): > arch=40000003 syscall=39 success=no exit=-13 a0=8e340d0 a1=1ff a2=802330 > a3=1 items=0 ppid=1014 pid=1018 auid=502 uid=502 gid=100 euid=502 > suid=502 fsuid=502 egid=100 sgid=100 fsgid=100 tty=(none) ses=1017 > comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0 > key=(null) > > Where is the directory upgrade located. SELinux is complaining about the ftp site writing to a directory labeled as apache content (httpd_sys_content_t. The way we usually handle shared data between "sharing domains" is to label the content public_content_rw_t. The following man pages explain these labels. man ftpd_selinux man httpd_selinux -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+VdAACgkQrlYvE4MpobMQiACeI5mbC5rOqwxphNavqoomcOMn fgEAniywRXmiDrnje2nC2vdrv+DGU56f =qJ03 -----END PGP SIGNATURE----- _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos