Hello,

Yes, I have tried to do the following as recommended by man ftpd_selinux

    # setsebool -P ftp_home_dir 1
    # setsebool -P ftpd_is_daemon 1

But I still get the same AVC error messages each time an FTP client attempts to connect.

Here is what the audit.log gives me:

type=USER_AUTH msg=audit(1147327523.025:325): user pid=3608 uid=0 auid=500 msg='PAM: authentication acct=kmahaindra : exe="/usr/sbin/vsftpd" (hostname=172.27.77.156, addr=172.27.77.156, terminal=? res=success)'
type=USER_ACCT msg=audit(1147327523.025:326): user pid=3608 uid=0 auid=500 msg='PAM: accounting acct=kmahaindra : exe="/usr/sbin/vsftpd" (hostname=172.27.77.156, addr=172.27.77.156, terminal=? res=success)'
type=CRED_ACQ msg=audit(1147327523.029:327): user pid=3608 uid=0 auid=500 msg='PAM: setcred acct=kmahaindra : exe="/usr/sbin/vsftpd" (hostname=172.27.77.156, addr=172.27.77.156, terminal=? res=success)'
type=AVC msg=audit(1147327523.029:328): avc: denied { dac_override } for pid=3612 comm="vsftpd" capability=1 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1147327523.029:328): avc: denied { dac_read_search } for pid=3612 comm="vsftpd" capability=2 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1147327523.029:328): arch=40000003 syscall=61 success=no exit=-13 a0=66c6f6 a1=0 a2=6732dc a3=1 items=1 pid=3612 auid=500 uid=0 gid=0 euid=0 suid=500 fsuid=0 egid=0 sgid=500 fsgid=0 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1147327523.029:328): cwd="/home/kmahaindra"
type=PATH msg=audit(1147327523.029:328): item=0 name="." flags=3

Any other clues?
Or perhaps I was missing something / some steps?

--
Best regards,
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"

-----Original Message-----
From: Paul Howarth [mailto:paul@xxxxxxxxxxxx]
Sent: Thursday, May 11, 2006 1:52 PM
To: Ketut Mahaindra
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: Re: Allowing vsftpd access for user's home directory

On Thu, 2006-05-11 at 13:17 +0800, Ketut Mahaindra wrote:
> Hello all,
>
> I have an installation of FC5.
> I want to make vsftpd run with a chroot environment of the user's home directory.
> So far it does not work because SELinux prevents vsftpd from accessing the
> home directory.
>
> What's the best way to configure SELinux for this purpose?
> I don't want to disable it.
> I have been googling around but so far have not come up with any easy
> solution.
>
> Any help will be appreciated.
>
> P.S.
> - I have the following AVC error messages:
> avc: denied { dac_override } for pid=9099 comm="vsftpd" capability=1
> scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> tclass=capability
> avc: denied { dac_read_search } for pid=9099 comm="vsftpd" capability=2
> scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> tclass=capability

Have you set the ftp_home_dir boolean as suggested in "man ftpd_selinux"?

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list