The PAM config files for vsftpd and prpftpd look like this:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny
file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
So it makes sense for ftpd_t to be able to set the login uid and create
a session keyring:
logging_set_loginuid(ftpd_t)
allow ftpd_t self:key { write search link };
Curiously, I've done this locally but still get this AVC when logging in
on proftpd, with an open dovecot IMAP session on the same server:
type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for
pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=key
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
