Paul Howarth wrote:
Paul Howarth wrote:
The PAM config files for vsftpd and proftpd look like this:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
So it makes sense for ftpd_t to be able to set the login uid and
create a session keyring:
logging_set_loginuid(ftpd_t)
allow ftpd_t self:key { write search link };
Curiously, I've done this locally but still get this AVC when logging
in on proftpd, with an open dovecot IMAP session on the same server:
type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for
pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=key
FWIW, I'm also getting in /var/log/secure:
Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message()
failed: Operation not permitted
Jun 26 12:09:42 goalkeeper proftpd[25559]:
goalkeeper.intra.city-fan.org
(::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session
closed for user paul
Jun 26 12:09:42 goalkeeper proftpd[25559]:
goalkeeper.intra.city-fan.org
(::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session):
System error
Jun 26 12:09:42 goalkeeper proftpd[25559]:
goalkeeper.intra.city-fan.org
(::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
I don't see any AVCs to go with these, and adding:
logging_send_audit_msg(ftpd_t)
doesn't seem to help.
Paul.
This could be caused by proftpd not running as root and not having the
audit_write capability. So a DAC error could be causing this problem.
type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for
pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=key
I have no idea what this even means. :^) One of these days I need to
investigate the kernel keyring.
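Two small checks for the two problems discussed in this thread, written as an added example rather than anything from the list or from proftpd: the first reduces AVC records like the one quoted above to the minimal allow rule they imply (the same thing audit2allow does, and a starting point for review rather than the answer, since a dontaudit may be the right outcome); the second tests whether a CapEff mask as printed in /proc/<pid>/status carries CAP_AUDIT_WRITE, which is what audit_log_user_message() needs when the caller is not root. The AVC line is the one from the thread, re-joined onto a single line; the capability masks in the test are constructed.

```python
import re

# The AVC record quoted in the thread, re-joined onto one line (constructed sample).
SAMPLE_AVC = (
    'type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for '
    'pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 '
    'tcontext=root:system_r:dovecot_t:s0 tclass=key'
)

# Matches the permission set, source/target contexts and class of one AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scon').split(':')[2]   # user:role:type:level -> type field
    ttype = m.group('tcon').split(':')[2]
    perms = tuple(m.group('perms').split())
    return stype, ttype, m.group('tclass'), perms


def allow_rules(lines):
    """Merge denials per (source, target, class) and emit one allow rule for each."""
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue                         # not an AVC record, skip it
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = 'self' if stype == ttype else ttype
        rules.append('allow %s %s:%s { %s };'
                     % (stype, target, tclass, ' '.join(sorted(perms))))
    return rules


CAP_AUDIT_WRITE = 29  # bit number from linux/capability.h


def has_cap_audit_write(cap_eff_hex):
    """True if a CapEff mask from /proc/<pid>/status includes CAP_AUDIT_WRITE."""
    return bool((int(cap_eff_hex, 16) >> CAP_AUDIT_WRITE) & 1)
```

Feed `allow_rules()` the output of `ausearch -m avc` to see every rule a policy change would need; a denial whose target is another daemon's type, as here, deserves a closer look before anything is allowed.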
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list