Re: ftpd and PAM

[Paul Howarth <paul@xxxxxxxxxxxx>]

Daniel J Walsh wrote:
> Paul Howarth wrote:
> > Paul Howarth wrote:
> > > The PAM config files for vsftpd and prpftpd look like this:
> > >
> > > #%PAM-1.0
> > > session    optional     pam_keyinit.so    force revoke
> > > auth       required     pam_listfile.so item=user sense=deny 
> > > file=/etc/vsftpd/ftpusers onerr=succeed
> > > auth       required     pam_shells.so
> > > auth       include      system-auth
> > > account    include      system-auth
> > > session    include      system-auth
> > > session    required     pam_loginuid.so
> > >
> > > So it makes sense for ftpd_t to be able to set the login uid and 
> > > create a session keyring:
> > >
> > > logging_set_loginuid(ftpd_t)
> > > allow ftpd_t self:key { write search link };
> > >
> > >
> > > Curiously, I've done this locally but still get this AVC when logging 
> > > in on proftpd, with an open dovecot IMAP session on the same server:
> > >
> > > type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for 
> > > pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 
> > > tcontext=root:system_r:dovecot_t:s0 tclass=key
> >
> > FWIW, I'm also getting in /var/log/secure:
> >
> > Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() 
> > failed: Operation not permitted
> > Jun 26 12:09:42 goalkeeper proftpd[25559]: 
> > goalkeeper.intra.city-fan.org 
> > (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
> > Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session 
> > closed for user paul
> > Jun 26 12:09:42 goalkeeper proftpd[25559]: 
> > goalkeeper.intra.city-fan.org 
> > (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): 
> > System error
> > Jun 26 12:09:42 goalkeeper proftpd[25559]: 
> > goalkeeper.intra.city-fan.org 
> > (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
> >
> > I don't see any AVCs to go with these, and adding:
> >
> > logging_send_audit_msg(ftpd_t)
> >
> > doesn't seem to help.
> >
> > Paul.
> This could be caused by proftp not running as root and not having the 
> auth_write capability.  So a DAC error could be causing this problem.

Proftpd runs as nobody out of the box; what would I need to change to 
fix this? Which object's DAC permissions are the problem?

> type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for 
> pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 
> tcontext=root:system_r:dovecot_t:s0 tclass=key
>
> I have no idea what this even means.  :^) One of these days I need to 
> investigate the kernel keyring.

It doesn't seem to cause any problem, but I would like to know what it 
is if you ever figure it out.

Cheers, Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list