On 08/30/2009 03:58 PM, Fernando Magro wrote:
> Hi,
>
> I noticed vsftpd starts running with UID 0 and MLS s0. When a user
> logs in, a new process is spawned (forked) from vsftpd and the UID is
> changed to match the user. The problem is that the MLS level stays at s0, so if
> the user has a different MLS level it will make everything fail. Starting
> vsftpd with s0-s0:c0.c1023 would be an option, but it will then bypass
> per-user MLS security. So IMHO vsftpd should be patched to change
> its security context when forking a new process.
>
> You can reproduce the problem by running:
> # semanage user -m -r s0-s0:c0.c1023 user_u
> # groupadd testing
> # useradd -m -g testing -Z user_u testing
> # semanage login -m -r s0:c3 testing
> # chcon -R -l s0:c3 /home/testing
> # /etc/init.d/vsftpd start
> # lftp
> open -u testing,password localhost
> ls
>
> Daniel Walsh said at https://bugzilla.redhat.com/show_bug.cgi?id=518569 :
> Let's bring this up for discussion on the SELinux list.
>
> There are two possibilities here. One is to just change the level on the
> vsftpd process to run at the appropriate level of the user. The second would
> be to change the type, in order to run as a type appropriate for the user, i.e.
> with different privs than the vsftpd server.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Fernando, I meant the Developers SELinux list which is selinux@xxxxxxxxxxxxx
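The two options Daniel Walsh describes (change only the MLS level of the forked child, or change its type as well), plus a check for the failure Fernando reports (a per-user child still running at the daemon's level), as an added Python example that is not code from the thread, from vsftpd or from the SELinux project. The login-to-range mapping, the `ps -eZ`-style lines and the daemon context are constructed; the default role/type pairs for `user_u` and `unconfined_u` are assumed to follow the targeted policy. A real daemon would apply the computed context in the child with libselinux's `setcon()` after `fork()`; this example only computes and audits the context strings.

```python
"""Model of per-user SELinux context selection for a forking daemon (added example)."""
from dataclasses import dataclass

# Constructed equivalent of `semanage login -l`: Linux login -> (SELinux user, MLS/MCS range).
LOGIN_MAP = {
    "testing": ("user_u", "s0:c3"),                   # from the reproduction steps in the thread
    "__default__": ("unconfined_u", "s0-s0:c0.c1023"),
}

# Assumed default role/type per SELinux user (targeted-policy style defaults).
SEUSER_DOMAIN = {
    "user_u": ("user_r", "user_t"),
    "unconfined_u": ("unconfined_r", "unconfined_t"),
}

# Constructed context of the vsftpd listener before any login.
DAEMON_CONTEXT = "system_u:system_r:ftpd_t:s0"


@dataclass(frozen=True)
class Context:
    """A user:role:type:level security context."""
    user: str
    role: str
    type_: str
    level: str

    @classmethod
    def parse(cls, text):
        parts = text.split(":", 3)          # the level itself may contain ':' (s0:c3)
        if len(parts) != 4:
            raise ValueError(f"not a user:role:type:level context: {text!r}")
        return cls(*parts)

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type_}:{self.level}"


def user_low_level(login, login_map=LOGIN_MAP):
    """Low end of the user's MLS range, i.e. the level a new session should run at."""
    _, rng = login_map.get(login, login_map["__default__"])
    return rng.split("-", 1)[0]


def child_context_level(daemon_ctx, login, login_map=LOGIN_MAP):
    """Option 1: keep the daemon's user/role/type, change only the level."""
    d = Context.parse(daemon_ctx)
    return str(Context(d.user, d.role, d.type_, user_low_level(login, login_map)))


def child_context_type(daemon_ctx, login, login_map=LOGIN_MAP, domains=SEUSER_DOMAIN):
    """Option 2: switch to the user's own SELinux user, role and type, at the user's level."""
    Context.parse(daemon_ctx)               # validate the input even though it is replaced
    seuser, _ = login_map.get(login, login_map["__default__"])
    role, type_ = domains[seuser]
    return str(Context(seuser, role, type_, user_low_level(login, login_map)))


# Constructed `ps -eZ -o label,pid,user,comm` output: listener plus two session children.
PS_SAMPLE = """\
system_u:system_r:ftpd_t:s0 1234 root vsftpd
system_u:system_r:ftpd_t:s0 1250 testing vsftpd
system_u:system_r:ftpd_t:s0:c3 1262 testing vsftpd
"""


def audit_sessions(ps_text, login_map=LOGIN_MAP):
    """Flag session children whose level differs from the user's mapped level.

    Returns a list of (pid, login, actual_level, expected_level).
    """
    findings = []
    for line in ps_text.splitlines():
        if not line.strip():
            continue
        label, pid, login, _comm = line.split()
        if login == "root":
            continue                        # the listener legitimately runs as the daemon
        actual = Context.parse(label).level
        expected = user_low_level(login, login_map)
        if actual != expected:
            findings.append((int(pid), login, actual, expected))
    return findings


if __name__ == "__main__":
    print("level-only:", child_context_level(DAEMON_CONTEXT, "testing"))
    print("type+level:", child_context_type(DAEMON_CONTEXT, "testing"))
    for pid, login, actual, expected in audit_sessions(PS_SAMPLE):
        print(f"pid {pid} ({login}) runs at {actual}, expected {expected}")
```

Only pid 1250 is reported: it serves user `testing` but still carries the listener's `s0`, which is exactly the state that makes access to the `s0:c3`-labelled home directory fail in the reproduction above.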