Re: F11 VSFTPD post install problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sun, Oct 03, 2010 at 09:17:58PM +0100, Aaron Gray wrote:
> On 3 October 2010 21:03, Dominick Grift <domg472@xxxxxxxxx> wrote:
> 
> > On Sun, Oct 03, 2010 at 08:48:59PM +0100, Aaron Gray wrote:
> > > Hi,
> > >
> > > I had a fresh F11 server install, but with out VSFTPD, then I installed
> > > VSFTPD, but it is blocked by SELinux.
> > >
> > > I turn off enforcement and FTP runs fine.
> > >
> > > Is there some script or proceedure I can run to allow VSFTPD on F11 or do
> > I
> > > have to do a reinstall of Fedora ?
> > >
> > > Many thanks in advance,
> >
> > Can you enclose the AVC denials that you are seeying. With those you should
> > be able to fix any issues. AVC denials are (usually) logged to
> > /var/log/audit/audit.log and can easily be listed with ausearch command.
> >
> >
> First initial syscall :-
> 
> time->Sun Oct  3 21:12:24 2010
> type=SYSCALL msg=audit(1286136744.107:21351): arch=40000003 syscall=120
> success=no exit=-1 a0=28000011 a1=0 a2=6f4334 a3=6f4334 items=0 ppid=1
> pid=1903 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=5 comm="vsftpd" exe="/usr/sbin/vsftpd"
> subj=unconfined_u:system_r:ftpd_t:s0 key=(null)
> type=AVC msg=audit(1286136744.107:21351): avc:  denied  { sys_admin } for
>  pid=1903 comm="vsftpd" capability=21
> scontext=unconfined_u:system_r:ftpd_t:s0
> tcontext=unconfined_u:system_r:ftpd_t:s0 tclass=capability
> 
> 
> 
> > For example to list AVC denials that occured today: ausearch -m avc -ts
> > today.
> >
> >
> Yes but there will be a complex of activity after this and I would really
> like a proper instillation script to do the job rather than doing it
> piecemeal.
> 

I am not sure if i understand what you mean, but in my view this cannot be properly scriptable because the responsible person must make security decisions.

You cannot rely on a program to make the proper security decisions.


> 
> 
> > By the way, it is strongly encourage that you start planning for an
> > operating system upgrade as Fedora 11 will reach end of life soon (if it is
> > not EOL already). This means that you wont receive any security updates for
> > the unsupported operating system anymore.
> >
> >
> Yes I realize this but installing F13 had too many bugs on my old servers,
> so I went back to F11 for a while till F14 is out.
> 
> Thanks,
> 
> Aaron

Attachment: pgpZtSySd4Sna.pgp
Description: PGP signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux