Hi guys,
Frederico Madeira
fred@xxxxxxxxxxxxxx
www.madeira.eng.br
Cisco CCNA, LPIC-1, LPIC-2
Registered GNU/Linux nº 206120
GPG-Key-ID: 1024D/0F0A721D
Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
MSN: fttmadeira@xxxxxxxxxxx
GTalk:fmadeira@xxxxxxxxx
SKYPE: fred_madeira
I'm running a CentOS 6.5 with vsftpd.
vsftpd-2.2.2-11.el6_4.1.i686
I've set the boolean to allow users to connect to their home dir:
[root@seg_linux-2 /]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
My problem is that when a user connects to my server, he is able to change dir to /etc and get the passwd file.
The domain of the passwd file is etc_t and the domain for the vsftpd process is ftpd_t. Why can users download the passwd file if the subject and object belong to different domains?
[root@seg_linux-2 /]# ls -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
[root@seg_linux-2 /]# ps -eZ | grep vsftp
unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
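Added example, not part of the original message: SELinux type enforcement denies by default and grants only what an allow rule says, so a process domain differing from a file type does not by itself block access; the question is whether `sesearch -A -s ftpd_t -t etc_t -c file` shows a rule with `read`. The script below parses the `ps -eZ` and `ls -Z` lines from the post plus a constructed sesearch output (the shape setools prints on CentOS 6; the real rules must be read from the live policy) and reports whether read is granted. It models only unconditional allow rules, not booleans, constraints or MLS.

```python
import re

# Constructed sample input: the two lines from the post, plus sesearch -A
# output in the CentOS 6 (setools 3) format. Replace with real output.
PS_LINE = "unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd"
LS_LINE = "-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd"
SESEARCH_OUTPUT = """\
Found 2 semantic av rules:
   allow ftpd_t etc_t : file { ioctl read getattr lock open } ;
   allow ftpd_t etc_t : dir { ioctl read getattr lock search open } ;
"""

# user:role:type:level; the level may itself contain ':' (s0-s0:c0.c1023).
_CTX_RE = re.compile(r"(\w+):(\w+):(\w+):(\S+)")
# Accepts both "allow s t : c { p q } ;" (setools 3) and "allow s t:c { p q };"
# or "allow s t:c p;" (setools 4).
_RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))")


def context_type(line):
    """Extract the SELinux type (third field) from a ps -eZ or ls -Z line."""
    m = _CTX_RE.search(line)
    if not m:
        raise ValueError("no security context in: %r" % line)
    return m.group(3)


def parse_allow_rules(text):
    """Return [(source, target, class, set(perms))] from sesearch -A output."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:          # header lines and blanks are skipped
            continue
        perms = m.group(4) if m.group(4) is not None else m.group(5)
        rules.append((m.group(1), m.group(2), m.group(3), set(perms.split())))
    return rules


def allowed(rules, source, target, tclass, perm):
    """True if some allow rule grants perm on tclass from source to target."""
    return any(s == source and t == target and c == tclass and perm in p
               for s, t, c, p in rules)


def check_access(ps_line, ls_line, sesearch_text, perm="read"):
    """Return (process type, file type, granted?) for a file-class access."""
    src, tgt = context_type(ps_line), context_type(ls_line)
    return src, tgt, allowed(parse_allow_rules(sesearch_text), src, tgt,
                             "file", perm)
```

With the constructed rules this reports ftpd_t -> etc_t read as granted, which is why the domain mismatch alone does not stop the download; compare with `sesearch` on the actual policy before concluding anything about a real host.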