On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred@xxxxxxxxxxxxxx> wrote:

> Hi guys,
>
> I'm running a CentOS 6.5 with vsftpd (vsftpd-2.2.2-11.el6_4.1.i686).
>
> I've set the boolean to allow users to connect to their home dir:
>
> [root@seg_linux-2 /]# getsebool -a | grep ftp
> allow_ftpd_anon_write --> off
> allow_ftpd_full_access --> off
> allow_ftpd_use_cifs --> off
> allow_ftpd_use_nfs --> off
> ftp_home_dir --> on
> ftpd_connect_db --> off
> ftpd_use_fusefs --> off
> ftpd_use_passive_mode --> off
> httpd_enable_ftp_server --> off
> tftp_anon_write --> off
> tftp_use_cifs --> off
> tftp_use_nfs --> off
>
> My problem is that when a user connects to my server, he is able to change dir to /etc and get the passwd file.
>
> The domain of the passwd file is etc_t and the domain for the vsftpd process is ftp_t. Why can users download the passwd file if subject and object belong to different domains?

sesearch -A -s ftpd_t -t etc_t -p read will show you the allow rules that permit the read. There are quite a few.

Can you chroot the users to their home directory?

joe

> [root@seg_linux-2 /]# ls -Z /etc/passwd
> -rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
>
> [root@seg_linux-2 /]# ps -eZ | grep vsftp
> unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
>
> Frederico Madeira
> fred@xxxxxxxxxxxxxx
> www.madeira.eng.br
> Cisco CCNA, LPIC-1, LPIC-2
>
> Registered GNU/Linux nº 206120
> GPG-Key-ID: 1024D/0F0A721D
> Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
>
> MSN: fttmadeira@xxxxxxxxxxx
> GTalk: fmadeira@xxxxxxxxx
> SKYPE: fred_madeira
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
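Joe's two suggestions, worked through as an added example (this is not code from the thread, nor part of vsftpd or setools): run the sesearch query to see which allow rules let ftpd_t read etc_t, then turn on vsftpd's chroot_local_user so a local user's session cannot walk up to /etc in the first place. The sesearch output embedded below is a constructed sample in the setools 3 style of CentOS 6; the exact rule lines on a real box come from the policy, so treat the sample's format as an assumption and compare it with what the real command prints. The helper names (read_rules, count_rules_granting, chroot_enabled, enable_chroot) are this example's own. Note that the chroot does not alter the SELinux policy: the allow rules sesearch reports are still there, and a confined user who somehow reaches an etc_t file is still permitted to read it; the chroot only removes the path.

```shell
#!/bin/sh
# Added example, not code from the thread or from vsftpd/setools.
# 1. Show the allow rules that let ftpd_t read etc_t (Joe's sesearch).
# 2. Check/enable chroot_local_user=YES in vsftpd.conf (Joe's chroot).

# Constructed sample of setools 3 sesearch output (assumed format; verify
# against the real command on your system).
SAMPLE_SESEARCH='Found 2 semantic av rules:
   allow ftpd_t etc_t : file { ioctl read getattr lock open } ;
   allow ftpd_t etc_t : dir { ioctl read getattr lock search open } ;
'

# Print allow rules granting permission $3 from source type $1 to target $2.
# Uses the real sesearch when SELinux and setools are present; otherwise
# falls back to the constructed sample so the script still runs offline.
read_rules() {
    if command -v sesearch >/dev/null 2>&1 \
        && { [ -d /sys/fs/selinux ] || [ -d /selinux ]; }; then
        sesearch -A -s "$1" -t "$2" -p "$3"
    else
        printf '%s' "$SAMPLE_SESEARCH"
    fi
}

# Read sesearch output on stdin; count "allow" rules for object class $2
# whose permission set contains $1 (e.g. count_rules_granting read file).
count_rules_granting() {
    awk -v p="$1" -v c="$2" '
        $1 == "allow" && $5 == c {
            inperm = 0
            for (i = 6; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") break
                if (inperm && $i == p) { n++; break }
            }
        }
        END { print n + 0 }'
}

# Return 0 when the last uncommented chroot_local_user line in $1 is YES.
chroot_enabled() {
    conf=$1
    [ -r "$conf" ] || return 1
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^chroot_local_user$/ { v = $2 }
        END { gsub(/[[:space:]]/, "", v); exit (toupper(v) == "YES" ? 0 : 1) }' "$conf"
}

# Set chroot_local_user=YES in $1 (keeps a .bak copy). Restart vsftpd after.
enable_chroot() {
    conf=$1
    cp "$conf" "$conf.bak"
    if grep -q '^chroot_local_user=' "$conf"; then
        sed 's/^chroot_local_user=.*/chroot_local_user=YES/' "$conf.bak" > "$conf"
    else
        printf 'chroot_local_user=YES\n' >> "$conf"
    fi
}

main() {
    conf=$1
    echo "== allow rules ftpd_t -> etc_t with perm read =="
    rules=$(read_rules ftpd_t etc_t read)
    printf '%s\n' "$rules"
    echo "file rules granting read: $(printf '%s\n' "$rules" | count_rules_granting read file)"
    if chroot_enabled "$conf"; then
        echo "$conf: chroot_local_user=YES is set"
    else
        echo "$conf: local users are not chrooted; enable_chroot $conf && service vsftpd restart"
    fi
}

# Usage: sh this.sh --demo [/etc/vsftpd/vsftpd.conf]
if [ "${1:-}" = "--demo" ]; then
    main "${2:-/etc/vsftpd/vsftpd.conf}"
fi
```

Run it with `--demo` as root on the CentOS box to see the real rule list (it is long, as Joe says: the read is allowed by policy, not blocked by the domain difference). The chroot check deliberately treats only the last uncommented chroot_local_user line as effective, which is how a duplicated directive would behave, and ignores the commented-out `#chroot_local_user=YES` that ships in the stock vsftpd.conf.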