LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-24-2010, 05:14 AM   #1
Rodnower
SELinux restricts vsftpd


Hello, I have a CentOS 5.5 distribution with Dom0 and DomU installed.
I try to access Dom0 files through a vsftpd server from a DomU ftp client.
I successfully log in as root and as a simple user, but when I try to list (or cd to some directory) in the user's home, SELinux prevents me from doing it.
I get this in audit.log:
Code:
type=AVC msg=audit(1282644087.770:262): avc:  denied  { dac_override } for  pid=18044 comm="vsftpd" capability=1 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1282644087.770:262): avc:  denied  { dac_read_search } for  pid=18044 comm="vsftpd" capability=2 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282644087.770:262): arch=c000003e syscall=2 success=no exit=-13 a0=2af24260ad40 a1=10800 a2=0 a3=0 items=0 ppid=18034 pid=18044 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
If I disable SELinux all works right.

Here is vsftpd configuration:
Code:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
idle_session_timeout=604800 # a week
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Last lines of vsftpd.log:
Code:
Tue Aug 24 10:01:14 2010 [pid 18035] CONNECT: Client "192.168.2.150"
Tue Aug 24 10:01:21 2010 [pid 18034] [root] OK LOGIN: Client "192.168.2.150"
This is what I see when I try to change directory:
Code:
ftp> dir
227 Entering Passive Mode (192,168,2,100,103,93)
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
And second question.
Anonymous access is allowed in the configuration, but I still do not succeed in connecting anonymously:
Code:
ftp> open 192.168.2.100
Connected to 192.168.2.100.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.2.100:root):
Thank you in advance.
 
Old 08-24-2010, 11:18 AM   #2
unSpawn
Moderator
Quote:
Originally Posted by Rodnower
I successfully log in as root
...which you shouldn't do regardless...


Quote:
Originally Posted by Rodnower
and as a simple user, but when I try to list (or cd to some directory) in the user's home, SELinux prevents me from doing it.
I get this in audit.log:
Code:
type=AVC msg=audit(1282644087.770:262): avc:  denied  { dac_override } for  pid=18044 comm="vsftpd" capability=1 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1282644087.770:262): avc:  denied  { dac_read_search } for  pid=18044 comm="vsftpd" capability=2 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282644087.770:262): arch=c000003e syscall=2 success=no exit=-13 a0=2af24260ad40 a1=10800 a2=0 a3=0 items=0 ppid=18034 pid=18044 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
If I disable SELinux all works right.
The first thing is that this AVC does not contain an item's full path. You need that to determine if your policy needs adjusting. To get full path logging run 'auditctl -w /etc/shadow -p w; /etc/init.d/auditd restart' and now try the same access routines you tried before to get AVC messages with path information.

Now when running your messages through 'audit2allow' this shows the following policy adjustment:
Code:
#============= ftpd_t ==============
allow ftpd_t self:capability dac_override;
The rule translates to something like "allow the process with ftpd_t context to ignore DAC", in which "dac_override" refers to the fact that SELinux (MAC) works on top of discretionary access controls (DAC: file ownership and access permissions), so if DAC doesn't allow it then so wouldn't or couldn't SELinux. Again, to determine if this is the right approach, please check AVC messages with full path logging.
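The point made above is that a denial without a path cannot be judged: the path lives in the PATH and CWD records that share the same audit(timestamp:serial) event id as the AVC, and audit2allow collapses all of that into a bare type-to-type rule. The script below is an added example, not code from this thread or from the audit tools. It groups audit records by event id, resolves the denied path for each AVC (from the AVC's own path= field, or from CWD plus the PATH name when the AVC has none), and merges the denials into the allow rules audit2allow would print, so each rule can be traced back to the file and label it came from. The sample log is constructed from the records quoted in this thread; the field names are those of the audit log format, the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in this thread. Event 262 has no PATH
# record (the situation in the first post); event 561 does.
SAMPLE_LOG = """\
type=AVC msg=audit(1282644087.770:262): avc:  denied  { dac_override } for  pid=18044 comm="vsftpd" capability=1 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1282644087.770:262): avc:  denied  { dac_read_search } for  pid=18044 comm="vsftpd" capability=2 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282644087.770:262): arch=c000003e syscall=2 success=no exit=-13 a0=2af24260ad40 a1=10800 a2=0 a3=0 items=0 ppid=18034 pid=18044 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1282685262.008:561): avc:  denied  { getattr } for  pid=32446 comm="vsftpd" path="/root/scsrun.log" dev=dm-1 ino=1114134 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1282685262.008:561): arch=c000003e syscall=6 success=no exit=-13 a0=2af5834bd970 a1=2af5834bdb70 a2=2af5834bdb70 a3=6573752d796c746e items=1 ppid=32438 pid=32446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0 key=(null)
type=CWD msg=audit(1282685262.008:561):  cwd="/root"
type=PATH msg=audit(1282685262.008:561): item=0 name="scsrun.log" inode=1114134 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_home_t:s0
"""

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{ ([^}]*) \}')      # the { perm perm ... } set of an AVC


def parse_record(line):
    """Turn one audit line into a dict; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'event': m.group('serial'), 'ts': m.group('ts')}
    rest = m.group('rest')
    pm = PERMS_RE.search(rest)
    if pm:
        rec['perms'] = pm.group(1).split()
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip('"')
    return rec


def group_events(text):
    """All records that share one audit(ts:serial) id belong to one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['event']].append(rec)
    return events


def context_type(ctx):
    # user_u:system_r:ftpd_t:s0 -> ftpd_t
    return ctx.split(':')[2]


def resolve_path(avc, records):
    """Path from the AVC itself, else CWD + PATH name, else None (path logging was off)."""
    if 'path' in avc:
        return avc['path']
    cwd = next((r['cwd'] for r in records if r['type'] == 'CWD'), None)
    for r in records:
        if r['type'] == 'PATH' and 'name' in r:
            name = r['name']
            if name.startswith('/') or cwd is None:
                return name
            return cwd.rstrip('/') + '/' + name
    return None


def summarize_denials(text):
    """One entry per AVC denial, with its source/target types and resolved path."""
    out = []
    for event, records in sorted(group_events(text).items(), key=lambda kv: int(kv[0])):
        syscall = next((r for r in records if r['type'] == 'SYSCALL'), {})
        for avc in (r for r in records if r['type'] == 'AVC'):
            out.append({
                'event': event,
                'exe': syscall.get('exe'),
                'source': context_type(avc['scontext']),
                'target': context_type(avc['tcontext']),
                'tclass': avc['tclass'],
                'perms': avc['perms'],
                'path': resolve_path(avc, records),
            })
    return out


def generate_rules(text):
    """Merge denials per (source, target, class) into allow rules, audit2allow style."""
    merged = defaultdict(set)
    for d in summarize_denials(text):
        target = 'self' if d['source'] == d['target'] else d['target']
        merged[(d['source'], target, d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    for d in summarize_denials(SAMPLE_LOG):
        where = d['path'] or '(no path in this event: path logging was off)'
        print(f"event {d['event']}: {d['exe']} as {d['source']} denied {d['perms']} "
              f"on {d['tclass']} of type {d['target']} {where}")
    print('\n'.join(generate_rules(SAMPLE_LOG)))
```

Run against the real file with the sample replaced by `open('/var/log/audit/audit.log').read()`. The value of the exercise is the `path` column: the capability denials in event 262 carry no path at all, while event 561 names /root/scsrun.log with type user_home_t, which is what lets you decide between relabeling, fixing DAC ownership, or a policy change.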
Old 08-24-2010, 04:41 PM   #3
Rodnower
Member
Quote:
Originally Posted by unSpawn
...
Thank you for reply.
I did
auditctl -w /etc/shadow -p w
As a note, there is no need to do service auditd restart. When I do so, the configuration I did before gets lost.

These are the lines that I have now in audit.log:
Code:
type=AVC msg=audit(1282685262.008:561): avc:  denied  { getattr } for  pid=32446 comm="vsftpd" path="/root/scsrun.log" dev=dm-1 ino=1114134 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1282685262.008:561): arch=c000003e syscall=6 success=no exit=-13 a0=2af5834bd970 a1=2af5834bdb70 a2=2af5834bdb70 a3=6573752d796c746e items=1 ppid=32438 pid=32446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0 key=(null)
type=CWD msg=audit(1282685262.008:561):  cwd="/root"
type=PATH msg=audit(1282685262.008:561): item=0 name="scsrun.log" inode=1114134 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_home_t:s0
I get this log frame for each file that resides there after typing ls in root's home directory.
After that I did:

Code:
cat /var/log/audit/audit.log | audit2allow
And get:
Code:
#============= ftpd_t ==============
allow ftpd_t file_t:dir getattr;
allow ftpd_t httpd_sys_content_t:dir { read search getattr };
allow ftpd_t httpd_sys_content_t:file getattr;
allow ftpd_t self:capability { dac_read_search kill dac_override };
allow ftpd_t user_home_t:dir getattr;
allow ftpd_t user_home_t:file getattr;
Now, I read the man page of audit2allow and understand that I need the SELinux source code to compile a new module, so I decided to do it first on a virtual machine.
For this reason I created a similar scenario where Dom0 tries to access vsftpd in DomU (originally it is the other way round). But when I try to access ftp on DomU, I get this on the client:
Code:
500 OOPS: cannot change directory:/root
Login failed.
And this on server in audit.log:
Code:
type=USER_AUTH msg=audit(1282685785.699:68): user pid=2663 uid=0 auid=0 subj=root:system_r:ftpd_t:s0 msg='PAM: authentication acct="root" : exe="/usr/sbin/vsftpd" (hostname=192.168.2.100, addr=192.168.2.100, terminal=ftp res=success)'
type=USER_ACCT msg=audit(1282685785.707:69): user pid=2663 uid=0 auid=0 subj=root:system_r:ftpd_t:s0 msg='PAM: accounting acct="root" : exe="/usr/sbin/vsftpd" (hostname=192.168.2.100, addr=192.168.2.100, terminal=ftp res=success)'
type=CRED_ACQ msg=audit(1282685785.707:70): user pid=2663 uid=0 auid=0 subj=root:system_r:ftpd_t:s0 msg='PAM: setcred acct="root" : exe="/usr/sbin/vsftpd" (hostname=192.168.2.100, addr=192.168.2.100, terminal=ftp res=success)'
And nothing in the output of audit2allow... I get the log frame above even in permissive mode (unlike the previous scenario, where in permissive mode there were no log entries during ftp operation), but only in enforcing mode do I get the error on the client above (!).

So my questions are:
1. Can I do safe and simple policy manipulation in Dom0 without getting the source? If I need the source, where do I get it?
2. What is going on on the DomU server?
3. How is it that I set auditctl to watch only /etc/shadow (and why did I need to watch this file), but really all files were being watched? And
4. Why do I get an error about the impossibility of anonymous login?

Last edited by Rodnower; 08-24-2010 at 04:54 PM.
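The audit2allow output quoted in this post is a good illustration of why generated rules should be reviewed one by one rather than compiled and loaded wholesale: a rule against file_t means the files are unlabeled (fix with relabeling, not policy); self:capability dac_override removes the DAC check that the earlier reply explains; kill has nothing to do with a directory listing; and a rule to httpd_sys_content_t says vsftpd is reaching into another service's content. The script below is an added example, not part of the thread and not an audit2allow feature. It parses the .te-style rules and attaches a verdict to each. The triage heuristics (prefix-based owner check, the reject/review/accept verdicts) are my own assumptions; the reference to the ftp_home_dir boolean is general knowledge about the targeted policy of that era, not something stated in the thread.

```python
import re

# Constructed sample: the audit2allow output quoted in this post.
GENERATED_RULES = """\
#============= ftpd_t ==============
allow ftpd_t file_t:dir getattr;
allow ftpd_t httpd_sys_content_t:dir { read search getattr };
allow ftpd_t httpd_sys_content_t:file getattr;
allow ftpd_t self:capability { dac_read_search kill dac_override };
allow ftpd_t user_home_t:dir getattr;
allow ftpd_t user_home_t:file getattr;
"""

# allow <source> <target>:<class> <perm>;  or  allow <source> <target>:<class> { p1 p2 };
RULE_RE = re.compile(r'^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;')

# Capabilities that let a process bypass file ownership and mode checks entirely.
DAC_BYPASS = {'dac_override', 'dac_read_search'}
# Target types that are not "owned" by a service, so the cross-service check does not apply.
GENERIC_TARGETS = ('self', 'file_t', 'user_home_t')
SEVERITY = {'accept': 0, 'review': 1, 'reject': 2}


def parse_rules(text):
    """Parse audit2allow-style allow rules; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised rule: {line}')
        src, tgt, cls, many, one = m.groups()
        perms = many.split() if many else [one]
        rules.append({'source': src, 'target': tgt, 'tclass': cls, 'perms': perms})
    return rules


def review_rule(rule):
    """Attach (verdict, findings) to one rule using the heuristics described in the lead-in."""
    src, tgt, cls = rule['source'], rule['target'], rule['tclass']
    perms = set(rule['perms'])
    findings = []
    if tgt == 'file_t':
        findings.append(('reject', 'target is file_t (unlabeled files): relabel them, do not allow'))
    if cls == 'capability' and perms & DAC_BYPASS:
        findings.append(('reject', 'grants a DAC-bypass capability: fix file ownership/mode instead'))
    if cls == 'capability' and 'kill' in perms:
        findings.append(('review', 'kill capability is unrelated to the denied directory access'))
    if tgt == 'user_home_t':
        findings.append(('review', 'home directory access: check the shipped ftp_home_dir boolean first'))
    owner = tgt.split('_')[0]          # heuristic: httpd_sys_content_t -> httpd
    if tgt not in GENERIC_TARGETS and owner != src.split('_')[0]:
        findings.append(('review', f'cross-service access to {owner} data: allow only if intended'))
    verdict = max((v for v, _ in findings), key=SEVERITY.get, default='accept')
    return {'rule': rule, 'verdict': verdict, 'findings': [msg for _, msg in findings]}


def review_rules(text):
    return [review_rule(r) for r in parse_rules(text)]


def verdict_counts(text):
    """How many rules fall into each verdict bucket."""
    counts = {'accept': 0, 'review': 0, 'reject': 0}
    for r in review_rules(text):
        counts[r['verdict']] += 1
    return counts


if __name__ == '__main__':
    for r in review_rules(GENERATED_RULES):
        rule = r['rule']
        print(f"{r['verdict']:7} allow {rule['source']} {rule['target']}:{rule['tclass']} {rule['perms']}")
        for msg in r['findings']:
            print(f"         - {msg}")
    print(verdict_counts(GENERATED_RULES))
```

On a real system the input is the .te file written by `audit2allow -M local_ftpd` (which produces local_ftpd.te and local_ftpd.pp without needing the policy source tree; `semodule -i local_ftpd.pp` loads it). Trim the .te file down to the rules that come out as accept, or review with a written justification, and rebuild before loading; for the quoted output every rule is either reject or review, which is the expected result for a server that is being pointed at /root.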