LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-03-2012, 11:33 AM   #1
grob115
Member
 
Registered: Oct 2005
Posts: 542

SELinux types


Hello,

Just installed "vsftpd" and when trying to create a directory or upload a file, SELinux logs a line in both /var/log/messages and /var/log/audit/audit.log. When I run "sealert" I see the following:

Code:
[root@www htdocs]# sealert -l 68811587-7674-47eb-a2e5-a11f83d38cf3

Summary:

SELinux is preventing the ftp daemon from writing files outside the home
directory (./ftpdir).

Detailed Description:

SELinux has denied the ftp daemon write access to directories outside the home
directory (./ftpdir). Someone has logged in via your ftp daemon and is trying to
create or write a file. If you only setup ftp to allow anonymous ftp, this could
signal a intrusion attempt.

Allowing Access:

If you do not want SELinux preventing ftp from writing files anywhere on the
system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P
allow_ftpd_full_access=1"

The following command will allow this access:

setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context                user_u:system_r:ftpd_t
Target Context                root:object_r:usr_t
Target Objects                ./ftpdir [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          www.website.com
Source RPM Packages           vsftpd-2.0.5-24.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_full_access
Host Name                     www.website.com
Platform                      Linux www.website.com 2.6.18-194.el5 #1 SMP Fri
                              Apr 2 14:58:14 EDT 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Mon Apr  2 19:45:50 2012
Last Seen                     Tue Apr  3 08:48:58 2012
Local ID                      68811587-7674-47eb-a2e5-a11f83d38cf3
Line Numbers

Raw Audit Messages

host=www.website.com type=AVC msg=audit(1333468138.746:605504): avc:  denied  { write } for  pid=7809 comm="vsftpd" name="ftpdir" dev=dm-0 ino=8425137 scontext=user_u:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir

host=www.website.com type=SYSCALL msg=audit(1333468138.746:605504): arch=c000003e syscall=83 success=no exit=-13 a0=2b10769d6d00 a1=1ff a2=1 a3=0 items=0 ppid=7803 pid=7809 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4633 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
That's fine. Now while I can execute the following command, which I eventually did and had to, I wanted to try something more customized.
Code:
setsebool -P allow_ftpd_full_access=1
What I attempted was the following set of commands. Now the first one was fine. But when I executed the "restorecon" command, all the files were returned with a permission denied error. Googling online indicates I can't change the files' context type to "ftpd_t" because "ftpd_t" is a process context type, not a file context type. However, how do I check this? How can I know what is considered a file context type and what is considered a process context type?
Code:
semanage fcontext -a -t ftpd_t "/usr/local/apache2/htdocs/ftpdir(/.*)?"
restorecon -R -v /usr/local/apache2/htdocs/ftpdir
Also, based on the following, it appears that my Apache doesn't have access to the DB or the ability to bind to a port. However, it's doing both. So any idea how this works with the SELinux boolean options not set?
Code:
[root@www htdocs]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
 
Old 04-03-2012, 11:35 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

selinux is not trivial, I suggest you RTM - http://docs.redhat.com/docs/en-US/Re...nux/index.html
 
Old 04-04-2012, 12:36 PM   #3
grob115
Member
 
Registered: Oct 2005
Posts: 542

Original Poster
Thanks, but I read a portion of this document already before posting. After reading it I got more confused and came up with the above questions.
 
Old 04-04-2012, 05:49 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by grob115 View Post
(..) I can't change the files' context type to "ftpd_t" because "ftpd_t" is a process context type, not a file context type. However, how do I check this? How can I know what is considered a file context type and what is considered a process context type?
In case of the FTP domain 'man ftpd_selinux' lists the target context ("public_content_rw_t").


Quote:
Originally Posted by grob115 View Post
(..) my Apache doesn't have access to dB based on the following, and bind to a port. However, it's doing both. So any idea how this works with the SELinux boolean options not set?
While it seems often understood as "cannot connect to database" http://docs.redhat.com/docs/en-US/Re..._Booleans.html (or 'less /usr/share/setroubleshoot/plugins/httpd_can_network_connect_db.py') reports the boolean as "(..) enable Apache HTTP Server scripts and modules to connect to database servers (..)".

*Note for future reference that listing booleans is OK but it's by no means a complete configuration assessment. Should you ever need to troubleshoot something like that you need to include (if relevant) configuration files (best post the output of 'grep -v^# /path/to/conffile|grep .;' between BB code tags), log and error log excerpts, DAC file and directory permissions and SELinux port assignments ('semanage port -l') and contexts.
 
Old 04-04-2012, 06:05 PM   #5
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

If you run 'semanage fcontext -l | grep :ftpd' you'll see that all the ftpd* types are related to executing the binary, not managing the served content. If you read 'man 8 ftpd_selinux' you'll see that the types supported are 'public_content_t' and 'public_content_rw_t'.

If you're allowing user logins then setting a specific user's home dir to /usr/local/apache2/htdocs/ftpdir and running 'setsebool -P ftp_home_dir on' should allow you to upload the content. I'm guessing that as your httpd server is using /usr/local/apache2 it isn't installed via rpm and probably isn't covered by selinux, therefore you should just need to ensure that the umask for the ftp upload acct is allowing a+r.
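The two raw audit records quoted in post #1 carry everything needed to answer the "which type is the process and which is the file" question and to pick the fix that posts #4 and #5 describe: the AVC names the source domain (ftpd_t, in scontext) and the target file type (usr_t, in tcontext), and the matching SYSCALL record says what the daemon was doing (arch c000003e is x86_64, syscall 83 is mkdir, exit -13 is EACCES). The script below is an added example, not code from any of the posters. It parses those two records (copied here as constructed sample input, minus the 'host=' prefix sealert adds), decodes them, and emits the narrow remediation from ftpd_selinux(8): label the upload directory public_content_rw_t and enable allow_ftpd_anon_write, instead of the broad allow_ftpd_full_access. The directory path is taken from post #1 because the AVC only records the basename name="ftpdir"; the restorecon failure in post #1 happens because the policy only grants relabelto for types carrying the file_type attribute, and ftpd_t is a domain. The authoritative on-box check for that distinction is setools: 'seinfo -adomain -x' lists process types and 'seinfo -afile_type -x' lists file types.

```python
"""Parse SELinux AVC/SYSCALL audit records and suggest an ftpd remediation.

Added example for this thread, not code from the original posts. The sample
records below are constructed from the two audit lines quoted in post #1.
Remediation follows ftpd_selinux(8): uploaded content is labelled
public_content_rw_t and writes to it are gated by allow_ftpd_anon_write.
On-box check of a type's kind (setools):
    seinfo -adomain -x | grep ftpd_t       # process (domain) types
    seinfo -afile_type -x | grep usr_t     # file types
"""
import re

SAMPLE_AUDIT = """\
type=AVC msg=audit(1333468138.746:605504): avc:  denied  { write } for  pid=7809 comm="vsftpd" name="ftpdir" dev=dm-0 ino=8425137 scontext=user_u:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1333468138.746:605504): arch=c000003e syscall=83 success=no exit=-13 a0=2b10769d6d00 a1=1ff a2=1 a3=0 items=0 ppid=7803 pid=7809 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4633 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
"""

# arch=c000003e is AUDIT_ARCH_X86_64; numbers from the x86_64 syscall table.
X86_64_SYSCALLS = {2: "open", 82: "rename", 83: "mkdir", 85: "creat", 87: "unlink"}
ERRNO = {-13: "EACCES", -1: "EPERM"}
# Content types documented in ftpd_selinux(8).
FTP_CONTENT_TYPES = {"public_content_t", "public_content_rw_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*)\}')
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')


def parse_record(line):
    """One audit record -> dict of key=value fields, plus event id and perms."""
    rec = {m.group(1): m.group(2).strip('"') for m in FIELD_RE.finditer(line)}
    rec["event_id"] = EVENT_RE.search(line).group(1)
    if rec.get("type") == "AVC":
        m = PERMS_RE.search(line)
        rec["perms"] = m.group(1).split() if m else []
    return rec


def group_events(text):
    """Group records by event id: {event_id: {"AVC": rec, "SYSCALL": rec}}."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event_id"], {})[rec["type"]] = rec
    return events


def type_of(context):
    """Third field of user:role:type[:level] is the type."""
    return context.split(":")[2]


def remediation(domain, target_type, tclass, perms, path):
    """Narrowest fix for a write denial, per ftpd_selinux(8).
    (For per-user logins into a home directory, 'setsebool -P ftp_home_dir on'
    is the alternative mentioned in post #5.)"""
    if domain != "ftpd_t":
        return ["no ftpd-specific advice for domain " + domain]
    if "write" not in perms or tclass not in ("dir", "file"):
        return ["see 'man ftpd_selinux' and 'sealert -l <id>'"]
    cmds = ["setsebool -P allow_ftpd_anon_write=1"]
    if target_type not in FTP_CONTENT_TYPES:
        # Label the content, never the daemon domain: relabelto is only granted
        # for types with the file_type attribute, so relabelling to ftpd_t fails.
        cmds = ["semanage fcontext -a -t public_content_rw_t '%s(/.*)?'" % path,
                "restorecon -R -v %s" % path] + cmds
    return cmds


def analyze(event, path):
    """Decode one grouped event. 'path' is the full path of the denied object
    (assumed from post #1; the AVC only carries the basename)."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    out = {"domain": src, "target_type": tgt, "tclass": avc["tclass"],
           "perms": avc["perms"], "object": avc.get("name")}
    if sc:
        n = int(sc["syscall"])
        out["syscall"] = X86_64_SYSCALLS.get(n, str(n)) if sc.get("arch") == "c000003e" else str(n)
        out["errno"] = ERRNO.get(int(sc["exit"]), sc["exit"])
        out["uid"] = int(sc["uid"])
    out["remediation"] = remediation(src, tgt, avc["tclass"], avc["perms"], path)
    return out


if __name__ == "__main__":
    for eid, ev in group_events(SAMPLE_AUDIT).items():
        r = analyze(ev, "/usr/local/apache2/htdocs/ftpdir")
        print("event %s: %s %s -> %s on %s:%s by uid %s (%s)" % (
            eid, r["domain"], r["syscall"], "/".join(r["perms"]),
            r["tclass"], r["target_type"], r["uid"], r["errno"]))
        for c in r["remediation"]:
            print("  " + c)
```

Run it as-is and it prints the decoded denial (ftpd_t doing mkdir, denied write on a usr_t directory, uid 501, EACCES) followed by the three commands. After applying them, re-run 'ls -Z' on the directory to confirm public_content_rw_t and 'getsebool allow_ftpd_anon_write' to confirm the boolean; leave allow_ftpd_full_access off.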