Hello,
Just installed "vsftpd" and when trying to create a directory or upload a file, SELinux logs a line in both /var/log/messages and /var/log/audit/audit.log. When I ran "sealert" I saw the following:
Code:
[root@www htdocs]# sealert -l 68811587-7674-47eb-a2e5-a11f83d38cf3
Summary:
SELinux is preventing the ftp daemon from writing files outside the home
directory (./ftpdir).
Detailed Description:
SELinux has denied the ftp daemon write access to directories outside the home
directory (./ftpdir). Someone has logged in via your ftp daemon and is trying to
create or write a file. If you only setup ftp to allow anonymous ftp, this could
signal a intrusion attempt.
Allowing Access:
If you do not want SELinux preventing ftp from writing files anywhere on the
system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P
allow_ftpd_full_access=1"
The following command will allow this access:
setsebool -P allow_ftpd_full_access=1
Additional Information:
Source Context user_u:system_r:ftpd_t
Target Context root:object_r:usr_t
Target Objects ./ftpdir [ dir ]
Source vsftpd
Source Path /usr/sbin/vsftpd
Port <Unknown>
Host www.website.com
Source RPM Packages vsftpd-2.0.5-24.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_ftpd_full_access
Host Name www.website.com
Platform Linux www.website.com 2.6.18-194.el5 #1 SMP Fri
Apr 2 14:58:14 EDT 2010 x86_64 x86_64
Alert Count 9
First Seen Mon Apr 2 19:45:50 2012
Last Seen Tue Apr 3 08:48:58 2012
Local ID 68811587-7674-47eb-a2e5-a11f83d38cf3
Line Numbers
Raw Audit Messages
host=www.website.com type=AVC msg=audit(1333468138.746:605504): avc: denied { write } for pid=7809 comm="vsftpd" name="ftpdir" dev=dm-0 ino=8425137 scontext=user_u:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
host=www.website.com type=SYSCALL msg=audit(1333468138.746:605504): arch=c000003e syscall=83 success=no exit=-13 a0=2b10769d6d00 a1=1ff a2=1 a3=0 items=0 ppid=7803 pid=7809 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4633 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
That's fine. Now, while I could execute the following command (which I eventually did, and had to), I wanted to try something more customized.
Code:
setsebool -P allow_ftpd_full_access=1
What I attempted was the following set of commands. Now, the first one was fine. But when I executed the "restorecon" command, all the files came back with a "permission denied" error. Googling online indicates I can't change the files' context type to "ftpd_t" because "ftpd_t" is a process context type, not a file context type. However, how do I check this? How can I know what is considered a file context type and what is considered a process context type?
Code:
semanage fcontext -a -t ftpd_t "/usr/local/apache2/htdocs/ftpdir(/.*)?"
restorecon -R -v /usr/local/apache2/htdocs/ftpdir
Also, it appears that my Apache doesn't have access to the DB based on the following, nor can it bind to a port. However, it's doing both. So any idea how this works with the SELinux boolean options not set?
Code:
[root@www htdocs]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
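One way to answer the "is this a file type or a process type?" question is to check which policy attributes a type carries: types with the file_type attribute may label files and directories, types with the domain attribute may label processes. The script below is an added example and is not part of the original post; it assumes the setools package (the seinfo command) is available for the live check, and embeds constructed sample seinfo output so it can also run offline:

```shell
#!/bin/sh
# Added example: classify an SELinux type as a file type, a process domain,
# both, or unknown, by looking at the type attributes it carries.
#
# On a live system the attribute lists come from setools' seinfo:
#   seinfo -afile_type -x   # every type that may label a file or directory
#   seinfo -adomain -x      # every type that may label a process
#
# The two lists below are CONSTRUCTED sample output (first line is the
# attribute name, then one type per line) so the script runs offline. They
# are not a complete dump of any real policy.
SAMPLE_FILE_TYPES='   file_type
      public_content_rw_t
      public_content_t
      httpd_sys_content_t
      usr_t
      user_home_t'
SAMPLE_DOMAINS='   domain
      ftpd_t
      httpd_t
      unconfined_t'

# has_type LIST TYPE -> exit 0 if TYPE appears in LIST (exact match per line)
has_type() {
    printf '%s\n' "$1" | tr -d ' ' | grep -qx "$2"
}

# classify_lists FILE_LIST DOMAIN_LIST TYPE -> prints file|process|both|unknown
classify_lists() {
    _f=0; _d=0
    has_type "$1" "$3" && _f=1
    has_type "$2" "$3" && _d=1
    if [ "$_f" = 1 ] && [ "$_d" = 1 ]; then echo both
    elif [ "$_f" = 1 ]; then echo file
    elif [ "$_d" = 1 ]; then echo process
    else echo unknown
    fi
}

# classify TYPE -> classification against the constructed sample lists
classify() {
    classify_lists "$SAMPLE_FILE_TYPES" "$SAMPLE_DOMAINS" "$1"
}

# live_classify TYPE -> classification against the running policy via seinfo.
# Returns 2 (and prints a hint) when setools is not installed.
live_classify() {
    if ! command -v seinfo >/dev/null 2>&1; then
        echo "seinfo not found; install the setools package" >&2
        return 2
    fi
    classify_lists "$(seinfo -afile_type -x 2>/dev/null)" \
                   "$(seinfo -adomain -x 2>/dev/null)" "$1"
}

# Demo with the types from the post: ftpd_t (the process the AVC came from),
# usr_t (the directory's current label) and public_content_rw_t.
for t in ftpd_t usr_t public_content_rw_t; do
    printf '%-22s %s\n' "$t" "$(classify "$t")"
done
```

Against the sample data, ftpd_t classifies as "process" and usr_t as "file", which is exactly why the semanage fcontext/restorecon pair in the post fails: restorecon refuses to put a domain type on a directory. Once a candidate type is confirmed as a file type, it can be applied with the same semanage fcontext -a -t ... / restorecon -R commands shown above. In the RHEL 5 policy, labeling the directory public_content_rw_t and enabling allow_ftpd_anon_write grants write access to just that tree, a narrower change than allow_ftpd_full_access.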