LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-04-2010, 02:56 PM   #1
grob115
Member
vsftpd vs SELinux


Hi, I've configured my vsftpd to use chroot for an ftp account. So whenever an ftp user logs in, they'll be chrooted to /ftpuser. However, it appears that SELinux is having an issue with this, and I have to issue the following command in order to do uploads...
Code:
setsebool -P allow_ftpd_full_access=1
Somehow this doesn't appear to be the right approach. Has anyone else encountered a similar issue?

Following is the SELinux message...
Code:
[root@uat ~]# sealert -l 83137bfa-1735-4107-bdb7-f7cd762174de

Summary:

SELinux is preventing the ftp daemon from writing files outside the home
directory (./ftpuser).

Detailed Description:

SELinux has denied the ftp daemon write access to directories outside the home
directory (./ftpuser). Someone has logged in via your ftp daemon and is trying to
create or write a file. If you only setup ftp to allow anonymous ftp, this could
signal a intrusion attempt.

Allowing Access:

If you do not want SELinux preventing ftp from writing files anywhere on the
system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P
allow_ftpd_full_access=1"

The following command will allow this access:

setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context                root:system_r:ftpd_t
Target Context                root:object_r:usr_t
Target Objects                ./ftpuser [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          test.mysite.com
Source RPM Packages           vsftpd-2.0.5-16.el5_5.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_full_access
Host Name                     test.mysite.com
Platform                      Linux test.mysite.com 2.6.18-194.el5 #1 SMP Fri
                              Apr 2 14:58:14 EDT 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Mon Oct  4 12:31:27 2010
Last Seen                     Mon Oct  4 12:34:28 2010
Local ID                      83137bfa-1735-4107-bdb7-f7cd762174de
Line Numbers

Raw Audit Messages

host=test.mysite.com type=AVC msg=audit(1286220868.906:8856): avc:  denied  { write } for  pid=19649 comm="vsftpd" name="ftpuser" dev=dm-0 ino=850386 scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir

host=test.mysite.com type=SYSCALL msg=audit(1286220868.906:8856): arch=c000003e syscall=83 success=no exit=-13 a0=2b21eefe1330 a1=1ff a2=1 a3=0 items=0 ppid=19645 pid=19649 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=841 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
 
Old 10-04-2010, 04:25 PM   #2
unSpawn
Moderator
Quote:
Originally Posted by grob115 View Post
Code:
host=test.mysite.com type=AVC msg=audit(1286220868.906:8856): avc:  denied  { write } for  pid=19649 comm="vsftpd" name="ftpuser" dev=dm-0 ino=850386 scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir

host=test.mysite.com type=SYSCALL msg=audit(1286220868.906:8856): arch=c000003e syscall=83 success=no exit=-13 a0=2b21eefe1330 a1=1ff a2=1 a3=0 items=0 ppid=19645 pid=19649 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=841 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
Running the AVC through 'audit2allow' I get
Code:
#============= ftpd_t ==============
allow ftpd_t usr_t:dir write;
Now that "usr_t" context doesn't sound right to me (shouldn't that be "user_home_dir_t" when it's an unprivileged user's home?), but then again 'sesearch -s ftpd_t -t usr_t -a | grep dir.*write' returns
Code:
   allow ftpd_t usr_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir };
so...
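The two raw audit records quoted in both posts above, run through a small parser written as an added example (this is not code from the thread or from the SELinux tools). It correlates the AVC and SYSCALL records by their audit serial, renders the rule that audit2allow prints for the denial, decodes the syscall and errno for the x86_64 record on the page, and flags the point unSpawn raises: the target directory is labelled usr_t rather than a home-directory type. The decode tables cover only the values that appear on the page, and HOME_DIR_TYPES is my assumption about what a chrooted FTP home would normally be labelled with.

```python
import re
from typing import Dict, List

# The two audit records from the thread, joined into one log for the example.
SAMPLE_AUDIT_LOG = """\
host=test.mysite.com type=AVC msg=audit(1286220868.906:8856): avc:  denied  { write } for  pid=19649 comm="vsftpd" name="ftpuser" dev=dm-0 ino=850386 scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=dir
host=test.mysite.com type=SYSCALL msg=audit(1286220868.906:8856): arch=c000003e syscall=83 success=no exit=-13 a0=2b21eefe1330 a1=1ff a2=1 a3=0 items=0 ppid=19645 pid=19649 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=841 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
"""

# Decode tables limited to the values on the page; anything else is left as-is
# rather than guessed.
ARCH_NAMES = {"c000003e": "x86_64"}
X86_64_SYSCALLS = {83: "mkdir"}   # x86_64 syscall 83 is mkdir
ERRNO_NAMES = {-13: "EACCES"}

# Assumption: types a chrooted FTP user's home would normally carry.
HOME_DIR_TYPES = {"user_home_dir_t", "user_home_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text: str) -> Dict[str, str]:
    """Split 'k=v k="v v"' pairs, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_audit_log(log: str) -> List[Dict[str, object]]:
    """Group AVC and SYSCALL records by audit serial into one event per denial."""
    events: Dict[str, Dict[str, object]] = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            f = parse_fields(m.group("fields"))
            ev = events.setdefault(m.group("serial"), {})
            ev.update(
                verdict=m.group("verdict"),
                perms=m.group("perms").split(),
                source_type=context_type(f["scontext"]),
                target_type=context_type(f["tcontext"]),
                tclass=f["tclass"],
                comm=f.get("comm"),
                name=f.get("name"),
            )
            continue
        m = SYSCALL_RE.search(line)
        if m:
            f = parse_fields(m.group("fields"))
            ev = events.setdefault(m.group("serial"), {})
            sc = int(f["syscall"])
            ev.update(
                arch=ARCH_NAMES.get(f["arch"], f["arch"]),
                syscall=X86_64_SYSCALLS.get(sc, str(sc)) if f["arch"] == "c000003e" else str(sc),
                exit=ERRNO_NAMES.get(int(f["exit"]), f["exit"]),
                uid=int(f["uid"]),
            )
    return [events[k] for k in sorted(events)]


def allow_rule(ev: Dict[str, object]) -> str:
    """Render the allow rule audit2allow would print for one denial."""
    perms = ev["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {ev['source_type']} {ev['target_type']}:{ev['tclass']} {perm_text};"


def label_note(ev: Dict[str, object]) -> str:
    """The thread's observation: a dir denial whose target is not a home-dir type."""
    if ev["tclass"] == "dir" and ev["target_type"] not in HOME_DIR_TYPES:
        return (f"target '{ev['name']}' is labelled {ev['target_type']}, not a home-directory "
                f"type; check the directory label before widening policy")
    return ""


if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{ev['comm']} ({ev['source_type']}) {ev['verdict']} {ev['perms']} on "
              f"{ev['tclass']} {ev['target_type']} via {ev['syscall']} -> {ev['exit']} as uid {ev['uid']}")
        print("audit2allow would emit:", allow_rule(ev))
        print("note:", label_note(ev))
```

The rendered rule is exactly the `allow ftpd_t usr_t:dir write;` that unSpawn got back from audit2allow, and the decoded SYSCALL record shows the denied call was a mkdir by uid 501 inside the chroot, which matches the "trying to create or write a file" in the sealert summary. From a least-privilege standpoint the note is the useful output: a mislabelled directory is fixed by relabelling it, which is far narrower than turning on allow_ftpd_full_access for the whole daemon.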