View Issue Details

ID: 0007941
Project: CentOS-7
Category: vsftpd
View Status: public
Last Update: 2014-11-27 11:49
Reporter: gexmei
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
OS: CentOS Linux release
OS Version: 7.0.1406 (Core)
Product Version: 7.0-1406
Summary: 0007941: SELinux keeps FTP (vsftpd) user from uploading files

Description:
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# firewall-cmd --permanent --remove-port=20-21/tcp

The vsftpd.conf is the default, pretty sure!!!
[root@localhost ~]# cat -n /etc/vsftpd/vsftpd.conf | grep write_enable
    19 write_enable=YES

Steps To Reproduce:
[root@localhost ~]# useradd test
[root@localhost ~]# passwd test

Uploading a file is OK.
Deleting a file is OK.

[root@localhost ~]# reboot
Uploading a file fails.



Additional Information:
I'm from China. My English is very poor.
Please refer to my attachment. Thanks!
The system log prompted me to report this bug.
Tags: No tags attached.
abrt_hash:
URL:

Activities

gexmei

2014-11-27 11:49

reporter  

error.txt (7,175 bytes)   
[root@localhost home]# tail /var/log/messages 
Nov 27 18:27:01 localhost dbus-daemon: dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:27:01 localhost dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:27:02 localhost dbus-daemon: dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:27:02 localhost dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:27:02 localhost setroubleshoot: Plugin Exception restorecon_source
Nov 27 18:27:02 localhost setroubleshoot: Plugin Exception restorecon
Nov 27 18:27:02 localhost setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from create access on the file . For complete SELinux messages. run sealert -l 953b2331-3ecb-4498-be5a-8b5fbde8618d
Nov 27 18:27:02 localhost python: SELinux is preventing /usr/sbin/vsftpd from create access on the file .

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow ftp to home dir
Then you must tell SELinux about this by enabling the 'ftp_home_dir' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftp_home_dir 1

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow ftpd to full access
Then you must tell SELinux about this by enabling the 'ftpd_full_access' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftpd_full_access 1

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that vsftpd should be allowed create access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


#####################################################################################################################

[root@localhost ~]# sealert -l 953b2331-3ecb-4498-be5a-8b5fbde8618d
SELinux is preventing /usr/sbin/vsftpd from create access on the file .

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow ftp to home dir
Then you must tell SELinux about this by enabling the 'ftp_home_dir' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftp_home_dir 1

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow ftpd to full access
Then you must tell SELinux about this by enabling the 'ftpd_full_access' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftpd_full_access 1

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that vsftpd should be allowed create access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                 [ file ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           vsftpd-3.0.2-9.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              3.10.0-123.9.3.el7.x86_64 #1 SMP Thu Nov 6
                              15:06:03 UTC 2014 x86_64 x86_64
Alert Count                   8
First Seen                    2014-11-27 18:18:30 CST
Last Seen                     2014-11-27 18:27:01 CST
Local ID                      953b2331-3ecb-4498-be5a-8b5fbde8618d

Raw Audit Messages
type=AVC msg=audit(1417084021.717:459): avc:  denied  { create } for  pid=2895 comm="vsftpd" name=5858E7B3BBE7BB9FE58D87E7BAA7E983A8E7BDB2E696B9E6A18828E59088292E646F6378 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1417084021.717:459): arch=x86_64 syscall=open success=no exit=EACCES a0=7f77821ee700 a1=841 a2=1b6 a3=2 items=0 ppid=2890 pid=2895 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Hash: vsftpd,ftpd_t,user_home_t,file,create


#####################################################################################################################

[root@localhost ~]# setsebool -P ftpd_full_access 1

#####################################################################################################################

[root@localhost home]# tail /var/log/messages 
Nov 27 18:27:12 localhost dbus-daemon: 'list' object has no attribute 'split'
Nov 27 18:27:12 localhost dbus-daemon: string index out of range
Nov 27 18:28:01 localhost dbus-daemon: dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:28:01 localhost dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:28:02 localhost dbus-daemon: dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:28:02 localhost dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:28:47 localhost systemd-logind: New session 7 of user root.
Nov 27 18:28:47 localhost systemd: Starting Session 7 of user root.
Nov 27 18:28:47 localhost systemd: Started Session 7 of user root.
Nov 27 18:30:01 localhost systemd: Starting Session 8 of user root.
Nov 27 18:30:01 localhost systemd: Started Session 8 of user root.
Nov 27 18:30:29 localhost dbus-daemon: dbus[614]: avc:  received policyload notice (seqno=2)
Nov 27 18:30:29 localhost dbus[614]: avc:  received policyload notice (seqno=2)
Nov 27 18:30:29 localhost dbus-daemon: dbus[614]: [system] Reloaded configuration
Nov 27 18:30:29 localhost dbus[614]: [system] Reloaded configuration
Nov 27 18:30:31 localhost dbus-daemon: dbus[614]: avc:  received policyload notice (seqno=3)
Nov 27 18:30:31 localhost dbus[614]: avc:  received policyload notice (seqno=3)
Nov 27 18:30:31 localhost dbus-daemon: dbus[614]: [system] Reloaded configuration
Nov 27 18:30:31 localhost dbus[614]: [system] Reloaded configuration
Nov 27 18:30:31 localhost setsebool: The ftp_home_dir policy boolean was changed to 1 by root
Nov 27 18:40:01 localhost systemd: Starting Session 9 of user root.
Nov 27 18:40:01 localhost systemd: Started Session 9 of user root.

Issue History

Date Modified Username Field Change
2014-11-27 11:49 gexmei New Issue
2014-11-27 11:49 gexmei File Added: error.txt
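
Added example (not part of the original report, and not setroubleshoot's own code): the AVC record from the attachment carries the file name as bare hex, which is how auditd writes untrusted strings that are not plain printable ASCII. The Python sketch below parses that record, decodes the name, and rebuilds the tuple shown on the report's "Hash:" line; the helper names and the one-entry boolean table are assumptions made for this example.

```python
import re

# AVC record copied from the "Raw Audit Messages" part of the attachment above.
AVC = ('type=AVC msg=audit(1417084021.717:459): avc:  denied  { create } for  '
       'pid=2895 comm="vsftpd" name=5858E7B3BBE7BB9FE58D87E7BAA7E983A8E7BDB2'
       'E696B9E6A18828E59088292E646F6378 '
       'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:user_home_t:s0 tclass=file')

# Only these fields hold untrusted strings; decoding others would mangle
# values such as pid=2895, which also looks like valid hex.
ENCODED_FIELDS = {"name", "comm", "path", "exe"}

# Hypothetical triage table for this example: the narrower of the two booleans
# sealert offers in the report for an ftpd_t -> user_home_t denial.
NARROWEST_BOOLEAN = {("ftpd_t", "user_home_t"): "ftp_home_dir"}

def decode_audit_string(value):
    """Return the readable form of a quoted or hex-encoded audit string."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value  # e.g. (null) or another unquoted token

def parse_avc(line):
    m = re.search(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)", line)
    if m is None:
        raise ValueError("not an AVC record")
    # Values contain no spaces: auditd hex-encodes any string that would.
    fields = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
    for key in ENCODED_FIELDS & fields.keys():
        fields[key] = decode_audit_string(fields[key])
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # A context is user:role:type:level; the type is what policy rules match on.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def alert_hash(rec):
    """Same field order as the 'Hash:' line in the report."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"],
                     rec["tclass"], *rec["perms"]])

def narrowest_boolean(rec):
    return NARROWEST_BOOLEAN.get((rec["stype"], rec["ttype"]))

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["name"], "|", alert_hash(rec), "|", narrowest_boolean(rec))
```

On a live system, `ausearch -i` performs the same hex decoding when it interprets records.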