View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007941 | CentOS-7 | vsftpd | public | 2014-11-27 11:49 | 2014-11-27 11:49 |
Reporter | gexmei | Assigned To | | | |
Priority | high | Severity | major | Reproducibility | always |
Status | new | Resolution | open | | |
OS | CentOS Linux release | OS Version | 7.0.1406 (Core) | | |
Product Version | 7.0-1406 | | | | |
Summary | 0007941: SELinux keep from ftp(vsftpd) user upload file | | | | |

Description

```
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# firewall-cmd --permanent --remove-port =20-21/tcp
The vsftpd.conf is default, pretty sure!!!
[root@localhost ~]# cat -n /etc/vsftpd/vsftpd.conf | grep write_enable
19 write_enable=YES
```

Steps To Reproduce

```
[root@localhost ~]# useradd test
[root@localhost ~]# passwd test
The use of upload file is ok
The use of delete file is ok
[root@localhost ~]# reboot
The use of upload Failure
```

Additional Information

I'm from China, my English is very poor. Please refer to my attachment, thanks! The system log prompted me to report this bug.

Tags | No tags attached. | | | | |
abrt_hash | | | | | |
URL | | | | | |
error.txt (7,175 bytes)

```
[root@localhost home]# tail /var/log/messages
Nov 27 18:27:01 localhost dbus-daemon: dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:27:01 localhost dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:27:02 localhost dbus-daemon: dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:27:02 localhost dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:27:02 localhost setroubleshoot: Plugin Exception restorecon_source
Nov 27 18:27:02 localhost setroubleshoot: Plugin Exception restorecon
Nov 27 18:27:02 localhost setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from create access on the file . For complete SELinux messages. run sealert -l 953b2331-3ecb-4498-be5a-8b5fbde8618d
Nov 27 18:27:02 localhost python: SELinux is preventing /usr/sbin/vsftpd from create access on the file .

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow ftp to home dir
Then you must tell SELinux about this by enabling the 'ftp_home_dir' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftp_home_dir 1

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow ftpd to full access
Then you must tell SELinux about this by enabling the 'ftpd_full_access' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftpd_full_access 1

***** Plugin catchall (6.38 confidence) suggests **************************

If you believe that vsftpd should be allowed create access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

#####################################################################################################################
[root@localhost ~]# sealert -l 953b2331-3ecb-4498-be5a-8b5fbde8618d
SELinux is preventing /usr/sbin/vsftpd from create access on the file .

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If �Ҫ allow ftp to home dir
Then ��������� 'ftp_home_dir' ����ֵ��֪ SELinux ������
������Ķ� 'None' �ֲ�ҳ���˽����顣
Do
setsebool -P ftp_home_dir 1

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If �Ҫ allow ftpd to full access
Then ��������� 'ftpd_full_access' ����ֵ��֪ SELinux ������
������Ķ� 'None' �ֲ�ҳ���˽����顣
Do
setsebool -P ftpd_full_access 1

***** Plugin catchall (6.38 confidence) suggests **************************

If �ȷ��ӦĬ������ vsftpd create ���� file��
Then �Ӧ�ý������Ϊ bug ���档
�������ɱ��ز���ģ�����������ʡ�
Do
��ִ����������ʱ���������ʣ�
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                [ file ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           vsftpd-3.0.2-9.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-123.9.3.el7.x86_64 #1 SMP Thu Nov 6 15:06:03 UTC 2014 x86_64 x86_64
Alert Count                   8
First Seen                    2014-11-27 18:18:30 CST
Last Seen                     2014-11-27 18:27:01 CST
Local ID                      953b2331-3ecb-4498-be5a-8b5fbde8618d

Raw Audit Messages
type=AVC msg=audit(1417084021.717:459): avc: denied { create } for pid=2895 comm="vsftpd" name=5858E7B3BBE7BB9FE58D87E7BAA7E983A8E7BDB2E696B9E6A18828E59088292E646F6378 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1417084021.717:459): arch=x86_64 syscall=open success=no exit=EACCES a0=7f77821ee700 a1=841 a2=1b6 a3=2 items=0 ppid=2890 pid=2895 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Hash: vsftpd,ftpd_t,user_home_t,file,create

#####################################################################################################################
[root@localhost ~]# setsebool -P ftpd_full_access 1
#####################################################################################################################
[root@localhost home]# tail /var/log/messages
Nov 27 18:27:12 localhost dbus-daemon: 'list' object has no attribute 'split'
Nov 27 18:27:12 localhost dbus-daemon: string index out of range
Nov 27 18:28:01 localhost dbus-daemon: dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:28:01 localhost dbus[614]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 27 18:28:02 localhost dbus-daemon: dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:28:02 localhost dbus[614]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Nov 27 18:28:47 localhost systemd-logind: New session 7 of user root.
Nov 27 18:28:47 localhost systemd: Starting Session 7 of user root.
Nov 27 18:28:47 localhost systemd: Started Session 7 of user root.
Nov 27 18:30:01 localhost systemd: Starting Session 8 of user root.
Nov 27 18:30:01 localhost systemd: Started Session 8 of user root.
Nov 27 18:30:29 localhost dbus-daemon: dbus[614]: avc: received policyload notice (seqno=2)
Nov 27 18:30:29 localhost dbus[614]: avc: received policyload notice (seqno=2)
Nov 27 18:30:29 localhost dbus-daemon: dbus[614]: [system] Reloaded configuration
Nov 27 18:30:29 localhost dbus[614]: [system] Reloaded configuration
Nov 27 18:30:31 localhost dbus-daemon: dbus[614]: avc: received policyload notice (seqno=3)
Nov 27 18:30:31 localhost dbus[614]: avc: received policyload notice (seqno=3)
Nov 27 18:30:31 localhost dbus-daemon: dbus[614]: [system] Reloaded configuration
Nov 27 18:30:31 localhost dbus[614]: [system] Reloaded configuration
Nov 27 18:30:31 localhost setsebool: The ftp_home_dir policy boolean was changed to 1 by root
Nov 27 18:40:01 localhost systemd: Starting Session 9 of user root.
Nov 27 18:40:01 localhost systemd: Started Session 9 of user root.
```
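For triage of the denial in the attachment, the following added example (not part of the original report and not setroubleshoot's own code) parses the AVC record, decodes the hex-encoded `name=` field that the audit log uses for file names with non-ASCII bytes, and rebuilds the `Hash:` key that sealert prints. The function names and the `BOOLEANS` table are assumptions made for illustration; the table holds only the two booleans suggested in this report, with `ftp_home_dir` first because `ftpd_full_access` opens every file on the system to ftpd.

```python
import re

# AVC record copied from the report's sealert output, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1417084021.717:459): avc: denied { create } for '
    'pid=2895 comm="vsftpd" '
    'name=5858E7B3BBE7BB9FE58D87E7BAA7E983A8E7BDB2E696B9E6A18828E59088292E646F6378 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file'
)

# Hypothetical lookup built only from this report; narrowest boolean first.
BOOLEANS = {("ftpd_t", "user_home_t"): ["ftp_home_dir", "ftpd_full_access"]}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_name(raw):
    """Quoted values are literal; a bare hex string is an encoded name."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # for example "(null)"

def parse_avc(line):
    """Return the fields needed for triage, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group(2)))
    return {
        "perms": m.group(1).split(),
        "comm": f.get("comm", "").strip('"'),
        "name": decode_name(f["name"]) if "name" in f else None,
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f.get("tclass", ""),
    }

def alert_key(avc):
    """Rebuild the 'Hash:' line sealert prints for this denial."""
    return ",".join([avc["comm"], avc["source_type"], avc["target_type"],
                     avc["tclass"], " ".join(avc["perms"])])

def candidate_booleans(avc):
    return BOOLEANS.get((avc["source_type"], avc["target_type"]), [])

if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(alert_key(avc), avc["name"], candidate_booleans(avc))
```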