[CentOS] vsftpd and SElinux

Tue Dec 9 20:02:16 UTC 2008
Dirk H. Schulz <dirk.schulz at kinzesberg.de>

Hi folks,

I have configured vsftpd with virtual users for webserver users (that 
means, a virtual user's chrooted home is the document root of a virtual host 
in apache). That works fine so far - as long as SElinux is not enforcing.

I have tried to audit2allow out the problem, but did not succeed. Virtual 
vsftpd users are denied access to directories: virtual users are mapped to 
a system user with vsftpd; after login the vsftpd process changes into the 
system user's home directory, then into the virtual user's chroot. And the 
first step (changing into the system user's home dir) is denied by SElinux.
But there is no "avc denial" in the audit log any more - I have policied these 
out completely. There seems to be a "dontaudit" denial working - which I 
cannot make visible on CentOS since the -D flag is not available for 
semodule (as it is in Fedora 9, e.g.).

So I am quite stuck here. Is there anything I can do to find the denial I 
need to feed into audit2allow? Or some other way to make SElinux accept 
vsftpd's access?
Perhaps someone out there has already gone through this process.

Any hint or help is appreciated.

Dirk
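As an added illustration (not part of the original post or of the vsftpd/SELinux tooling), the script below does what audit2allow does for the AVC step: it parses denial records for the ftpd_t domain, groups them by source type, target type and object class, and renders the corresponding allow rules so the missing access stands out. The audit lines are constructed to resemble the chroot-into-home-dir denial described above; on a real system they only appear in audit.log once the dontaudit rules are switched off (semodule -DB, where that release's policycoreutils supports it).

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the original post): the shape a
# vsftpd home-dir/chroot denial takes once dontaudit rules are disabled.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1228852936.101:201): avc:  denied  { search } for  pid=2211 comm="vsftpd" name="webuser" dev=sda3 ino=524291 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1228852936.102:202): avc:  denied  { getattr } for  pid=2211 comm="vsftpd" path="/home/webuser" dev=sda3 ino=524291 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1228852936.250:203): avc:  denied  { read } for  pid=2211 comm="vsftpd" name="index.html" dev=sda3 ino=524400 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1228852936.250:203): arch=40000003 syscall=5 success=no exit=-13
"""

# One AVC record: the permission set in braces, then source/target context and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    # SELinux context is user:role:type[:level]; the policy rule needs the type.
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)} for all AVC lines."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records carry no denial
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render one audit2allow-style 'allow' line per (source, target, class) triple."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Before loading a generated module, check whether an existing boolean already grants the access more narrowly; on the CentOS 5 targeted policy, ftp_home_dir covers ftpd_t entering user home directories.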