[CentOS] SELinux - way of the future or good idea but !!!
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 7 15:42:08 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/07/2010 10:36 AM, Benjamin Franz wrote:
> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>
>> I agree, and would like to look at the AVC's to understand what could
>> have broken the labeling
>
> Well - since it happened again this morning, here you go. On further
> investigation in backups, I previously had the user account that I use
> for the FTP based update with its home directory set to a location
> inside the /var/www/html tree. Since that unknowingly passed this rule,
> it silently worked. It was changed to a /home/ based directory instead a
> while ago - tripping this rule. But not consistently: FTP appears to at
> least partially work outside the home tree even with the rule active.
>
> I *really* dislike landmines when doing routine system tasks.
>
>
>
> Dec 7 07:14:19 10.96.1.9 setroubleshoot: SELinux is preventing the ftp
> daemon from writing files outside the home directory (./upgrade). For
> complete SELinux messages. run sealert -l
> e7787694-644e-4e4e-9b45-bd86c7eb33ce
>
>
> sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce
>
> Summary:
>
> SELinux is preventing the ftp daemon from writing files outside the home
> directory (./upgrade).
>
> Detailed Description:
>
> SELinux has denied the ftp daemon write access to directories outside
> the home
> directory (./upgrade). Someone has logged in via your ftp daemon and is
> trying
> to create or write a file. If you only setup ftp to allow anonymous ftp,
> this
> could signal a intrusion attempt.
>
> Allowing Access:
>
> If you do not want SELinux preventing ftp from writing files anywhere on the
> system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P
> allow_ftpd_full_access=1"
>
> The following command will allow this access:
>
> setsebool -P allow_ftpd_full_access=1
>
> Additional Information:
>
> Source Context system_u:system_r:ftpd_t
> Target Context system_u:object_r:httpd_sys_content_t
> Target Objects ./upgrade [ dir ]
> Source vsftpd
> Source Path /usr/sbin/vsftpd
> Port <Unknown>
> Host XXXXXXXXXXXXXX
> Source RPM Packages vsftpd-2.1.0-2
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_ftpd_full_access
> Host Name XXXXXXXXXXXXX
> Platform Linux XXXXXXXXXXXX 2.6.18-194.26.1.el5 #1 SMP
> Tue Nov 9 12:54:40 EST 2010 i686 i686
> Alert Count 17
> First Seen Thu Dec 2 12:10:14 2010
> Last Seen Tue Dec 7 07:14:19 2010
> Local ID e7787694-644e-4e4e-9b45-bd86c7eb33ce
> Line Numbers
>
> Raw Audit Messages
>
> host=XXXXXXXXXXXXXXXXXXXX type=AVC msg=audit(1291734859.344:6678): avc:
> denied { write } for pid=1018 comm="vsftpd" name="upgrade" dev=dm-5
> ino=1926503 scontext=system_u:system_r:ftpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> host=XXXXXXXXXXXXXXXXXXXX type=SYSCALL msg=audit(1291734859.344:6678):
> arch=40000003 syscall=39 success=no exit=-13 a0=8e340d0 a1=1ff a2=802330
> a3=1 items=0 ppid=1014 pid=1018 auid=502 uid=502 gid=100 euid=502
> suid=502 fsuid=502 egid=100 sgid=100 fsgid=100 tty=(none) ses=1017
> comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0
> key=(null)
>
>
Where is the directory upgrade located. SELinux is complaining about
the ftp site writing to a directory labeled as apache content
(httpd_sys_content_t. The way we usually handle shared data between
"sharing domains" is to label the content public_content_rw_t.
The following man pages explain these labels.
man ftpd_selinux
man httpd_selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz+VdAACgkQrlYvE4MpobMQiACeI5mbC5rOqwxphNavqoomcOMn
fgEAniywRXmiDrnje2nC2vdrv+DGU56f
=qJ03
-----END PGP SIGNATURE-----
More information about the CentOS
mailing list