[CentOS] SELinux - way of the future or good idea but !!!

Tue Dec 7 15:36:58 UTC 2010
Benjamin Franz <jfranz at freerun.com>

On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
> I agree, and would like to look at the AVC's to understand what could
> have broken the labeling

Well - since it happened again this morning, here you go. On further 
investigation in backups, I previously had the user account that I use 
for the FTP based update with its home directory set to a location 
inside the /var/www/html tree. Since that unknowingly passed this rule, 
it silently worked. It was changed to a /home/ based directory instead a 
while ago - tripping this rule. But not consistently: FTP appears to at 
least partially work outside the home tree even with the rule active.

I *really* dislike landmines when doing routine system tasks.

Dec  7 07:14:19 setroubleshoot: SELinux is preventing the ftp 
daemon from writing files outside the home directory (./upgrade). For 
complete SELinux messages. run sealert -l 

sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce


SELinux is preventing the ftp daemon from writing files outside the home
directory (./upgrade).

Detailed Description:

SELinux has denied the ftp daemon write access to directories outside 
the home
directory (./upgrade). Someone has logged in via your ftp daemon and is 
to create or write a file. If you only setup ftp to allow anonymous ftp, 
could signal a intrusion attempt.

Allowing Access:

If you do not want SELinux preventing ftp from writing files anywhere on the
system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P

The following command will allow this access:

setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context                system_u:system_r:ftpd_t
Target Context                system_u:object_r:httpd_sys_content_t
Target Objects                ./upgrade [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port <Unknown>
Host                          XXXXXXXXXXXXXX
Source RPM Packages           vsftpd-2.1.0-2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_full_access
Host Name                     XXXXXXXXXXXXX
Platform                      Linux XXXXXXXXXXXX 2.6.18-194.26.1.el5 #1 SMP
                               Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   17
First Seen                    Thu Dec  2 12:10:14 2010
Last Seen                     Tue Dec  7 07:14:19 2010
Local ID                      e7787694-644e-4e4e-9b45-bd86c7eb33ce
Line Numbers

Raw Audit Messages

host=XXXXXXXXXXXXXXXXXXXX type=AVC msg=audit(1291734859.344:6678): avc:  
denied  { write } for  pid=1018 comm="vsftpd" name="upgrade" dev=dm-5 
ino=1926503 scontext=system_u:system_r:ftpd_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

host=XXXXXXXXXXXXXXXXXXXX type=SYSCALL msg=audit(1291734859.344:6678): 
arch=40000003 syscall=39 success=no exit=-13 a0=8e340d0 a1=1ff a2=802330 
a3=1 items=0 ppid=1014 pid=1018 auid=502 uid=502 gid=100 euid=502 
suid=502 fsuid=502 egid=100 sgid=100 fsgid=100 tty=(none) ses=1017 
comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0 

Benjamin Franz