The PAM config files for vsftpd and prpftpd look like this:
#%PAM-1.0 session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include system-auth account include system-auth session include system-auth session required pam_loginuid.so
So it makes sense for ftpd_t to be able to set the login uid and create a session keyring:
logging_set_loginuid(ftpd_t) allow ftpd_t self:key { write search link };
Curiously, I've done this locally but still get this AVC when logging in on proftpd, with an open dovecot IMAP session on the same server:
type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
Paul.