The PAM config files for vsftpd and proftpd look like this:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
So it makes sense for ftpd_t to be able to set the login uid and create a session keyring:
logging_set_loginuid(ftpd_t)
allow ftpd_t self:key { write search link };
Curiously, I've done this locally but still get this AVC when logging in on proftpd, with an open dovecot IMAP session on the same server:
type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
Paul.
Paul Howarth wrote:
FWIW, I'm also getting in /var/log/secure:
Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() failed: Operation not permitted
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): System error
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
I don't see any AVCs to go with these, and adding:
logging_send_audit_msg(ftpd_t)
doesn't seem to help.
Paul.
Paul Howarth wrote:
Paul Howarth wrote:
I don't see any AVCs to go with these, and adding:
logging_send_audit_msg(ftpd_t)
doesn't seem to help.
Paul.
This could be caused by proftpd not running as root and not having the audit_write capability. So a DAC error could be causing this problem.
type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
I have no idea what this even means. :^) One of these days I need to investigate the kernel keyring.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Daniel J Walsh wrote:
This could be caused by proftpd not running as root and not having the audit_write capability. So a DAC error could be causing this problem.
Proftpd runs as nobody out of the box; what would I need to change to fix this? Which object's DAC permissions are the problem?
I have no idea what this even means. :^) One of these days I need to investigate the kernel keyring.
It doesn't seem to cause any problem, but I would like to know what it is if you ever figure it out.
Cheers, Paul.
Paul Howarth wrote:
Proftpd runs as nobody out of the box; what would I need to change to fix this? Which object's DAC permissions are the problem?
proftpd would need to start as root and then setuid to "nobody". When it does setuid it would need to keep the AUDIT_WRITE capability.
Daniel J Walsh wrote:
proftpd would need to start as root and then setuid to "nobody". When it does setuid it would need to keep the AUDIT_WRITE capability.
OK thanks. It does most of this already. There's a proftpd module mod_cap that gets built by default and allows the specification of capabilities to retain, but unfortunately CAP_AUDIT_WRITE isn't one of the capabilities it manipulates. However, a quick patch fixed that and now it seems OK:
Jun 26 14:33:44 goalkeeper proftpd: pam_unix(proftpd:session): session opened for user paul by (uid=0)
Jun 26 14:33:44 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - USER paul: Login successful.
Jun 26 14:33:48 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 14:33:48 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
Paul.
selinux@lists.fedoraproject.org