Fedora Linux Support Community & Resources Center

#1 salex, 31st December 2009, 08:59 PM
SELinux is preventing /usr/sbin/vsftpd "net_raw" access

Hi Friends,
I receive the message "SELinux is preventing /usr/sbin/vsftpd "net_raw" access" many times. I found this bug at Red Hat but really do not understand what I should do about it. Kindly let me know how to change this back to normal. Shutting down SELinux is not the way out. Thank you very much.
#2 macemoneta, 31st December 2009, 11:01 PM
You'll need to create a local policy to allow the access. First, make sure you have the necessary packages installed (all the following as root):

Code:
yum install selinux-policy-targeted policycoreutils libselinux selinux-policy libselinux-python libselinux-devel policycoreutils-python policycoreutils-gui libselinux-utils policycoreutils-sandbox checkpolicy
Then, reload policy to get a clean start for audit2allow, and set permissive mode to collect all required authorizations:

Code:
semodule -R
setenforce 0
Now recreate the situation that causes the audit (stop/start vsftpd, transfer files, etc.). Once the audits have appeared, create a local policy using audit2allow:

Code:
mkdir /etc/local-selinux-policy
audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
You can examine the policy created (/etc/local-selinux-policy/local001.te), and then load it with:

Code:
cd /etc/local-selinux-policy/
checkmodule -M -m -o local001.mod local001.te
semodule_package -o local001.pp -m local001.mod
semodule -i local001.pp
Finally, you can re-enable enforcing mode:

Code:
setenforce 1
You can repeat this process (incrementing the file name: local002, local003, etc.) for future authorizations that you need to make.

#3 jonathonp, 2nd January 2010, 12:40 AM
I'm using Fedora 12 x86_64 and I am receiving the same error when I log in to vsftpd to test the connection. How do I fix this:

Code:
SELinux is preventing /usr/sbin/vsftpd "net_raw" access.

Code:
 audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 24, in <module>
    import sepolgen.policygen as policygen
  File "/usr/lib64/python2.6/site-packages/sepolgen/policygen.py", line 33, in <module>
    from setools import *
ImportError: No module named setools
Code:
Package setools-3.3.6-4.fc12.x86_64 already installed and latest version
The bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=550657
__________________
http://poppleit.com/

Fedora 17 XFCE x64, Xubuntu 12.04 LTS x64, Windows 7 64bit
HP-ProBook 5830 i3 - PC AMD Core 4
MacBookPro v10.7.4 - 2.8GHz i7 4GB RAM

#4 macemoneta, 2nd January 2010, 12:58 AM
You'll need to update to the testing version of the tools, as it looks like they broke the policy generation tools in the last push:

Code:
yum --enablerepo=updates-testing install selinux-policy-targeted policycoreutils libselinux selinux-policy libselinux-python libselinux-devel policycoreutils-python policycoreutils-gui libselinux-utils policycoreutils-sandbox checkpolicy
#5 jonathonp, 2nd January 2010, 03:28 AM
Hi macemoneta. Unfortunately it's still broken after updating.
#6 macemoneta, 2nd January 2010, 03:52 AM
I have policycoreutils-python-2.0.78-6.fc12.x86_64 (which includes audit2allow). What version are you using? If you need a different version, you can get it from koji, the Fedora build system.

I think I found the problem you're having.
#7 jonathonp, 2nd January 2010, 05:53 AM
Hi macemoneta. This is what I have done so far:

I downloaded policycoreutils-python-2.0.78-6.fc12.x86_64 and its dependencies from the koji website.
Next I created a local repository to install them:
Code:
gedit /etc/yum.repos.d/koji.repo
Code:
[koji]
name=Fedora 12 - x86_64 - Just Born
baseurl=file:///path-to-local-repo-koji
enabled=1
gpgcheck=0
Code:
yum install policycoreutils-python-2.0.78-6.fc12.x86_64
Example:
Code:
Dependency Installed:
  setools-libs-python.x86_64 0:3.3.6-4.fc12                                     
Updated:
  policycoreutils-python.x86_64 0:2.0.78-6.fc12                                 
Dependency Updated:
  policycoreutils.x86_64 0:2.0.78-6.fc12                                        
  policycoreutils-gui.x86_64 0:2.0.78-6.fc12                                    
  policycoreutils-sandbox.x86_64 0:2.0.78-6.fc12
Then I followed your initial instructions:
Code:
[root@explore jonathon]# semodule -R
[root@explore jonathon]# setenforce 0
[root@explore jonathon]# mkdir /etc/local-selinux-policy
[root@explore local-selinux-policy]# audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
[root@explore local-selinux-policy]# cd /etc/local-selinux-policy/
[root@explore local-selinux-policy]# checkmodule -M -m -o local001.mod local001.te
checkmodule:  loading policy configuration from local001.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 10) to local001.mod
[root@explore local-selinux-policy]# semodule_package -o local001.pp -m local001.mod
[root@explore local-selinux-policy]# semodule -i local001.pp
[root@explore local-selinux-policy]# setenforce 1
When I start vsftpd with SELinux enabled I get the following:
Code:
[jonathon@explore ~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.0)
Name (localhost:jonathon): jonathon
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/jonathon
Login failed.
ftp>
If I disable SELinux I get:
Code:
[jonathon@explore ~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.0)
Name (localhost:jonathon): jonathon
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
After all my research into FTP clients and servers I'm still new to FTP and the 'Very Secure FTP Daemon' and getting things set up.

I no longer receive any SELinux errors, so I guess that is progress. Maybe the policy needs to be refined?
#8 macemoneta, 2nd January 2010, 06:02 AM
Did you run that same sequence before creating the policy with audit2allow? If not, you need to create a second local policy. If so, then you probably need to allow ftp access to home directories (as root):

Code:
setsebool -P ftp_home_dir on
You can see the available booleans for selinux with:

Code:
getsebool -a | less
#9 jonathonp, 2nd January 2010, 07:43 AM
Did the trick:

Code:
[root@explore jonathon]# setsebool -P ftp_home_dir on
[root@explore jonathon]# setenforce 1
Code:
[jonathon@explore ~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.0)
Name (localhost:jonathon): jonathon
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Code:
getsebool -a | less
is very helpful info with regard to selinux.

What does this

Code:
Trying ::1...
ftp: connect to address ::1Connection refused
exactly mean?

Thanks for your help.
#10 macemoneta, 2nd January 2010, 08:06 AM
The loopback address on an IPv6 network is 0:0:0:0:0:0:0:1 which is abbreviated as ::1.

So the message is saying it tried the IPv6 loopback address of localhost, then the IPv4 loopback address of localhost.

By the way, Fedora has pretty good selinux documentation if you are going to be using and administering it: here.
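To show what the client is actually doing, here is an added example (my own code, not from anyone in this thread): it starts a throwaway IPv4-only listener in place of vsftpd, then connects to "localhost" the way the ftp client does, walking the getaddrinfo() results in order and recording the outcome of each attempt. On a dual-stack host the log reads "::1 refused, 127.0.0.1 connected", which is exactly the pair of lines jonathonp saw. The listener and its port are constructed for the demo. If you want vsftpd itself to answer on ::1, its listen_ipv6=YES option does that; per the vsftpd.conf man page it is mutually exclusive with listen=YES in a single instance, so IPv4 and IPv6 need two instances.

```python
"""Added example (not from the thread): why `ftp localhost` reports
"Trying ::1 ... Connection refused" before connecting to 127.0.0.1.

getaddrinfo() returns every address "localhost" maps to; on a dual-stack host
::1 is listed before 127.0.0.1, and the client tries them in order. A daemon
bound only to IPv4 (vsftpd with listen=YES and no listen_ipv6=YES) refuses the
first attempt and accepts the second. The IPv4-only listener below is a
stand-in constructed for the demo.
"""
import errno
import socket


def start_ipv4_listener():
    """Bind a listening socket on 127.0.0.1 only, like a daemon with listen=YES."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    srv.listen(1)
    return srv


def try_each_address(host, port, timeout=2.0):
    """Connect the way a dual-stack client does: walk getaddrinfo() in order.

    Returns a list of (ip, outcome); outcome is "connected", "refused"
    (the host answered but nothing listens there, the ::1 case),
    "unreachable" (no route/address, or timeout), or "unsupported"
    (this host has no IPv6 stack). Stops at the first success.
    """
    attempts = []
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        ip = sockaddr[0]
        try:
            s = socket.socket(family, socktype, proto)
        except OSError:
            attempts.append((ip, "unsupported"))
            continue
        try:
            s.settimeout(timeout)
            s.connect(sockaddr)
        except OSError as e:
            attempts.append((ip, "refused" if e.errno == errno.ECONNREFUSED else "unreachable"))
            continue
        finally:
            s.close()
        attempts.append((ip, "connected"))
        break
    return attempts


def demo():
    """Run the client against the IPv4-only stand-in and return the attempt log."""
    srv = start_ipv4_listener()
    try:
        return try_each_address("localhost", srv.getsockname()[1])
    finally:
        srv.close()


if __name__ == "__main__":
    for ip, outcome in demo():
        print("Trying %s... %s" % (ip, outcome))
```

Run it as a script; on a host whose resolver lists ::1 first you get two lines, on an IPv4-only resolver just one. The refusal is not an error in the client: it is the kernel telling you no socket is bound to that address and port, which is the same thing a port scanner sees for a closed port.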
#11 jonathonp, 2nd January 2010, 08:29 AM
One thing I am concerned about is creating a username and making it available for FTP access when my fstab file has all data partitions mounted at boot.

Example:
Code:
/dev/sda2       /media/Data     ntfs-3g    defaults,umask=000 0 0
As far as I remember I can't set file permissions on the NTFS format, so I'm not sure whether to have a partition allocated for file sharing that is formatted in ext3 or ext4, or just leave it in ntfs-3g.

Can a Windows user using an FTP client read a Linux format?

I noticed in "System > Administration > FTP Administration > Users > Specify the directory vsftpd changes to after a local user logs in"

that this option wasn't listed in the default /etc/vsftpd/vsftpd.conf when I printed it out and studied it. Hopefully I will find its location sometime soon.

Does a user name (for FTP public access only) with the /sbin/nologin option provide a more secure approach?
#12 macemoneta, 2nd January 2010, 08:39 AM
If you are interested in security, allowing access to home directories and using an FTP server are very bad ideas. A machine used for Internet-accessible FTP should not be used for anything else, and it should be firewalled from the rest of the inside network. Any content on the FTP machine should be considered disposable.
#13 domg472 (SELinux Contributor), 2nd January 2010, 09:44 AM
You need setools-libs-python.

Can you show me the actual AVC denial? The information you provided is not sufficient for me to give advice.

Also please note that the advice given above is not good advice in my view. Blindly running "audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te" is a bad idea. You must be aware of exactly what you allow and why.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

#14 jonathonp, 2nd January 2010, 12:20 PM
Hi domg,

This is my log list from the 'FTP Administration' log relating to vsftpd:

Code:
Dec 30 23:03:56 localhost yum: Installed: vsftpd-2.2.0-6.fc12.x86_64
Dec 30 23:03:57 localhost yum: Installed: system-config-vsftpd-0.5.1-5.fc12.noarch
Dec 30 23:42:36 localhost python: abrt: Pyhook: Detected unhandled exception in /usr/share/system-config-vsftpd/main.py 
Jan  2 02:24:44 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:26:26 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:27:42 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:31:41 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:32:24 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:33:53 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:35:03 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:35:52 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:36:14 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:46:24 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:46:42 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:47:02 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:55:12 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:55:20 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f
Jan  2 02:55:29 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "read" access on share. For complete SELinux messages. run sealert -l 1c12686a-425e-4cab-94d3-df44073c1cdb
Jan  2 02:58:02 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "getattr" access on /media/Data/share/photos.zip. For complete SELinux messages. run sealert -l 540f6108-6384-471a-bb46-be5deb91cb50
Jan  2 11:36:28 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 11:36:45 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f
Jan  2 11:36:45 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 15:56:35 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 15:56:40 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f

Code:
Summary:

SELinux is preventing /usr/sbin/vsftpd "net_raw" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by vsftpd. It is not expected that this access
is required by vsftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          explore
Source RPM Packages           vsftpd-2.2.0-6.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     explore
Platform                      Linux explore 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                              Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   16
First Seen                    Sat 02 Jan 2010 02:24:42 AM EST
Last Seen                     Sat 02 Jan 2010 03:56:33 PM EST
Local ID                      cc6997eb-f522-4966-b467-603301a2a269
Line Numbers                  

Raw Audit Messages            

node=explore type=AVC msg=audit(1262408193.384:37424): avc:  denied  { net_raw } for  pid=2648 comm="vsftpd" capability=13 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

node=explore type=SYSCALL msg=audit(1262408193.384:37424): arch=c000003e syscall=56 success=yes exit=2 a0=40000011 a1=0 a2=7f6f5098984e a3=0 items=0 ppid=0 pid=2648 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Code:
Summary:

SELinux is preventing /usr/sbin/vsftpd "getattr" access on
/media/Data/share/photos.zip

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by vsftpd. The current boolean settings do not
allow this access. If you have not setup vsftpd to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_ftpd_full_access,
ftp_home_dir

Fix Command:

Choose one of the following to allow access:
Allow ftp servers to login to local users and read/write all files on the
system, governed by DAC.
# setsebool -P allow_ftpd_full_access 1
Allow ftp to read and write files in the user home directories
# setsebool -P ftp_home_dir 1


Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /media/Data/share/photos.zip
                               [ file ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          explore
Source RPM Packages           vsftpd-2.2.0-6.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-59.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     explore
Platform                      Linux explore 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                              Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 02 Jan 2010 02:58:00 AM EST
Last Seen                     Sat 02 Jan 2010 02:58:00 AM EST
Local ID                      540f6108-6384-471a-bb46-be5deb91cb50
Line Numbers                  

Raw Audit Messages            

node=explore type=AVC msg=audit(1262361480.384:193): avc:  denied  { getattr } for  pid=6140 comm="vsftpd" path="/media/Data/share/photos.zip" dev=sda4 ino=19590 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

node=explore type=SYSCALL msg=audit(1262361480.384:193): arch=c000003e syscall=6 success=yes exit=0 a0=7f11253fefe0 a1=7f11253ff020 a2=7f11253ff020 a3=7fff1ab86bb0 items=0 ppid=1 pid=6140 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
Code:
[root@explore jonathon]# yum install setools-libs-python
Loaded plugins: downloadonly, presto, refresh-packagekit
Setting up Install Process
Package setools-libs-python-3.3.6-4.fc12.x86_64 already installed and latest version
Not sure exactly what info you need. Just let me know and I will post it.
#15 domg472 (SELinux Contributor), 2nd January 2010, 01:05 PM
I am not sure why it needs the net_raw capability but a bug report for this is already submitted:

https://bugzilla.redhat.com/show_bug.cgi?id=547339
https://bugzilla.redhat.com/show_bug.cgi?id=550657

Description of net_raw capability:
Code:
CAP_NET_RAW
	Allow use of RAW sockets;
	Allow use of PACKET sockets.
As for the dac_override:
Code:
CAP_DAC_OVERRIDE
	Override all DAC access, including ACL execute access 
	if [_POSIX_ACL] is defined. 
	Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
This is probably related to you using FTP home dirs. It looks like vsftpd needs to override some traditional Linux security settings.

Make sure that you have configured vsftpd properly. If you are positive that vsftpd needs this access, then consider a bug report.

To temporarily allow these capabilities to the ftpd_t domain:
Code:
echo "policy_module(myftpd, 1.0.0)" > myftpd.te;
echo "optional_policy(\`" >> myftpd.te;
echo "gen_require(\`" >> myftpd.te;
echo "type ftpd_t;" >> myftpd.te;
echo "')" >> myftpd.te;
echo "allow ftpd_t self:capability { dac_override net_raw };" >> myftpd.te;
echo "')" >> myftpd.te;
make -f /usr/share/selinux/devel/Makefile myftpd.pp
sudo semodule -i myftpd.pp
To undo:
Code:
sudo semodule -r myftpd
Again, make sure that vsftpd is configured properly and that your traditional security settings are configured correctly (chown/chmod/setfacl)
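To make domg472's "know exactly what you allow" point concrete, and to show what the audit2allow step in post #2 is doing under the hood, here is an added example (my own code; it is neither audit2allow's implementation nor anything posted in this thread). It parses raw AVC records like the two jonathonp pasted, merges them into allow rules the way audit2allow does, and then refuses to emit a module until every high-risk permission such as net_raw or dac_override has been explicitly acknowledged by whoever runs it. The HIGH_RISK table is my own selection for the example. The emitted .te uses the policy_module/gen_require form that builds with /usr/share/selinux/devel/Makefile as in the post above; the checkmodule path in post #2 expects the older module/require syntax instead. Note also that for the fusefs_t denial the sealert output already names the right fix (a boolean such as ftp_home_dir), and the generator emits a hand rule for it only to show what audit2allow would have added silently.

```python
"""Added example (not from the thread, and not audit2allow's own code): draft a
reviewable local policy module from raw AVC denials.

It does by hand what audit2allow does (parse AVC records, merge them into
allow rules) but refuses to emit a module until every high-risk permission has
been explicitly acknowledged, so nothing like net_raw slips in unread. The two
AVC lines are copied from the sealert output posted in this thread; the
HIGH_RISK table is my own selection for the example.
"""
import re
from collections import defaultdict

# AVC records as printed by setroubleshoot/auditd (copied from the thread).
SAMPLE_AVCS = """\
node=explore type=AVC msg=audit(1262408193.384:37424): avc:  denied  { net_raw } for  pid=2648 comm="vsftpd" capability=13 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
node=explore type=AVC msg=audit(1262361480.384:193): avc:  denied  { getattr } for  pid=6140 comm="vsftpd" path="/media/Data/share/photos.zip" dev=sda4 ino=19590 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (class, permission) pairs that widen a domain far beyond one file or socket.
# Never grant these from an audit log without knowing why the daemon asked.
# This list is an assumption for the example, not an exhaustive policy.
HIGH_RISK = {
    ("capability", "net_raw"),       # raw/packet sockets: sniffing, spoofing
    ("capability", "dac_override"),  # bypass every file permission bit
    ("capability", "sys_admin"),
    ("capability", "setuid"),
    ("capability", "sys_module"),
}


def type_of(context):
    """'unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023' -> 'ftpd_t'"""
    return context.split(":")[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def review(rules):
    """Every (source_type, tclass, perm) a human must confirm before it is granted."""
    flagged = []
    for (src, _tgt, tclass), perms in rules.items():
        for perm in sorted(perms):
            if (tclass, perm) in HIGH_RISK:
                flagged.append((src, tclass, perm))
    return flagged


def to_te(rules, module="local001", acknowledged=frozenset()):
    """Render a .te module; raise unless all high-risk entries were acknowledged.

    Output uses the policy_module/gen_require form that builds with
    /usr/share/selinux/devel/Makefile (refpolicy style).
    """
    unacked = [f for f in review(rules) if f not in acknowledged]
    if unacked:
        raise ValueError("unacknowledged high-risk permissions: %r" % unacked)
    types = sorted({t for key in rules for t in key[:2]})
    lines = ["policy_module(%s, 1.0.0)" % module, "", "gen_require(`"]
    lines += ["    type %s;" % t for t in types]
    lines += ["')", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        lines.append("allow %s %s:%s { %s };" % (src, target, tclass, " ".join(sorted(perms))))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    for item in review(rules):
        print("REVIEW: %s needs %s:%s -- confirm before granting" % item)
    # Only after reading the list above would an admin pass it as acknowledged:
    print(to_te(rules, acknowledged=set(review(rules))))
```

Feed it the AVC lines from ausearch or /var/log/audit/audit.log instead of SAMPLE_AVCS; the review list is the part to read, since a capability granted to ftpd_t applies to every connection the daemon handles, not just the one that triggered the audit. Build and load the result with the same make / semodule -i sequence domg472 gives above, and remove it with semodule -r when the real cause is understood.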