SELinux is preventing /usr/sbin/vsftpd "net_raw" access

salex · #1 31st December 2009, 08:59 PM

Hi Friends,
I receive the message "SELinux is preventing /usr/sbin/vsftpd "net_raw" access" many times. Found this bug at redhat but really do not understand what i should do about it ((( Kindly let me know how to change this to normal. Shut down Selinux is not the way out. Thank you very much.

macemoneta · #2 31st December 2009, 11:01 PM

You'll need to create a local policy to allow the access. First, make sure you have the necessary packages installed (all the following as root):

Code:

yum install selinux-policy-targeted policycoreutils libselinux selinux-policy libselinux-python libselinux-devel policycoreutils-python libselinux policycoreutils-gui libselinux-utils policycoreutils-sandbox checkpolicy

Then, reload policy to get a clean start for audit2allow, and set permissive mode to collect all required authorizations:

Code:

semodule -R
setenforce 0

Now recreate the situation that causes the audit (stop/start vsftpd, transfer files, etc.). Once the audits have appeared, create a local policy using audit2allow:

Code:

mkdir /etc/local-selinux-policy
audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te

You can examine the policy created (/etc/local-selinux-policy/local001.te), and then load it with:

Code:

cd /etc/local-selinux-policy/
checkmodule -M -m -o local001.mod local001.te
semodule_package -o local001.pp -m local001.mod
semodule -i local001.pp

Finally, you can re-enable enforcing mode:

Code:

setenforce 1

You can repeat this process (incrementing the file name: local002, local003, etc.) for future authorizations that you need to make.

jonathonp · #3 2nd January 2010, 12:40 AM

I'm using fedora 12 x86_64 and i am receiving the same error when i login to vsftpd to test the connection. How do i fix this:

Code:

SELinux is preventing /usr/sbin/vsftpd "net_raw" access.

Code:

 audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 24, in <module>
    import sepolgen.policygen as policygen
  File "/usr/lib64/python2.6/site-packages/sepolgen/policygen.py", line 33, in <module>
    from setools import *
ImportError: No module named setools

Code:

Package setools-3.3.6-4.fc12.x86_64 already installed and latest version

Bug is here https://bugzilla.redhat.com/show_bug.cgi?id=550657

macemoneta · #4 2nd January 2010, 12:58 AM

You'll need to update to the testing version of the tools, as it looks like they broke the policy generation tools in the last push:

Code:

yum --enablerepo=updates-testing install selinux-policy-targeted policycoreutils libselinux selinux-policy libselinux-python libselinux-devel policycoreutils-python libselinux policycoreutils-gui libselinux-utils policycoreutils-sandbox checkpolicy

jonathonp · #5 2nd January 2010, 03:28 AM

Hi macemoneta. Unfortunately it's still broken after updating.

macemoneta · #6 2nd January 2010, 03:52 AM

I have policycoreutils-python-2.0.78-6.fc12.x86_64 (which includes audit2allow). What version are you using? If you need a different version, you can get it from koji, the Fedora build system.

---------- Post added at 10:52 PM CST ---------- Previous post was at 10:47 PM CST ----------

I think I found the problem you're having.

jonathonp · #7 2nd January 2010, 05:53 AM

Hi macemoneta. This is what i have done so far:

i downloaded policycoreutils-python-2.0.78-6.fc12.x86_64 and dependencies from the koji website.
Next i created a local repository to install them:

Code:

gedit /etc/yum.repos.d/koji.repo

Code:

[koji]
name=Fedora 12 - x86_64 - Just Born
baseurl=file:///path-to-local-repo-koji
enabled=1
gpgcheck=0

Code:

yum install policycoreutils-python-2.0.78-6.fc12.x86_64

Example:

Code:

Dependency Installed:
  setools-libs-python.x86_64 0:3.3.6-4.fc12                                     
Updated:
  policycoreutils-python.x86_64 0:2.0.78-6.fc12                                 
Dependency Updated:
  policycoreutils.x86_64 0:2.0.78-6.fc12                                        
  policycoreutils-gui.x86_64 0:2.0.78-6.fc12                                    
  policycoreutils-sandbox.x86_64 0:2.0.78-6.fc12

Then i followed u initial instructions:

Code:

[root@explore jonathon]# semodule -R
[root@explore jonathon]# setenforce 0
[root@explore jonathon]# mkdir /etc/local-selinux-policy
[root@explore local-selinux-policy]# audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
[root@explore local-selinux-policy]# cd /etc/local-selinux-policy/
[root@explore local-selinux-policy]# checkmodule -M -m -o local001.mod local001.te
checkmodule:  loading policy configuration from local001.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 10) to local001.mod
[root@explore local-selinux-policy]# semodule_package -o local001.pp -m local001.mod
[root@explore local-selinux-policy]# semodule -i local001.pp
[root@explore local-selinux-policy]# setenforce 1

When i start VSFTP with selinux enabled i get the following:

Code:

[jonathon@explore ~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.0)
Name (localhost:jonathon): jonathon
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/jonathon
Login failed.
ftp>

If i disable selinux i get:

Code:

[jonathon@explore ~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.0)
Name (localhost:jonathon): jonathon
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

After all my research into ftp clients and servers I'm still new with ftp and the 'Very Secure FTP Daemon' and getting things set-up.

I no longer receive any selinux errors so i guess that is progress. Maybe the policy needs to be refined?

macemoneta · #8 2nd January 2010, 06:02 AM

Did you run that same sequence before creating the policy with audit2allow? If not, you need to create a second local policy. If so, then you probably need to allow ftp access to home directories (as root):

Code:

setsebool -P ftp_home_dir on

You can see the available booleans for selinux with:

Code:

getsebool -a | less

jonathonp · #9 2nd January 2010, 07:43 AM

Did the trick:

Code:

[root@explore jonathon]# setsebool -P ftp_home_dir on
[root@explore jonathon]# setenforce 1

Code:

[jonathon@explore ~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.0)
Name (localhost:jonathon): jonathon
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Code:

getsebool -a | less

is very helpful info with regard to selinux.

What does this

Code:

Trying ::1...
ftp: connect to address ::1Connection refused

exactly mean?

Thanks for u help.

macemoneta · #10 2nd January 2010, 08:06 AM

The loopback address on an IPv6 network is 0:0:0:0:0:0:0:1 which is abbreviated as ::1.

So the message is saying it tried the ipv6 loopback address of localhost, then the ipv4 loopback address of localhost.

---------- Post added at 03:06 AM CST ---------- Previous post was at 02:53 AM CST ----------

By the way, Fedora has pretty good selinux documentation if you are going to be using and administering it: here.

jonathonp · #11 2nd January 2010, 08:29 AM

One thing i am concerned about is creating a username and making it available for ftp access when my fstab file allows all data partitions to start on boot.

Example:

Code:

/dev/sda2       /media/Data     ntfs-3g    defaults.umask=000 0 0

As far as i remember I can't create file permissions with the ntfs format so i'm not sure about whether to have a partition that is allocated for file sharing that is formatted in ext3 or 4 or just leave it in ntfs-3g.

Can a windows user using a ftp client read linux format?

I noticed in "System.Administration>Ftp Administration>Users>Specify the directory vsftpd changes to after a local user logs in"

that this option wasn't listed in the default /etc/vsftpd/vsftpd.conf when i printed it out and studied it. Hopefully i will find its location sometime soon.

Does a user name (for ftp public access only) with the /sbin/nolgin option provide a more secure approach?

macemoneta · #12 2nd January 2010, 08:39 AM

If you are interested in security, allowing access to home directories and using an ftp server are very bad ideas. A machine used for Internet access ftp should not be used for anything else, and it should be firewalled from the rest of the inside network. Any content on the ftp machine should be considered disposable.

domg472 · #13 2nd January 2010, 09:44 AM

You need setools-libs-python

Can you show me the actual AVC denial? The information you provided is not sufficient for me to give advise.

Also please note that the advise given above is not good advise in my view. Blindly running: audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te is a bad idea. You must be aware what exactly you allow and why.

jonathonp · #14 2nd January 2010, 12:20 PM

Hi domg,

This is my loglist from the 'FTP Administration' log relating to vsftpf:

Code:

Dec 30 23:03:56 localhost yum: Installed: vsftpd-2.2.0-6.fc12.x86_64
Dec 30 23:03:57 localhost yum: Installed: system-config-vsftpd-0.5.1-5.fc12.noarch
Dec 30 23:42:36 localhost python: abrt: Pyhook: Detected unhandled exception in /usr/share/system-config-vsftpd/main.py 
Jan  2 02:24:44 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:26:26 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:27:42 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:31:41 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:32:24 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:33:53 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:35:03 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:35:52 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:36:14 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:46:24 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:46:42 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:47:02 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:55:12 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 02:55:20 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f
Jan  2 02:55:29 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "read" access on share. For complete SELinux messages. run sealert -l 1c12686a-425e-4cab-94d3-df44073c1cdb
Jan  2 02:58:02 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "getattr" access on /media/Data/share/photos.zip. For complete SELinux messages. run sealert -l 540f6108-6384-471a-bb46-be5deb91cb50
Jan  2 11:36:28 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 11:36:45 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f
Jan  2 11:36:45 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 15:56:35 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
Jan  2 15:56:40 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f

Code:

Summary:

SELinux is preventing /usr/sbin/vsftpd "net_raw" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by vsftpd. It is not expected that this access
is required by vsftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          explore
Source RPM Packages           vsftpd-2.2.0-6.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     explore
Platform                      Linux explore 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                              Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   16
First Seen                    Sat 02 Jan 2010 02:24:42 AM EST
Last Seen                     Sat 02 Jan 2010 03:56:33 PM EST
Local ID                      cc6997eb-f522-4966-b467-603301a2a269
Line Numbers                  

Raw Audit Messages            

node=explore type=AVC msg=audit(1262408193.384:37424): avc:  denied  { net_raw } for  pid=2648 comm="vsftpd" capability=13 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

node=explore type=SYSCALL msg=audit(1262408193.384:37424): arch=c000003e syscall=56 success=yes exit=2 a0=40000011 a1=0 a2=7f6f5098984e a3=0 items=0 ppid=0 pid=2648 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Code:

Summary:

SELinux is preventing /usr/sbin/vsftpd "getattr" access on
/media/Data/share/photos.zip

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by vsftpd. The current boolean settings do not
allow this access. If you have not setup vsftpd to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_ftpd_full_access,
ftp_home_dir

Fix Command:

Choose one of the following to allow access:
Allow ftp servers to login to local users and read/write all files on the
system, governed by DAC.
# setsebool -P allow_ftpd_full_access 1
Allow ftp to read and write files in the user home directories
# setsebool -P ftp_home_dir 1


Additional Information:

Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /media/Data/share/photos.zip
                               [ file ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          <Unknown>
Host                          explore
Source RPM Packages           vsftpd-2.2.0-6.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-59.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     explore
Platform                      Linux explore 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                              Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 02 Jan 2010 02:58:00 AM EST
Last Seen                     Sat 02 Jan 2010 02:58:00 AM EST
Local ID                      540f6108-6384-471a-bb46-be5deb91cb50
Line Numbers                  

Raw Audit Messages            

node=explore type=AVC msg=audit(1262361480.384:193): avc:  denied  { getattr } for  pid=6140 comm="vsftpd" path="/media/Data/share/photos.zip" dev=sda4 ino=19590 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

node=explore type=SYSCALL msg=audit(1262361480.384:193): arch=c000003e syscall=6 success=yes exit=0 a0=7f11253fefe0 a1=7f11253ff020 a2=7f11253ff020 a3=7fff1ab86bb0 items=0 ppid=1 pid=6140 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Code:

[root@explore jonathon]# yum install setools-libs-python
Loaded plugins: downloadonly, presto, refresh-packagekit
Setting up Install Process
Package setools-libs-python-3.3.6-4.fc12.x86_64 already installed and latest version

Not sure exactly what info you need. Just let me know and i will post it.

domg472 · #15 2nd January 2010, 01:05 PM

I am not sure why it needs the net_raw capability but a bug report for this is already submitted:

https://bugzilla.redhat.com/show_bug.cgi?id=547339
https://bugzilla.redhat.com/show_bug.cgi?id=550657

Description of net_raw capability:

Code:

CAP_NET_RAW
	Allow use of RAW sockets;
	Allow use of PACKET sockets.

As for the dac_override:

Code:

CAP_DAC_OVERRIDE
	Override all DAC access, including ACL execute access 
	if [_POSIX_ACL] is defined. 
	Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

This is probably related to you using ftpd home dirs. Looks like vsftpd needs to override some traditional Linux security settings.

Make sure that you have configured vsftpd properly. If you are positive that vsftpd needs this access then consider a bug report.

To temporarily allow these capabilities to ftpd_t domain:

Code:

echo "policy_module(myftpd, 1.0.0)" > myftpd.te;
echo "optional_policy(\`" >> myftpd.te;
echo "gen_require(\`" >> myftpd.te;
echo "type ftpd_t;" >> myftpd.te;
echo "')" >> myftpd.te;
echo "allow ftpd_t self:capability { dac_override net_raw };" >> myftpd.te;
echo "')" >> myftpd.te;
make -f /usr/share/selinux/devel/Makefile myftpd.pp
sudo semodule -i myftpd.pp

To undo:

Code:

sudo semodule -r myftpd

Again, make sure that vsftpd is configured properly and that your traditional security settings are configured correctly (chown/chmod/setfacl)