SELinux is preventing /usr/sbin/vsftpd "net_raw" access
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    SELinux is preventing /usr/sbin/vsftpd "net_raw" access

    Hi Friends,
    I receive the message "SELinux is preventing /usr/sbin/vsftpd "net_raw" access" many times. I found this bug at Red Hat but really do not understand what I should do about it. Kindly let me know how to change this back to normal. Shutting down SELinux is not the way out. Thank you very much.

  2. #2
    You'll need to create a local policy to allow the access. First, make sure you have the necessary packages installed (all the following as root):

    Code:
    yum install selinux-policy-targeted policycoreutils libselinux selinux-policy libselinux-python libselinux-devel policycoreutils-python libselinux policycoreutils-gui libselinux-utils policycoreutils-sandbox checkpolicy
    Then, reload policy to get a clean start for audit2allow, and set permissive mode to collect all required authorizations:

    Code:
    semodule -R
    setenforce 0
    Now recreate the situation that causes the audit (stop/start vsftpd, transfer files, etc.). Once the audits have appeared, create a local policy using audit2allow:

    Code:
    mkdir /etc/local-selinux-policy
    audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
    You can examine the policy created (/etc/local-selinux-policy/local001.te), and then load it with:

    Code:
    cd /etc/local-selinux-policy/
    checkmodule -M -m -o local001.mod local001.te
    semodule_package -o local001.pp -m local001.mod
    semodule -i local001.pp
    Finally, you can re-enable enforcing mode:

    Code:
    setenforce 1
    You can repeat this process (incrementing the file name: local002, local003, etc.) for future authorizations that you need to make.
    Last edited by macemoneta; 1st January 2010 at 12:03 AM.

  3. #3
    I'm using Fedora 12 x86_64 and I am receiving the same error when I log in to vsftpd to test the connection. How do I fix this:

    Code:
    SELinux is preventing /usr/sbin/vsftpd "net_raw" access.

    Code:
     audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
    Traceback (most recent call last):
      File "/usr/bin/audit2allow", line 24, in <module>
        import sepolgen.policygen as policygen
      File "/usr/lib64/python2.6/site-packages/sepolgen/policygen.py", line 33, in <module>
        from setools import *
    ImportError: No module named setools
    Code:
    Package setools-3.3.6-4.fc12.x86_64 already installed and latest version
    Bug is here https://bugzilla.redhat.com/show_bug.cgi?id=550657
    Last edited by jonathonp; 2nd January 2010 at 02:21 AM.
    PC CPU 3.60 Gigahertz Intel Core i7-4790, Motherboard Gigabyte H97M-D3H RAM: 32GB: Fedora 28 MATE x64, KDE Neon, UbuntuMate
    Asus Zenbook UX305CA: Fedora 28 Mate

  4. #4
    You'll need to update to the testing version of the tools, as it looks like they broke the policy generation tools in the last push:

    Code:
    yum --enablerepo=updates-testing install selinux-policy-targeted policycoreutils libselinux selinux-policy libselinux-python libselinux-devel policycoreutils-python libselinux policycoreutils-gui libselinux-utils policycoreutils-sandbox checkpolicy

  5. #5
    Hi macemoneta. Unfortunately it's still broken after updating.

  6. #6
    I have policycoreutils-python-2.0.78-6.fc12.x86_64 (which includes audit2allow). What version are you using? If you need a different version, you can get it from koji, the Fedora build system.

    I think I found the problem you're having.

  7. #7
    Hi macemoneta. This is what I have done so far:

    I downloaded policycoreutils-python-2.0.78-6.fc12.x86_64 and its dependencies from the koji website.
    Next I created a local repository to install them:
    Code:
    gedit /etc/yum.repos.d/koji.repo
    Code:
    [koji]
    name=Fedora 12 - x86_64 - Just Born
    baseurl=file:///path-to-local-repo-koji
    enabled=1
    gpgcheck=0
    Code:
    yum install policycoreutils-python-2.0.78-6.fc12.x86_64
    Example:
    Code:
    Dependency Installed:
      setools-libs-python.x86_64 0:3.3.6-4.fc12                                     
    Updated:
      policycoreutils-python.x86_64 0:2.0.78-6.fc12                                 
    Dependency Updated:
      policycoreutils.x86_64 0:2.0.78-6.fc12                                        
      policycoreutils-gui.x86_64 0:2.0.78-6.fc12                                    
      policycoreutils-sandbox.x86_64 0:2.0.78-6.fc12
    Then I followed your initial instructions:
    Code:
    [root@explore jonathon]# semodule -R
    [root@explore jonathon]# setenforce 0
    [root@explore jonathon]# mkdir /etc/local-selinux-policy
    [root@explore local-selinux-policy]# audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te
    [root@explore local-selinux-policy]# cd /etc/local-selinux-policy/
    [root@explore local-selinux-policy]# checkmodule -M -m -o local001.mod local001.te
    checkmodule:  loading policy configuration from local001.te
    checkmodule:  policy configuration loaded
    checkmodule:  writing binary representation (version 10) to local001.mod
    [root@explore local-selinux-policy]# semodule_package -o local001.pp -m local001.mod
    [root@explore local-selinux-policy]# semodule -i local001.pp
    [root@explore local-selinux-policy]# setenforce 1
    When I start vsftpd with SELinux enabled I get the following:
    Code:
    [jonathon@explore ~]$ ftp localhost
    Trying ::1...
    ftp: connect to address ::1Connection refused
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.2.0)
    Name (localhost:jonathon): jonathon
    331 Please specify the password.
    Password:
    500 OOPS: cannot change directory:/home/jonathon
    Login failed.
    ftp>
    If I disable SELinux I get:
    Code:
    [jonathon@explore ~]$ ftp localhost
    Trying ::1...
    ftp: connect to address ::1Connection refused
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.2.0)
    Name (localhost:jonathon): jonathon
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
    After all my research into ftp clients and servers I'm still new with ftp and the 'Very Secure FTP Daemon' and getting things set-up.

    I no longer receive any SELinux errors, so I guess that is progress. Maybe the policy needs to be refined?
    Last edited by jonathonp; 2nd January 2010 at 06:57 AM.

  8. #8
    Did you run that same sequence before creating the policy with audit2allow? If not, you need to create a second local policy. If so, then you probably need to allow ftp access to home directories (as root):

    Code:
    setsebool -P ftp_home_dir on
    You can see the available booleans for selinux with:

    Code:
    getsebool -a | less

  9. #9
    Did the trick:

    Code:
    [root@explore jonathon]# setsebool -P ftp_home_dir on
    [root@explore jonathon]# setenforce 1
    Code:
    [jonathon@explore ~]$ ftp localhost
    Trying ::1...
    ftp: connect to address ::1Connection refused
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.2.0)
    Name (localhost:jonathon): jonathon
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
    Code:
    getsebool -a | less
    is very helpful info with regard to SELinux.

    What does this

    Code:
    Trying ::1...
    ftp: connect to address ::1Connection refused
    exactly mean?

    Thanks for your help.
    Last edited by jonathonp; 2nd January 2010 at 08:45 AM.

  10. #10
    The loopback address on an IPv6 network is 0:0:0:0:0:0:0:1 which is abbreviated as ::1.

    So the message is saying it tried the IPv6 loopback address of localhost, then the IPv4 loopback address of localhost.

    By the way, Fedora has pretty good SELinux documentation if you are going to be using and administering it: here.

  11. #11
    One thing I am concerned about is creating a username and making it available for ftp access when my fstab file allows all data partitions to start on boot.

    Example:
    Code:
    /dev/sda2       /media/Data     ntfs-3g    defaults,umask=000 0 0
    As far as I remember I can't create file permissions with the NTFS format, so I'm not sure whether to have a partition that is allocated for file sharing and formatted in ext3 or ext4, or just leave it in ntfs-3g.

    Can a Windows user using an ftp client read a Linux format?

    I noticed in "System.Administration>Ftp Administration>Users>Specify the directory vsftpd changes to after a local user logs in"

    that this option wasn't listed in the default /etc/vsftpd/vsftpd.conf when I printed it out and studied it. Hopefully I will find its location sometime soon.

    Does a user name (for ftp public access only) with the /sbin/nologin option provide a more secure approach?
    Last edited by jonathonp; 2nd January 2010 at 10:31 AM.

  12. #12
    If you are interested in security, allowing access to home directories and using an ftp server are very bad ideas. A machine used for Internet access ftp should not be used for anything else, and it should be firewalled from the rest of the inside network. Any content on the ftp machine should be considered disposable.

  13. #13
    You need setools-libs-python

    Can you show me the actual AVC denial? The information you provided is not sufficient for me to give advice.

    Also please note that the advice given above is not good advice in my view. Blindly running: audit2allow -l -a -m local001 > /etc/local-selinux-policy/local001.te is a bad idea. You must be aware what exactly you allow and why.
    Last edited by domg472; 2nd January 2010 at 10:47 AM.
    Come join us on #fedora-selinux on irc.freenode.org
    http://docs.fedoraproject.org/selinu...ide/f10/en-US/

  14. #14
    Hi domg,

    This is my log list from the 'FTP Administration' log relating to vsftpd:

    Code:
    Dec 30 23:03:56 localhost yum: Installed: vsftpd-2.2.0-6.fc12.x86_64
    Dec 30 23:03:57 localhost yum: Installed: system-config-vsftpd-0.5.1-5.fc12.noarch
    Dec 30 23:42:36 localhost python: abrt: Pyhook: Detected unhandled exception in /usr/share/system-config-vsftpd/main.py 
    Jan  2 02:24:44 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:26:26 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:27:42 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:31:41 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:32:24 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:33:53 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:35:03 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:35:52 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:36:14 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:46:24 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:46:42 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:47:02 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:55:12 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 02:55:20 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f
    Jan  2 02:55:29 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "read" access on share. For complete SELinux messages. run sealert -l 1c12686a-425e-4cab-94d3-df44073c1cdb
    Jan  2 02:58:02 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "getattr" access on /media/Data/share/photos.zip. For complete SELinux messages. run sealert -l 540f6108-6384-471a-bb46-be5deb91cb50
    Jan  2 11:36:28 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 11:36:45 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f
    Jan  2 11:36:45 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 15:56:35 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "net_raw" access. For complete SELinux messages. run sealert -l cc6997eb-f522-4966-b467-603301a2a269
    Jan  2 15:56:40 explore setroubleshoot: SELinux is preventing /usr/sbin/vsftpd "dac_override" access on <Unknown>. For complete SELinux messages. run sealert -l aad9588e-f14a-4654-8960-6b20d229249f

    Code:
    Summary:
    
    SELinux is preventing /usr/sbin/vsftpd "net_raw" access.
    
    Detailed Description:
    
    [SELinux is in permissive mode. This access was not denied.]
    
    SELinux denied access requested by vsftpd. It is not expected that this access
    is required by vsftpd and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application is
    causing it to require additional access.
    
    Allowing Access:
    
    You can generate a local policy module to allow this access - see FAQ
    (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
    report.
    
    Additional Information:
    
    Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
    Target Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
    Target Objects                None [ capability ]
    Source                        vsftpd
    Source Path                   /usr/sbin/vsftpd
    Port                          <Unknown>
    Host                          explore
    Source RPM Packages           vsftpd-2.2.0-6.fc12
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.6.32-63.fc12
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Plugin Name                   catchall
    Host Name                     explore
    Platform                      Linux explore 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                                  Dec 21 05:33:33 UTC 2009 x86_64 x86_64
    Alert Count                   16
    First Seen                    Sat 02 Jan 2010 02:24:42 AM EST
    Last Seen                     Sat 02 Jan 2010 03:56:33 PM EST
    Local ID                      cc6997eb-f522-4966-b467-603301a2a269
    Line Numbers                  
    
    Raw Audit Messages            
    
    node=explore type=AVC msg=audit(1262408193.384:37424): avc:  denied  { net_raw } for  pid=2648 comm="vsftpd" capability=13 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
    
    node=explore type=SYSCALL msg=audit(1262408193.384:37424): arch=c000003e syscall=56 success=yes exit=2 a0=40000011 a1=0 a2=7f6f5098984e a3=0 items=0 ppid=0 pid=2648 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

    Code:
    Summary:
    
    SELinux is preventing /usr/sbin/vsftpd "getattr" access on
    /media/Data/share/photos.zip
    
    Detailed Description:
    
    [SELinux is in permissive mode. This access was not denied.]
    
    SELinux denied access requested by vsftpd. The current boolean settings do not
    allow this access. If you have not setup vsftpd to require this access this may
    signal an intrusion attempt. If you do intend this access you need to change the
    booleans on this system to allow the access.
    
    Allowing Access:
    
    One of the following booleans is set incorrectly: allow_ftpd_full_access,
    ftp_home_dir
    
    Fix Command:
    
    Choose one of the following to allow access:
    Allow ftp servers to login to local users and read/write all files on the
    system, governed by DAC.
    # setsebool -P allow_ftpd_full_access 1
    Allow ftp to read and write files in the user home directories
    # setsebool -P ftp_home_dir 1
    
    
    Additional Information:
    
    Source Context                unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:fusefs_t:s0
    Target Objects                /media/Data/share/photos.zip
                                   [ file ]
    Source                        vsftpd
    Source Path                   /usr/sbin/vsftpd
    Port                          <Unknown>
    Host                          explore
    Source RPM Packages           vsftpd-2.2.0-6.fc12
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.6.32-59.fc12
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Plugin Name                   catchall_boolean
    Host Name                     explore
    Platform                      Linux explore 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                                  Dec 21 05:33:33 UTC 2009 x86_64 x86_64
    Alert Count                   1
    First Seen                    Sat 02 Jan 2010 02:58:00 AM EST
    Last Seen                     Sat 02 Jan 2010 02:58:00 AM EST
    Local ID                      540f6108-6384-471a-bb46-be5deb91cb50
    Line Numbers                  
    
    Raw Audit Messages            
    
    node=explore type=AVC msg=audit(1262361480.384:193): avc:  denied  { getattr } for  pid=6140 comm="vsftpd" path="/media/Data/share/photos.zip" dev=sda4 ino=19590 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
    
    node=explore type=SYSCALL msg=audit(1262361480.384:193): arch=c000003e syscall=6 success=yes exit=0 a0=7f11253fefe0 a1=7f11253ff020 a2=7f11253ff020 a3=7fff1ab86bb0 items=0 ppid=1 pid=6140 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
    Code:
    [root@explore jonathon]# yum install setools-libs-python
    Loaded plugins: downloadonly, presto, refresh-packagekit
    Setting up Install Process
    Package setools-libs-python-3.3.6-4.fc12.x86_64 already installed and latest version
    Not sure exactly what info you need. Just let me know and I will post it.
    Last edited by jonathonp; 2nd January 2010 at 02:05 PM.

  15. #15
    I am not sure why it needs the net_raw capability but a bug report for this is already submitted:

    https://bugzilla.redhat.com/show_bug.cgi?id=547339
    https://bugzilla.redhat.com/show_bug.cgi?id=550657

    Description of net_raw capability:
    Code:
    CAP_NET_RAW
    	Allow use of RAW sockets;
    	Allow use of PACKET sockets.
    As for the dac_override:
    Code:
    CAP_DAC_OVERRIDE
    	Override all DAC access, including ACL execute access 
    	if [_POSIX_ACL] is defined. 
    	Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
    This is probably related to your using ftpd home dirs. It looks like vsftpd needs to override some traditional Linux security settings.

    Make sure that you have configured vsftpd properly. If you are positive that vsftpd needs this access then consider a bug report.

    To temporarily allow these capabilities to the ftpd_t domain:
    Code:
    echo "policy_module(myftpd, 1.0.0)" > myftpd.te;
    echo "optional_policy(\`" >> myftpd.te;
    echo "gen_require(\`" >> myftpd.te;
    echo "type ftpd_t;" >> myftpd.te;
    echo "')" >> myftpd.te;
    echo "allow ftpd_t self:capability { dac_override net_raw };" >> myftpd.te;
    echo "')" >> myftpd.te;
    make -f /usr/share/selinux/devel/Makefile myftpd.pp
    sudo semodule -i myftpd.pp
    To undo:
    Code:
    sudo semodule -r myftpd
    Again, make sure that vsftpd is configured properly and that your traditional security settings are configured correctly (chown/chmod/setfacl).
    Last edited by domg472; 2nd January 2010 at 02:08 PM.
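As an added example (not code from any poster in this thread), the review step domg472 asks for before loading anything built from the audit log: a small Python parser for raw AVC records like the two quoted in post #14 that collapses them into the allow rules a module such as the one in post #15 (or the audit2allow output of post #2) would grant, and flags which of them deserve a bug report or a boolean instead of a custom rule. The sample input is constructed from the thread's AVC lines; the dac_override record and the review heuristics are my own assumptions.

```python
"""Summarize SELinux AVC denials so you know exactly what a module would allow."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the format of the raw audit messages quoted in the thread.
# The dac_override record is constructed (the thread only shows its setroubleshoot summary).
SAMPLE_AUDIT = """\
node=explore type=AVC msg=audit(1262408193.384:37424): avc:  denied  { net_raw } for  pid=2648 comm="vsftpd" capability=13 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
node=explore type=SYSCALL msg=audit(1262408193.384:37424): arch=c000003e syscall=56 success=yes exit=2 comm="vsftpd" exe="/usr/sbin/vsftpd"
node=explore type=AVC msg=audit(1262361480.384:193): avc:  denied  { getattr } for  pid=6140 comm="vsftpd" path="/media/Data/share/photos.zip" dev=sda4 ino=19590 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
node=explore type=AVC msg=audit(1262361481.000:194): avc:  denied  { dac_override } for  pid=6140 comm="vsftpd" capability=1 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
"""

# One AVC record: "avc: denied { perms } for <key=value ...> scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: set
    fields: dict = field(default_factory=dict)


def type_of(context: str) -> str:
    """user:role:type[:range] -> type, e.g. ...:ftpd_t:s0-s0:c0.c1023 -> ftpd_t."""
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Return one Denial per AVC record; SYSCALL and other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(Denial(type_of(m.group("scontext")), type_of(m.group("tcontext")),
                              m.group("tclass"), set(m.group("perms").split()), fields))
    return denials


def suggest_rules(denials: list) -> list:
    """Collapse denials into the allow rules a module would need (what audit2allow emits)."""
    merged = defaultdict(set)
    for d in denials:
        # A domain acting on its own context is written as "self" in policy language.
        target = "self" if d.target_type == d.source_type else d.target_type
        merged[(d.source_type, target, d.tclass)] |= d.perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def review_notes(denials: list) -> list:
    """Flag what should be questioned before any rule is loaded (heuristics are assumptions)."""
    notes = []
    for d in denials:
        if d.tclass == "capability":
            notes.append(f"{d.source_type} wants capability {{ {' '.join(sorted(d.perms))} }}: "
                         "a daemon rarely needs this; confirm (bug report) before allowing")
        elif d.target_type == "fusefs_t":
            notes.append(f"{d.source_type} -> {d.fields.get('path', '?')} on a FUSE mount: "
                         "a boolean (ftp_home_dir / allow_ftpd_full_access) may already cover this")
    return notes


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    print("\n".join(suggest_rules(found)))
    print("\n".join(review_notes(found)))
```

Feed it `ausearch -m avc` output (or /var/log/audit/audit.log) and compare the printed rules with the .te file before running checkmodule on it.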
