* vsftpd with SELinux
From: James R. Marcus @ 2004-07-13  1:49 UTC (permalink / raw)
  To: selinux

I just emerged vsftpd on my new Hardened Gentoo system running the
SELinux kernel.  I think I have configured it correctly but keep running
into this issue:

ftp> ope 10.1.5.12
Connected to 10.1.5.12.
220 (vsFTPd 1.2.2)
User (10.1.5.12:(none)): jmarcus
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
500 OOPS: capset
200 PORT command successful. Consider using PASV.
500 OOPS: vsf_sysutil_recv_peek
Connection closed by remote host.
ftp> quit

Here is my vsftpd config:
ftp init.d # cat /etc/vsftpd/vsftpd.conf | grep -v '#'

anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
nopriv_user=nobody
background=YES
listen=YES

Any help or pointers would be greatly appreciated.


Thanks,
James



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: vsftpd with SELinux
From: Russell Coker @ 2004-07-13  3:42 UTC (permalink / raw)
  To: James R. Marcus; +Cc: selinux

On Tue, 13 Jul 2004 11:49, "James R. Marcus" <jmarcus@mvalent.net> wrote:
> I just emerged vsftpd on my new Hardened Gentoo system running the
> SELinux kernel.  I think I have configured it correctly but keep running
> into this issue:

What AVC messages do you get in the kernel message log?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* RE: vsftpd with SELinux
From: James R. Marcus @ 2004-07-13  4:20 UTC (permalink / raw)
  To: russell; +Cc: selinux

That's kind of the problem: I tail the messages file and don't get an AVC
message.  I'll double check though.

James




* RE: vsftpd with SELinux
From: James R. Marcus @ 2004-07-13  4:24 UTC (permalink / raw)
  To: russell; +Cc: selinux

I feel kind of silly now but here are a bunch of AVC messages.

Thanks,
James
Jul  6 15:40:19 ftp rc-scripts: /etc/vsftpd/vsftpd.conf must contain
background=YES and listen=YES
Jul  6 15:40:19 ftp rc-scripts: in order to start vsftpd from
/etc/init.d/vsftpd
Jul  6 15:58:42 ftp xinetd[21671]: Reading included configuration file:
/etc/xinetd.d/vsftpd [file=/etc/xinetd.d/vsftpd] [line=14]
Jul  6 15:58:42 ftp avc:  denied  { execute } for  pid=21671
exe=/usr/sbin/xinetd name=vsftpd dev=hda3 ino=438973
scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:sbin_t
tclass=file
Jul  6 15:58:42 ftp avc:  denied  { getattr } for  pid=21671
exe=/usr/sbin/xinetd path=/usr/sbin/vsftpd dev=hda3 ino=438973
scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:sbin_t
tclass=file
Jul  6 16:03:18 ftp xinetd[26388]: Reading included configuration file:
/etc/xinetd.d/vsftpd [file=/etc/xinetd.d/vsftpd] [line=14]
Jul  6 16:06:34 ftp avc:  denied  { execute } for  pid=5544
exe=/usr/sbin/vsftpd name=unix_chkpwd dev=hda3 ino=501941
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:chkpwd_exec_t tclass=file
Jul  6 16:06:34 ftp avc:  denied  { execute_no_trans } for  pid=5544
exe=/usr/sbin/vsftpd path=/sbin/unix_chkpwd dev=hda3 ino=501941
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:chkpwd_exec_t tclass=file
Jul  6 16:06:34 ftp avc:  denied  { read } for  pid=5544
exe=/usr/sbin/vsftpd path=/sbin/unix_chkpwd dev=hda3 ino=501941
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:chkpwd_exec_t tclass=file
Jul  6 16:06:34 ftp avc:  denied  { ioctl } for  pid=27592
exe=/usr/sbin/vsftpd path=socket:[70844] dev= ino=70844
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket
Jul  6 16:06:34 ftp vsftpd(pam_unix)[27592]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=172.16.1.117
Jul  7 15:00:14 ftp avc:  denied  { read } for  pid=27338 exe=/bin/ls
name=vsftpd dev=hda3 ino=485153 scontext=root:staff_r:staff_t
tcontext=root:object_r:var_log_t tclass=dir
Jul  7 15:00:27 ftp avc:  denied  { read } for  pid=1561
exe=/usr/bin/tail name=vsftpd.log dev=hda3 ino=485176
scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_ksyms_t
tclass=file
Jul  8 06:07:01 ftp avc:  denied  { net_bind_service } for  pid=7965
exe=/usr/sbin/vsftpd capability=10 scontext=root:staff_r:staff_t
tcontext=root:staff_r:staff_t tclass=capability
Jul  8 06:30:19 ftp avc:  denied  { append } for  pid=1500
exe=/usr/sbin/vsftpd name=vsftpd.log dev=hda3 ino=485176
scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_ksyms_t
tclass=file
Jul  8 06:30:19 ftp avc:  denied  { sys_chroot } for  pid=6664
exe=/usr/sbin/vsftpd capability=18 scontext=root:staff_r:staff_t
tcontext=root:staff_r:staff_t tclass=capability
Jul  8 06:30:19 ftp avc:  denied  { setuid } for  pid=6664
exe=/usr/sbin/vsftpd capability=7 scontext=root:staff_r:staff_t
tcontext=root:staff_r:staff_t tclass=capability
Jul  8 06:30:19 ftp avc:  denied  { lock } for  pid=6664
exe=/usr/sbin/vsftpd path=/var/log/vsftpd/vsftpd.log dev=hda3 ino=485176
scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_ksyms_t
tclass=file




* Re: vsftpd with SELinux
From: Russell Coker @ 2004-07-13  7:35 UTC (permalink / raw)
  To: James R. Marcus; +Cc: selinux

On Tue, 13 Jul 2004 14:24, "James R. Marcus" <jmarcus@mvalent.net> wrote:
> Jul  6 15:58:42 ftp avc:  denied  { getattr } for  pid=21671
> exe=/usr/sbin/xinetd path=/usr/sbin/vsftpd dev=hda3 ino=438973
> scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:sbin_t
> tclass=file

It seems that /usr/sbin/vsftpd is mis-labelled on your system, it should have 
context system_u:object_r:ftpd_exec_t not system_u:object_r:sbin_t.





* Re: vsftpd with SELinux
From: Joshua Brindle @ 2004-07-13 15:02 UTC (permalink / raw)
  To: James R. Marcus; +Cc: selinux

Russell Coker wrote:
> On Tue, 13 Jul 2004 14:24, "James R. Marcus" <jmarcus@mvalent.net> wrote:
> 
>>Jul  6 15:58:42 ftp avc:  denied  { getattr } for  pid=21671
>>exe=/usr/sbin/xinetd path=/usr/sbin/vsftpd dev=hda3 ino=438973
>>scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:sbin_t
>>tclass=file
> 
> 
> It seems that /usr/sbin/vsftpd is mis-labelled on your system, it should have 
> context system_u:object_r:ftpd_exec_t not system_u:object_r:sbin_t.
> 

emerge selinux-ftpd
make -C /etc/security/selinux/src/policy/ reload
rlpkg vsftpd
/etc/init.d/vsftpd restart

and you should be all set
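Russell's diagnosis above (vsftpd never transitions into its own domain because the binary is labelled sbin_t instead of ftpd_exec_t) can be read straight off the AVC records James posted: every denial for exe=/usr/sbin/vsftpd has a scontext of initrc_t or staff_t, and the xinetd denial shows the file object itself typed sbin_t. The following is an added example, not code from the thread, that parses those log lines (copied from the thread, re-joined onto one line each) and flags both symptoms; the expected domain name ftpd_t is an assumption based on Russell naming ftpd_exec_t as the correct file type.

```python
import re
from collections import defaultdict

# AVC denial lines quoted from the thread above (kernel klog format of that era),
# re-joined onto single lines; the last line is a non-AVC line for contrast.
AVC_LOG = """\
Jul  6 15:58:42 ftp avc:  denied  { execute } for  pid=21671 exe=/usr/sbin/xinetd name=vsftpd dev=hda3 ino=438973 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul  6 16:06:34 ftp avc:  denied  { execute_no_trans } for  pid=5544 exe=/usr/sbin/vsftpd path=/sbin/unix_chkpwd dev=hda3 ino=501941 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
Jul  8 06:07:01 ftp avc:  denied  { net_bind_service } for  pid=7965 exe=/usr/sbin/vsftpd capability=10 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
Jul  8 06:30:19 ftp avc:  denied  { sys_chroot } for  pid=6664 exe=/usr/sbin/vsftpd capability=18 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
Jul  6 16:06:34 ftp vsftpd(pam_unix)[27592]: authentication failure; logname= uid=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")

# Assumed expected process domain per daemon: ftpd_exec_t is the entrypoint
# type Russell names, and ftpd_t is the domain it transitions into.
EXPECTED_DOMAIN = {"/usr/sbin/vsftpd": "ftpd_t"}

def parse_avc(line):
    """Return a dict of the AVC fields (perms as a list), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return rec

def type_of(context):
    """Third field of user:role:type is the type (domain for processes)."""
    return context.split(":")[2]

def find_wrong_domains(log):
    """Collect the domains each exe was running in when denied and report
    those that differ from the domain the daemon is expected to run in."""
    seen = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            seen[rec["exe"]].add(type_of(rec["scontext"]))
    return [(exe, expected, sorted(d for d in seen.get(exe, ()) if d != expected))
            for exe, expected in EXPECTED_DOMAIN.items()
            if any(d != expected for d in seen.get(exe, ()))]

def file_type_of(log, basename):
    """Type the kernel saw on a file object with this name in file-class
    denials; sbin_t here is the mislabelling Russell points out."""
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "file" and rec.get("name") == basename:
            return type_of(rec["tcontext"])
    return None
```

A denial whose scontext is initrc_t or staff_t for a daemon binary is the quickest sign that the domain transition never happened, which is why relabelling (Joshua's rlpkg step) rather than adding allow rules is the right fix.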


