
Bug 163479

Summary: Anonymous write access failing
Product: Fedora
Reporter: Gabriel Schulhof <gabrielschulhof>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 4
CC: rvokal
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-18 14:17:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Gabriel Schulhof 2005-07-18 04:32:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
# ls -lZd /var/ftp /var/ftp/*
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/FC3-PPC
drwxrwxrwt  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/incoming
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/RH8.0

# cat /etc/vsftpd/vsftpd.conf | grep -v '#'
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=go-nix.ca FTP:

pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

When I try uploading a file anonymously into /incoming, it fails. /var/log/audit.log says:
type=AVC msg=audit(1121660610.998:11719667): avc:  denied  { write } for  pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1121660610.998:11719667): arch=40000003 syscall=5 success=no exit=-13 a0=89bcf98 a1=84c1 a2=1b6 a3=84c1 items=1 pid=8749 auid=4294967295 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121660610.998:11719667):  cwd="/incoming"
type=PATH msg=audit(1121660610.998:11719667): item=0 name="xorg.log" flags=310  inode=2256658 dev=03:01 mode=041777 ouid=0 ogid=0 rdev=00:00

Strangely, after using audit2allow to establish the following rule
allow ftpd_t ftpd_anon_t:dir write;
and adding it to /etc/selinux/targeted/src/policy/domains/misc/local.te
I ran make install from /etc/selinux/targeted/src/policy, and afterwards I still got the same error in audit.log.

No, xorg.log is not already present in /var/ftp/incoming :o)

So, how am I supposed to get anonymous uploading to work ?

Version-Release number of selected component (if applicable):
vsftpd-2.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Reproduce the above setup
2. Attempt to anonymously upload a file
  

Actual Results:  Failed to upload the file.

Expected Results:  The file should have been successfully uploaded.

Additional info:

Comment 1 Radek Vokal 2005-07-18 09:20:09 UTC
True, but audit2allow should resolve your issue. This works for me

# cat /etc/selinux/targeted/src/policy/domains/misc/local.te
allow ftpd_t ftpd_anon_t:dir write;
allow ftpd_t ftpd_anon_t:dir add_name;
allow ftpd_t ftpd_anon_t:file create;
.. and `make load` in /etc/selinux/targeted/src/ 

Anyway, those rules should be added to targeted policy. Reassigning .. 

Comment 2 Daniel Walsh 2005-07-18 14:17:00 UTC
The proper way to do this is to change the file context of the directory

chcon -t ftpd_anon_rw_t incoming

man ftpd_selinux
...
       If you want to setup a directory where you can upload files to you must
       label the files and directories ftpd_anon_rw_t.  So if you created a
       special directory /var/ftp/incoming, you would need to label the
       directory with the chcon tool.

       chcon -t ftpd_anon_rw_t /var/ftp/incoming
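Added example, not from the report, the reporter, or the Fedora policy: a small POSIX shell script that parses the AVC record quoted in the description and audits the `ls -lZd /var/ftp /var/ftp/*` listing for the mismatch the bug shows, a directory that DAC makes world-writable (`drwxrwxrwt`) but that SELinux still labels with the read-only `ftpd_anon_t` type. The AVC line and the listing are constructed copies of the lines in the description; the `<path>` in the advice is a placeholder because the audit record carries only the chroot-relative `name="incoming"`. It also illustrates why comment 2 is the narrower fix: the `local.te` rules in comment 1 let `ftpd_t` write into every `ftpd_anon_t` directory on the host, whereas relabeling grants write access to the one directory that is meant to receive uploads.

```shell
#!/bin/sh
# Added example, not from the bug report: parse the AVC denial quoted in the
# description and audit a "ls -lZd" listing of /var/ftp for the DAC/MAC
# mismatch it shows. Both inputs below are constructed from the report's own
# lines; no SELinux tool is executed, so this runs on any POSIX shell.

# Type that lets vsftpd (ftpd_t) write into a directory, per comment 2.
ANON_RW_TYPE="ftpd_anon_rw_t"

# Constructed copy of the AVC record from the description.
AVC='type=AVC msg=audit(1121660610.998:11719667): avc:  denied  { write } for  pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir'

# Constructed copy of the "ls -lZd /var/ftp /var/ftp/*" listing from the description.
LISTING='drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/FC3-PPC
drwxrwxrwt  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/incoming
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/RH8.0'

# avc_field RECORD KEY: value of the "KEY=value" token in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "<permission> <source type> <target type> <class>".
avc_summary() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p')
    printf '%s %s %s %s\n' "$perm" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# avc_advice RECORD: map the denial the report shows (ftpd_t writing into an
# ftpd_anon_t directory) to the relabel fix from comment 2. The record only
# carries the chroot-relative name, so the full path is left as a placeholder.
avc_advice() {
    summary=$(avc_summary "$1")
    name=$(avc_field "$1" name | tr -d '"')
    case "$summary" in
        "write ftpd_t ftpd_anon_t dir"|"add_name ftpd_t ftpd_anon_t dir")
            printf 'relabel upload dir "%s": chcon -t %s <path>\n' "$name" "$ANON_RW_TYPE" ;;
        *)
            printf 'no rule for: %s\n' "$summary" ;;
    esac
}

# audit_ftp_labels LISTING: one verdict per directory.
#   RELABEL  - world-writable under DAC but still ftpd_anon_t: uploads will be
#              denied exactly as in the report; relabel it.
#   WRITABLE - already ftpd_anon_rw_t: confirm it is an intended upload area.
#   READONLY - neither; anonymous clients can only read it.
audit_ftp_labels() {
    printf '%s\n' "$1" | awk -v rw="$ANON_RW_TYPE" '
        NF >= 5 {
            split($4, c, ":"); type = c[3]
            world_w = (substr($1, 9, 1) == "w")
            if (type == rw)      print "WRITABLE " $5
            else if (world_w)    print "RELABEL " $5 ": chcon -t " rw " " $5
            else                 print "READONLY " $5
        }'
}

avc_summary "$AVC"
avc_advice "$AVC"
audit_ftp_labels "$LISTING"
```

Running it prints the parsed denial (`write ftpd_t ftpd_anon_t dir`), the relabel advice, and one verdict per directory; only `/var/ftp/incoming` comes back as `RELABEL`, which matches the fix in comment 2. On a live host the same audit function can be fed the real output of `ls -lZd`, and the directory should be rechecked after `chcon` to confirm the type is now `ftpd_anon_rw_t`.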