Bug 163479 - Anonymous write access failing
Summary: Anonymous write access failing
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-18 04:32 UTC by Gabriel Schulhof
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-18 14:17:00 UTC



Description Gabriel Schulhof 2005-07-18 04:32:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
# ls -lZd /var/ftp /var/ftp/*
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/FC3-PPC
drwxrwxrwt  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/incoming
drwxr-xr-x  root     root     system_u:object_r:ftpd_anon_t    /var/ftp/RH8.0

# cat /etc/vsftpd/vsftpd.conf | grep -v '#'
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=go-nix.ca FTP:

pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

When I try uploading a file anonymously into /incoming, it fails. /var/log/audit.log says:
type=AVC msg=audit(1121660610.998:11719667): avc:  denied  { write } for  pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=SYSCALL msg=audit(1121660610.998:11719667): arch=40000003 syscall=5 success=no exit=-13 a0=89bcf98 a1=84c1 a2=1b6 a3=84c1 items=1 pid=8749 auid=4294967295 uid=14 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1121660610.998:11719667):  cwd="/incoming"
type=PATH msg=audit(1121660610.998:11719667): item=0 name="xorg.log" flags=310  inode=2256658 dev=03:01 mode=041777 ouid=0 ogid=0 rdev=00:00

Strangely, after using audit2allow to establish the following rule
allow ftpd_t ftpd_anon_t:dir write;
and adding it to /etc/selinux/targeted/src/policy/domains/misc/local.te
I ran make install from /etc/selinux/targeted/src/policy, and afterwards I still got the same error in audit.log.

No, xorg.log is not already present in /var/ftp/incoming :o)

So, how am I supposed to get anonymous uploading to work?

Version-Release number of selected component (if applicable):
vsftpd-2.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Reproduce the above setup
2. Attempt to anonymously upload a file
  

Actual Results:  Failed to upload the file.

Expected Results:  The file should have been successfully uploaded.

Additional info:

Comment 1 Radek Vokal 2005-07-18 09:20:09 UTC
True, but audit2allow should resolve your issue. This works for me

# cat /etc/selinux/targeted/src/policy/domains/misc/local.te
allow ftpd_t ftpd_anon_t:dir write;
allow ftpd_t ftpd_anon_t:dir add_name;
allow ftpd_t ftpd_anon_t:file create;
.. and `make load` in /etc/selinux/targeted/src/ 

Anyway, those rules should be added to targeted policy. Reassigning .. 

Comment 2 Daniel Walsh 2005-07-18 14:17:00 UTC
The proper way to do this is to change the file context of the directory

chcon -t ftpd_anon_rw_t incoming

man ftpd_selinux
...
       If you want to setup a directory where you can upload files to you must
       label the files and directories ftpd_anon_rw_t. So if you created a
       special directory /var/ftp/incoming, you would need to label the
       directory with the chcon tool.

       chcon -t ftpd_anon_rw_t /var/ftp/incoming




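The point made in the last comment (relabel the one upload directory instead of letting ftpd_t write to every ftpd_anon_t directory via an audit2allow rule), as an added shell example that is not from the bug report, vsftpd or the SELinux project: it parses AVC lines like the ones in the report (sample lines constructed here) and prints the defensible fix. The function names `avc_denials` and `relabel_advice` and the `SAMPLE_AUDIT` data are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: parse AVC denial lines and
# single out the ftpd_t -> ftpd_anon_t directory case, where the fix is to
# relabel the upload directory (as comment 2 says), not to widen ftpd_t's
# policy with an audit2allow rule that lets it write to every anon-FTP dir.

# Constructed sample audit lines (the first is modelled on the report above;
# the httpd line is unrelated noise to show the filter ignores it).
SAMPLE_AUDIT='type=AVC msg=audit(1121660610.998:11719667): avc:  denied  { write } for  pid=8749 comm="vsftpd" name="incoming" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=AVC msg=audit(1121660611.001:11719668): avc:  denied  { add_name } for  pid=8749 comm="vsftpd" name="xorg.log" dev=hda1 ino=2256658 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
type=AVC msg=audit(1121660700.000:11719700): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" dev=hda1 ino=100 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file'

# avc_denials LOG: one line per denial -> "stype ttype tclass perms name".
# Only the type part of each context is kept (field 3 of user:role:type[:level]).
avc_denials() {
  printf '%s\n' "$1" | awk '
    /^type=AVC/ && /denied/ {
      s = t = c = name = perms = ""; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm) { perms = (perms == "" ? $i : perms "," $i); continue }
        split($i, kv, "=")
        if (kv[1] == "scontext") { split(kv[2], a, ":"); s = a[3] }
        if (kv[1] == "tcontext") { split(kv[2], a, ":"); t = a[3] }
        if (kv[1] == "tclass")   c = kv[2]
        if (kv[1] == "name")     { gsub(/"/, "", kv[2]); name = kv[2] }
      }
      print s, t, c, perms, name
    }'
}

# relabel_advice LOG: for each denial, print the defensible fix. A vsftpd
# (ftpd_t) denial on a ftpd_anon_t directory means the directory carries the
# read-only anon label; relabel just that directory instead of adding rules.
relabel_advice() {
  avc_denials "$1" | awk '
    $1 == "ftpd_t" && $2 == "ftpd_anon_t" && $3 == "dir" {
      print "relabel (name=" $5 ", denied=" $4 "): chcon -t ftpd_anon_rw_t <upload dir>"
      next
    }
    { print "other denial " $1 " -> " $2 ":" $3 " {" $4 "}: investigate before allowing" }'
}

# Caveat (outside the report): chcon sets the label on the inode only, so a
# relabel such as restorecon reverts it; on policies that ship semanage, a
# persistent rule is: semanage fcontext -a -t ftpd_anon_rw_t "/var/ftp/incoming(/.*)?"
relabel_advice "$SAMPLE_AUDIT"
```

Run it with any POSIX sh; to use it on a real system, replace `SAMPLE_AUDIT` with the AVC lines from the audit log.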