Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 816691 - SELinux is preventing /usr/sbin/proftpd from 'getattr' accesses on the файл /etc/my.cnf.
Summary: SELinux is preventing /usr/sbin/proftpd from 'getattr' accesses on the файл /...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8eebc938d6a6f5e011ee6eb6b07...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-26 17:28 UTC by Goga
Modified: 2012-05-04 18:55 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-02 10:10:14 UTC


Attachments (Terms of Use)

Description Goga 2012-04-26 17:28:36 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.2-6.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/proftpd from 'getattr' accesses on the файл /etc/my.cnf.
time:           Чт. 26 апр. 2012 21:24:49

description:
:SELinux is preventing /usr/sbin/proftpd from 'getattr' accesses on the файл /etc/my.cnf.
:
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:
:If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
:Then you must tell SELinux about this by enabling the 'allow_ftpd_full_access'boolean.
:Do
:setsebool -P allow_ftpd_full_access 1
:
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:
:If you believe that proftpd should be allowed getattr access on the my.cnf file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep proftpd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:mysqld_etc_t:s0
:Target Objects                /etc/my.cnf [ file ]
:Source                        proftpd
:Source Path                   /usr/sbin/proftpd
:Port                          <Неизвестно>
:Host                          (removed)
:Source RPM Packages           proftpd-1.3.4a-7.fc16.x86_64
:Target RPM Packages           mysql-libs-5.5.22-1.fc16.x86_64
:Policy RPM                    selinux-policy-3.10.0-84.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux Domo.loc 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr
:                              21 12:43:20 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Чт. 26 апр. 2012 21:08:21
:Last Seen                     Чт. 26 апр. 2012 21:08:21
:Local ID                      4ed53d2a-55e1-4cab-98d0-25417d123931
:
:Raw Audit Messages
:type=AVC msg=audit(1335460101.26:94): avc:  denied  { getattr } for  pid=2589 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=141808 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1335460101.26:94): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff47765b40 a1=7fff47762aa0 a2=7fff47762aa0 a3=7fff477627a0 items=0 ppid=2585 pid=2589 auid=4294967295 uid=0 gid=50 euid=14 suid=0 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=4294967295 comm=proftpd exe=/usr/sbin/proftpd subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: proftpd,ftpd_t,mysqld_etc_t,file,getattr
:
:audit2allow
:
:#============= ftpd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
:
:allow ftpd_t mysqld_etc_t:file getattr;
:
:audit2allow -R
:
:#============= ftpd_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
:
:allow ftpd_t mysqld_etc_t:file getattr;
:

Comment 1 Miroslav Grepl 2012-04-27 11:36:26 UTC
Are you getting this file using ftpd? If yes, you need to execute what sealert suggests.

Comment 2 Goga 2012-04-27 18:32:13 UTC
And what does it offer?
I'm not good at this and just learning.

PS: I apologize for my English. I write through google translate.

Comment 3 Miroslav Grepl 2012-05-02 10:10:14 UTC
It suggests to turn on the allow_ftpd_full_access boolean which will allow you this operation.

Were you trying to download /etc/my.cnf configuration file using ftp?

Comment 4 Goga 2012-05-04 18:55:15 UTC
The problem was solved using the permission policies.

setseboot allow_ftpd_anon_write 1
setseboot allow_ftpd_full_access 1
setseboot allow_ftpd_use_cifs 1
setseboot allow_ftpd_use_nfs 1
setseboot ftp_home_dir 1
setseboot ftpd_connect_all_unreserved 1
setseboot ftpd_connect_db 1

Thank you for your help.


Note You need to log in before you can comment on or make changes to this bug.