07-11-2011, 12:55 PM
Paul Howarth

proftpd with systemd on F-15

I get various AVCs related to cgroup usage with systemd when logging in
to proftpd on F-15:

type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=file

type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2
success=yes exit=10 a0=2150480 a1=80000 a2=1b6 a3=9 items=0 ppid=11443
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.142:7885): avc: denied { getattr } for
pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5
success=yes exit=0 a0=a a1=7fff0173a930 a2=7fff0173a930 a3=9 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7886): avc: denied { write } for
pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name } for
pid=12071 comm="proftpd" name="785"
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { create } for
pid=12071 comm="proftpd" name="785"
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83
success=yes exit=0 a0=2150370 a1=1ed a2=0 a3=776f68702f726573 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7887): avc: denied { write } for
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=AVC msg=audit(1310388446.143:7887): avc: denied { open } for
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2
success=yes exit=11 a0=2150370 a1=80241 a2=1b6 a3=9 items=0 ppid=11443
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7888): avc: denied { getattr } for
pid=12071 comm="proftpd"
path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup
ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e syscall=5
success=yes exit=0 a0=b a1=7fff0173b100 a2=7fff0173b100 a3=9 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.150:7889): avc: denied { setattr } for
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90
success=yes exit=0 a0=2150370 a1=1a4 a2=3f4 a3=6f68702f72657375 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.150:7890): avc: denied { setattr } for
pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90
success=yes exit=0 a0=2150370 a1=1ed a2=3f4 a3=6f68702f72657375 items=0
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

/var/log/messages includes:

Jul 11 13:47:21 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) -
FTP session opened.
Jul 11 12:47:26 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) -
Preparing to chroot to directory '/nis-home/phowarth'
Jul 11 13:47:29 roary kernel: [2670919.902960] proftpd[12071]:
pam_systemd(proftpd:session): Failed to lock runtime directory:
Permission denied
Jul 11 13:47:29 roary kernel: [2670919.902978] proftpd[12071]:
pam_unix(proftpd:session): session closed for user phowarth
Jul 11 13:47:29 roary kernel: [2670919.904278] proftpd[12071]: 10.9.2.1
(10.9.2.1[10.9.2.1]) - FTP session closed.

audit2allow -R suggests:

fs_manage_cgroup_dirs(ftpd_t)
fs_manage_cgroup_files(ftpd_t)
init_read_state(ftpd_t)

proftpd does appear to work despite these messages, so I'm wondering if
it would be better to dontaudit these rather than allow them?

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
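The AVC records above are what audit2allow works from. As an added example (not from the post, and not proftpd or Fedora policy code), the script below merges such records into the minimal (source type, target type, class) tuples and renders them as a raw .te module, either as allow rules or as the dontaudit variant Paul asks about; the module name local_ftpd_cgroup is an assumption, and the sample input is a subset of the post's records with the tcontext field de-garbled.

```python
import re
from collections import defaultdict

# Five AVC records from the post above (tcontext de-garbled to system_u:object_r),
# plus one trimmed SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 comm="proftpd" exe="/usr/sbin/proftpd"
type=AVC msg=audit(1310388446.143:7886): avc: denied { write } for pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7887): avc: denied { write } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (source type, target type, class, perms) or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]   # user:role:type[:mls] -> type
    ttype = m.group("tctx").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def collect_denials(text):
    """Merge denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    merged = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return dict(merged)

def render_module(merged, name, kind="allow"):
    """Emit a raw .te module. kind='dontaudit' only silences the AVCs (what
    audit2allow -D produces); it grants nothing, so it is the right choice only
    when, as here, the program demonstrably works without the access. Loaded
    dontaudit rules also hide later denials of the same tuple until 'semodule -DB'."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError(kind)
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in merged.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        out.append(f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module(collect_denials(SAMPLE_AUDIT), "local_ftpd_cgroup", "dontaudit"))
```

The printed .te text builds and loads with checkmodule -M -m -o local_ftpd_cgroup.mod local_ftpd_cgroup.te, semodule_package -o local_ftpd_cgroup.pp -m local_ftpd_cgroup.mod and semodule -i local_ftpd_cgroup.pp.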
 
07-11-2011, 06:03 PM
Daniel J Walsh

proftpd with systemd on F-15


On 07/11/2011 08:55 AM, Paul Howarth wrote:
> [...]


This looks like proftpd is setting up its own cgroup and SELinux is
preventing this. Please open a bugzilla and we can discuss it with the
proftpd guys.
 
07-11-2011, 08:41 PM
Paul Howarth

proftpd with systemd on F-15

On Mon, 11 Jul 2011 14:03:33 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

>
> On 07/11/2011 08:55 AM, Paul Howarth wrote:
> > [...]
>
>
> This looks like proftpd is setting up its own cgroup and SELinux is
> preventing this. Please open a bugzilla and we can discuss it with
> the proftpd guys.

OK (I am proftpd co-maintainer in Fedora by the way), will do, though I
can't see anything relating to cgroups in the code.

Paul.