I just set up a web hosting server with SELinux in permissive mode, meaning it's unsecured but writing issues to the message log file. Once I have fixed all the avc: denied errors, I will put the server in 'enforce' mode. But here's the question. In /var/log/messages, I have the following error:
Apr 3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc: denied { search } for pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Now, how do I logically approach this? Does anybody have any tips of the trade?
Best Answer
It looks as though you want FTP to be usable by normal users (who have content in /home).
There exists a boolean to resolve this problem. You can work this out by doing the following:
cat your_avc_txt.txt | audit2why
Which produces:
This tells you which booleans control this behaviour and what they do; you should enable the boolean which is the most restrictive of the two. So in your case: ftp_home_dir.
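The "logical approach" the question asks for is triage: before feeding anything to audit2why, group the AVC denials by source domain, target type, object class and permission, so that one policy decision (a boolean, a file-context fix, or a custom module) can be matched to each distinct pattern rather than to each log line. The script below is an added example, not part of the question or answer above and not a tool shipped with SELinux. It parses the kernel AVC format shown in the question and counts the distinct denied tuples; it also handles the general case of several permissions inside one `{ ... }` set, and skips `granted` records. The sample log is constructed for this example: the first line is the denial from the question, the other three are made-up records (the `user_home_dir_t` read and the `init_t` grant are assumptions for illustration).

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the denial from the question; lines 2-4
# are made-up for illustration and are not real output from the poster's server.
SAMPLE_LOG = """\
Apr 3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc: denied { search } for pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Apr 3 14:32:31 narf kernel: type=1400 audit(1365013106.002:4): avc: denied { read } for pid=1319 comm="vsftpd" name="alice" dev=dm-2 ino=131073 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Apr 3 14:32:31 narf kernel: type=1400 audit(1365013106.003:5): avc: denied { search } for pid=1320 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Apr 3 14:33:00 narf kernel: type=1400 audit(1365013135.117:6): avc: granted { setsecparam } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# "avc: denied { search }" or "avc: granted { read write }"; everything after
# the permission set is a run of key=value pairs.
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}(?P<rest>.*)$")
# Values are either double-quoted (comm="vsftpd", name="/") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context, or ''."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one syslog/audit line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),  # one entry per permission in the braces
        "comm": fields.get("comm", ""),
        "pid": fields.get("pid", ""),
        "name": fields.get("name", ""),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "stype": type_of(fields.get("scontext", "")),
        "ttype": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def summarize(log_text):
    """Count denied (source type, target type, class, permission) tuples.

    Granted records and non-AVC lines are ignored. Each permission in a
    multi-permission set like "{ read write }" is counted separately, since
    each one may need a different policy decision.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def report(log_text):
    """Return triage lines, most frequent pattern first, ready to hand to audit2why."""
    lines = []
    for (stype, ttype, tclass, perm), n in summarize(log_text).most_common():
        lines.append(f"{n:4d}  {stype} -> {ttype} ({tclass}:{perm})")
    return lines


if __name__ == "__main__":
    # Typical use: python3 avc_triage.py < /var/log/messages
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(text)))
```

Each reported tuple is the unit you resolve: for `ftpd_t -> home_root_t (dir:search)` the answer's `ftp_home_dir` boolean is the fix, and once it is set with `setsebool -P` the whole group should disappear from the log rather than just one line. The `name`/`pid` fields are kept in the parsed record because a denial whose target type looks wrong for the path (for example a file under /home labelled something other than a home type) usually points at a mislabelled file to be fixed with `restorecon`, not at a boolean.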