Linux – selinux avc: denied issue

Tags: linux, security, selinux

I just set up a web hosting server with selinux in permissive mode, meaning it's unsecured but writing issues to the message log file. Once I have fixed all the avc: denied errors, I will put the server in 'enforce' mode. But here's the question. In /var/log/messages, I have the following error:

Apr  3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc:  denied  { search }  for  pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

Now, how do I logically approach this, does anybody have any tips of the trade?

Best Answer

It looks as though you want FTP to be able to be used for normal users (who have content in /home).

There exists a boolean to resolve this problem. You can work this out by doing the following:

cat your_avc_txt.txt | audit2why

Which produces:

Apr  3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc:  denied  { search } for  pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow ftp to read and write files in the user home directories

Allow access by executing:
# setsebool -P ftp_home_dir 1
Description:
Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

Allow access by executing:
# setsebool -P ftpd_full_access 1

This tells you which booleans control this behaviour and what they do. You should enable the boolean which is the most restrictive of the two, so in your case, ftp_home_dir.
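Added example, not part of the original question or answer: a small Python helper that parses AVC denial records like the one above into their fields and groups them by source type, target type and object class, which is the unit a boolean or policy rule acts on. The first sample line is the one from the question; the second line and the non-AVC line are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines: the first is the denial from the question,
# the second is a made-up companion denial, the third is not an AVC record at all.
SAMPLE_LINES = [
    'Apr  3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc:  denied  { search } for  pid=1319 '
    'comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'Apr  3 14:32:31 narf kernel: type=1400 audit(1365013106.002:4): avc:  denied  { read getattr } for  pid=1319 '
    'comm="vsftpd" name="notes.txt" dev=dm-2 ino=4711 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'Apr  3 14:32:32 narf vsftpd[1319]: CONNECT: Client "192.0.2.10"',
]

# "avc:  denied  { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields in one log line, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    # A context is user:role:type:range; only the type (third field) matters to policy rules.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def group_denials(lines):
    """Group denials by (source type, target type, class), merging the denied permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


if __name__ == "__main__":
    for (stype, ttype, tclass), perms in group_denials(SAMPLE_LINES).items():
        # Each group is one thing to feed to audit2why before deciding on a boolean or module.
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(perms)}")
```

Each printed group corresponds to the AVC lines you would pipe into `audit2why` (as in the answer) to see whether an existing boolean already covers it.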
