#3143 selinux avc denial for vsftp login as ipa user
Closed: Fixed None Opened 3 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1362716

Description of problem:

I'm seeing AVC denials when trying to ftp as an IPA user with vsftpd setup.


----
time->Tue Aug  2 18:52:25 2016
type=PATH msg=audit(1470181945.535:129): item=0
name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=CWD msg=audit(1470181945.535:129):  cwd="/"
type=SYSCALL msg=audit(1470181945.535:129): arch=c000003e syscall=4 success=no
exit=-13 a0=7f3511c17ee0 a1=7ffd35aabb30 a2=7ffd35aabb30 a3=7f3511e192c0
items=1 ppid=1716 pid=2109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd"
exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1470181945.535:129): avc:  denied  { dac_read_search } for
pid=2109 comm="vsftpd" capability=2
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:129): avc:  denied  { dac_override } for
pid=2109 comm="vsftpd" capability=1
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
----
time->Tue Aug  2 18:52:25 2016
type=PATH msg=audit(1470181945.535:130): item=0
name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=CWD msg=audit(1470181945.535:130):  cwd="/"
type=SYSCALL msg=audit(1470181945.535:130): arch=c000003e syscall=4 success=no
exit=-13 a0=7f3511c17ee0 a1=7ffd35aabb30 a2=7ffd35aabb30 a3=7f3511e192c0
items=1 ppid=1716 pid=2109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd"
exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1470181945.535:130): avc:  denied  { dac_read_search } for
pid=2109 comm="vsftpd" capability=2
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:130): avc:  denied  { dac_override } for
pid=2109 comm="vsftpd" capability=1
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64
sssd-1.14.0-10.el7.x86_64
selinux-policy-3.13.1-91.el7.noarch


How reproducible:


Steps to Reproduce:
1.  ipa-server-install
2.  ipa user-add ipauser
3.  kinit ipauser # to set password
4.  yum -y install ftp vsftpd; systemctl start vsftpd
5.  ftp -inv $(hostname)
> user ipauser <ipauser password>


Actual results:

AVC shown above

Expected results:

I wouldn't expect to see an AVC.

Additional info:

I'm not sure if this is an selinux-policy bug or something changed within SSSD.
So, I'm starting with SSSD.

If I add an actual local user, ftp works.

Permissions on the file in question:

[root@rhel7-1 ~]# ls -lZ /var/lib/sss/pipes/private/pam
srw-------. root root system_u:object_r:sssd_var_lib_t:s0
/var/lib/sss/pipes/private/pam

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => lslebodn
patch: 0 => 1
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0

milestone: NEEDS_TRIAGE => SSSD 1.14.2
resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.2

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4176

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata