#3143 selinux avc denial for vsftp login as ipa user
Closed: Fixed. Opened 2 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1362716

Description of problem:

I'm seeing AVC denials when trying to ftp as an IPA user with vsftpd set up.


----
time->Tue Aug  2 18:52:25 2016
type=PATH msg=audit(1470181945.535:129): item=0
name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=CWD msg=audit(1470181945.535:129):  cwd="/"
type=SYSCALL msg=audit(1470181945.535:129): arch=c000003e syscall=4 success=no
exit=-13 a0=7f3511c17ee0 a1=7ffd35aabb30 a2=7ffd35aabb30 a3=7f3511e192c0
items=1 ppid=1716 pid=2109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd"
exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1470181945.535:129): avc:  denied  { dac_read_search } for
pid=2109 comm="vsftpd" capability=2
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:129): avc:  denied  { dac_override } for
pid=2109 comm="vsftpd" capability=1
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
----
time->Tue Aug  2 18:52:25 2016
type=PATH msg=audit(1470181945.535:130): item=0
name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=CWD msg=audit(1470181945.535:130):  cwd="/"
type=SYSCALL msg=audit(1470181945.535:130): arch=c000003e syscall=4 success=no
exit=-13 a0=7f3511c17ee0 a1=7ffd35aabb30 a2=7ffd35aabb30 a3=7f3511e192c0
items=1 ppid=1716 pid=2109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd"
exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1470181945.535:130): avc:  denied  { dac_read_search } for
pid=2109 comm="vsftpd" capability=2
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:130): avc:  denied  { dac_override } for
pid=2109 comm="vsftpd" capability=1
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64
sssd-1.14.0-10.el7.x86_64
selinux-policy-3.13.1-91.el7.noarch


How reproducible:


Steps to Reproduce:
1.  ipa-server-install
2.  ipa user-add ipauser
3.  kinit ipauser # to set password
4.  yum -y install ftp vsftpd; systemctl start vsftpd
5.  ftp -inv $(hostname)
> user ipauser <ipauser password>


Actual results:

AVC shown above

Expected results:

I wouldn't expect to see an AVC.

Additional info:

I'm not sure if this is an selinux-policy bug or something changed within SSSD.
So, I'm starting with SSSD.

If I add an actual local user, ftp works.

Permissions on the file in question:

[root@rhel7-1 ~]# ls -lZ /var/lib/sss/pipes/private/pam
srw-------. root root system_u:object_r:sssd_var_lib_t:s0 /var/lib/sss/pipes/private/pam
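The records in the report are easier to reason about once the PATH, SYSCALL and AVC lines that share one audit serial are correlated and the denials are folded into the rule audit2allow would propose. The Python below is an added example, not code from the ticket, from SSSD or from vsftpd. Its input is event 129 from the report, re-joined into single-line records as auditd writes them; the syscall and errno tables it carries are deliberately partial (x86_64 only) and are an assumption of the example, not something the ticket states.

```python
"""Correlate SELinux audit records into per-event summaries and the
audit2allow-style rule they imply (added example, not from the ticket)."""
import re
from collections import defaultdict

# Event 129 from the vsftpd report above, re-joined into single-line records
# as auditd writes them (the ticket shows them wrapped at 80 columns).
SAMPLE_AUDIT = """\
type=PATH msg=audit(1470181945.535:129): item=0 name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=CWD msg=audit(1470181945.535:129):  cwd="/"
type=SYSCALL msg=audit(1470181945.535:129): arch=c000003e syscall=4 success=no exit=-13 a0=7f3511c17ee0 a1=7ffd35aabb30 a2=7ffd35aabb30 a3=7f3511e192c0 items=1 ppid=1716 pid=2109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1470181945.535:129): avc:  denied  { dac_read_search } for pid=2109 comm="vsftpd" capability=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:129): avc:  denied  { dac_override } for pid=2109 comm="vsftpd" capability=1 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
"""

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Deliberately partial lookup tables (assumption of this example): x86_64
# syscall numbers and errno values that typically appear in file-access denials.
X86_64_SYSCALLS = {2: "open", 4: "stat", 6: "lstat", 42: "connect", 257: "openat"}
ERRNO = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}


def _kv(text):
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Return the type field of a user:role:type:range security context."""
    return context.split(":")[2]


def parse_records(text):
    """Group audit lines by event serial and pull out what triage needs."""
    events = defaultdict(lambda: {"avc": [], "paths": []})
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        ev, body = events[m["serial"]], m["body"]
        if m["type"] == "AVC":
            a = AVC_RE.match(body)
            if a and a["decision"] == "denied":
                f = _kv(a["rest"])
                ev["avc"].append({"perms": a["perms"].split(), "scontext": f["scontext"],
                                  "tcontext": f["tcontext"], "tclass": f["tclass"]})
        elif m["type"] == "SYSCALL":
            f = _kv(body)
            ev.update(arch=f["arch"], syscall=int(f["syscall"]), exit=int(f["exit"]),
                      uid=int(f["uid"]), comm=f["comm"])
        elif m["type"] == "PATH":
            # Real logs hex-encode names containing odd bytes; the ticket's path is plain.
            ev["paths"].append(_kv(body)["name"])
    return dict(events)


def summarize(ev):
    """Flatten one correlated event into the fields a triage line needs."""
    denied = defaultdict(set)
    for avc in ev["avc"]:
        denied[avc["tclass"]].update(avc["perms"])
    nr = ev.get("syscall")
    return {
        "comm": ev.get("comm"),
        "uid": ev.get("uid"),
        "domain": type_of(ev["avc"][0]["scontext"]) if ev["avc"] else None,
        # Syscall numbers are per-architecture; only decode the x86_64 table we carry.
        "syscall": X86_64_SYSCALLS.get(nr, str(nr)) if ev.get("arch") == "c000003e" else str(nr),
        "errno": ERRNO.get(ev.get("exit"), str(ev.get("exit"))),
        "paths": list(ev["paths"]),
        "denied": {cls: sorted(p) for cls, p in denied.items()},
    }


def allow_rules(events):
    """Fold all denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for ev in events.values():
        for avc in ev["avc"]:
            s, t = type_of(avc["scontext"]), type_of(avc["tcontext"])
            perms[(s, "self" if s == t else t, avc["tclass"])].update(avc["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())


if __name__ == "__main__":
    evs = parse_records(SAMPLE_AUDIT)
    for serial, ev in evs.items():
        s = summarize(ev)
        print(f"event {serial}: {s['comm']} (uid {s['uid']}, {s['domain']}) "
              f"{s['syscall']}({', '.join(s['paths'])}) -> {s['errno']}; denied {s['denied']}")
    print("\n".join(allow_rules(evs)))
```

Two details the summary surfaces are worth reading off the report directly: syscall 4 on arch c000003e is stat(2), so vsftpd was stat()-ing the socket path rather than connecting to it, and the kernel consults CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH only after the ordinary mode-bit check has already failed, which is why the denial is meaningful even though the process runs as uid 0. The rule the script prints, allow ftpd_t self:capability { dac_override dac_read_search };, is what audit2allow would propose, but it hands ftpd_t the ability to bypass file permissions system-wide; this ticket was closed as fixed in SSSD 1.14.2 rather than by widening the policy, so treat the generated rule as a diagnostic, not a fix.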

Fields changed

owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned

milestone: NEEDS_TRIAGE => SSSD 1.14.2
resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.2

