PaulHowarth/Blog/2007-06-26

Tuesday 26th June 2007

Local Packages

I noticed a comment by MatthiasSaou in his changelog for proftpd:

* Fri Jun 15 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-4
- Fix PAM entry for F7+ (#244168). Still doesn't work with selinux, though.

Given that I use both proftpd and SELinux without problems, I wondered what this was about. Anyway, I tried doing a non-anonymous login (something I don't normally do as I use sftp for that sort of thing), and I saw these SELinux denials in the audit log:

type=AVC msg=audit(1182852462.003:103279): avc:  denied  { write } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103279): avc:  denied  { link } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103280): avc:  denied  { audit_control } for  pid=23852 comm="proftpd" capability=30 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

I raised this on fedora-selinux-list and the requisite policy changes were made in CVS. For the time being, I added the following in a local policy module:

# Allow ftpd to set the login uid and create a session keyring
logging_set_loginuid(ftpd_t)
logging_send_audit_msg(ftpd_t)
allow ftpd_t self:key { write search link };
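As an added illustration (not code from this post), the following Python script turns AVC records like the ones above into the raw allow rules that audit2allow would suggest, aggregating permissions per source type, target type and object class. The sample input is the three denials from the audit log plus one constructed non-AVC line the parser must skip; choosing policy interfaces such as logging_set_loginuid() in place of raw rules is a manual step the script does not attempt.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records from the post plus one
# abbreviated, constructed non-AVC record that the parser must skip.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1182852462.003:103279): avc:  denied  { write } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103279): avc:  denied  { link } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
type=SYSCALL msg=audit(1182852462.003:103279): success=no exit=-13 comm="proftpd"
type=AVC msg=audit(1182852462.003:103280): avc:  denied  { audit_control } for  pid=23852 comm="proftpd" capability=30 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
"""

# Fields of an AVC denial: permissions, source/target contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, perms), or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))


def denials_to_rules(audit_text):
    """Aggregate denials into raw allow rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            src, tgt, tclass, p = parsed
            perms[(src, tgt, tclass)].update(p)
    rules = []
    for (src, tgt, tclass), p in sorted(perms.items()):
        target = "self" if src == tgt else tgt  # policy shorthand for same-type targets
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(p))} }};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(AUDIT_SAMPLE):
        print(rule)
```

Note that the second denial's target is a dovecot_t keyring rather than ftpd_t's own, so the raw rule differs from the self:key rule used above; whether cross-domain key linking should be permitted is a policy decision, not something to infer from the log alone.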

I was then left with some remaining annoyances in /var/log/secure, such as:

Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() failed: Operation not permitted
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): System error
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

To prevent these errors, proftpd needs to retain the CAP_AUDIT_WRITE capability when changing UID. It already has the facility to set capabilities (in mod_cap, enabled by default), but CAP_AUDIT_WRITE is not one of the capabilities handled by the module. I made a patch to support this and incorporated it into my local proftpd package (1.3.0a-5.2.CF). The result was the following messages for a session in /var/log/secure:

Jun 26 14:33:44 goalkeeper proftpd: pam_unix(proftpd:session): session opened for user paul by (uid=0)
Jun 26 14:33:44 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - USER paul: Login successful.
Jun 26 14:33:48 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 14:33:48 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

Annoying error messages gone :-)

I passed the patch on to Matthias to see what he thinks; if all seems well, I'll forward it upstream too.
