=== Tuesday 26th June 2007 ===

==== Local Packages ====

I noticed a comment by FedoraProject:MatthiasSaou in his changelog for `proftpd`:

{{{
* Fri Jun 15 2007 Matthias Saou 1.3.0a-4
- Fix PAM entry for F7+ (#244168). Still doesn't work with selinux, though.
}}}

Given that I use both `proftpd` and SELinux without problems, I wondered what this was about. Anyway, I tried doing a non-anonymous login (something I don't normally do as I use `sftp` for that sort of thing), and I saw these SELinux denials in the audit log:

{{{
type=AVC msg=audit(1182852462.003:103279): avc: denied { write } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103279): avc: denied { link } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103280): avc: denied { audit_control } for pid=23852 comm="proftpd" capability=30 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
}}}

I [[http://www.redhat.com/archives/fedora-selinux-list/2007-June/msg00133.html|raised this]] on [[http://www.redhat.com/mailman/listinfo/fedora-selinux-list|fedora-selinux-list]] and the requisite policy changes were made in CVS.
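For reference, here is how those three denials translate into raw allow rules the way `audit2allow` would produce them; this is an added example written for this page, not the author's or proftpd's code, and the denial lines are embedded as a constructed copy of the ones quoted above. It merges each (source, target, class) into a single rule, which makes it visible that the `link` denial is against a `dovecot_t` keyring rather than ftpd's own, and that the raw `audit_control` capability rule is what the `logging_*` interfaces in a local module stand in for.

```python
import re
from collections import defaultdict

# Constructed copy of the three AVC denials quoted from the audit log above.
AVC_LINES = """\
type=AVC msg=audit(1182852462.003:103279): avc: denied { write } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103279): avc: denied { link } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103280): avc: denied { audit_control } for pid=23852 comm="proftpd" capability=30 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability
"""

# Permissions are listed between braces; the source/target contexts and the
# object class follow later on the same line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, perm) for every denied permission."""
    for line in lines.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a truncated one)
        src, tgt = type_of(m['scon']), type_of(m['tcon'])
        for perm in m['perms'].split():
            yield src, tgt, m['tclass'], perm


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class), audit2allow style."""
    perms = defaultdict(list)
    for src, tgt, tclass, perm in parse_avc(lines):
        # A target identical to the source is written as 'self' in policy language.
        key = (src, 'self' if tgt == src else tgt, tclass)
        if perm not in perms[key]:
            perms[key].append(perm)
    rules = []
    for (src, tgt, tclass), ps in perms.items():
        body = ps[0] if len(ps) == 1 else '{ %s }' % ' '.join(ps)
        rules.append('allow %s %s:%s %s;' % (src, tgt, tclass, body))
    return rules


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
```

Raw rules like these are a starting point for review, not something to load as-is: where a reference-policy interface exists for the access (as with the loginuid and audit-message interfaces), it is preferable to the bare rule.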
For the time being, I added the following in a local policy module:

{{{
# Allow ftpd to set the login uid and create a session keyring
logging_set_loginuid(ftpd_t)
logging_send_audit_msg(ftpd_t)
allow ftpd_t self:key { write search link };
}}}

I was then left with some remaining annoyances in `/var/log/secure`, such as:

{{{
Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() failed: Operation not permitted
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): System error
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
}}}

To prevent these errors, `proftpd` needs to retain the `CAP_AUDIT_WRITE` capability when changing UID. It already has the facility to set capabilities (in `mod_cap`, enabled by default), but `CAP_AUDIT_WRITE` is not one of the capabilities handled by the module. I made a patch to support this and incorporated it into my local `proftpd` package (1.3.0a-5.2.CF). The result was the following messages for a session in `/var/log/secure`:

{{{
Jun 26 14:33:44 goalkeeper proftpd: pam_unix(proftpd:session): session opened for user paul by (uid=0)
Jun 26 14:33:44 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - USER paul: Login successful.
Jun 26 14:33:48 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 14:33:48 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
}}}

Annoying error messages gone :-) I passed the patch on to Matthias to see what he thinks; if all seems well, I'll forward it upstream too.

----