    PaulHowarth/Blog/2007-06-26

Tuesday 26th June 2007

Local Packages

I noticed a comment by MatthiasSaou in his changelog for proftpd:

* Fri Jun 15 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-4
- Fix PAM entry for F7+ (#244168). Still doesn't work with selinux, though.

Given that I use both proftpd and SELinux without problems, I wondered what this was about. Anyway, I tried doing a non-anonymous login (something I don't normally do as I use sftp for that sort of thing), and I saw these SELinux denials in the audit log:

type=AVC msg=audit(1182852462.003:103279): avc:  denied  { write } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103279): avc:  denied  { link } for pid=23852 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
type=AVC msg=audit(1182852462.003:103280): avc:  denied  { audit_control } for  pid=23852 comm="proftpd" capability=30 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability

I raised this on fedora-selinux-list and the requisite policy changes were made in CVS. For the time being, I added the following in a local policy module:

# policy_module header and require block added so this fragment builds as a .te file (module name is a placeholder)
policy_module(localproftpd, 1.0)
require { type ftpd_t; }

# Allow ftpd to set the login uid and create a session keyring
logging_set_loginuid(ftpd_t)
logging_send_audit_msg(ftpd_t)
allow ftpd_t self:key { write search link };
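The three AVC lines above are exactly the input that audit2allow turns into allow rules. As an added example (not code from the original post or from any of the projects mentioned), here is a small C parser that pulls the permission, source type, target type and object class out of each denial and prints the raw rule that would silence it. The sample input is the three audit lines copied from above. The caveat a policy author wants: the printed rules are the mechanical translation, and the fix actually applied above uses the logging_set_loginuid and logging_send_audit_msg interfaces for the audit_control capability instead of a bare allow rule, which is generally the better choice because the interface carries whatever else the policy expects to go with that access.

```c
#include <stdio.h>
#include <string.h>

/* Sample input: the three denials from the audit log above. */
const char *const SAMPLE_AVC[] = {
    "type=AVC msg=audit(1182852462.003:103279): avc:  denied  { write } for pid=23852 comm=\"proftpd\" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=key",
    "type=AVC msg=audit(1182852462.003:103279): avc:  denied  { link } for pid=23852 comm=\"proftpd\" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key",
    "type=AVC msg=audit(1182852462.003:103280): avc:  denied  { audit_control } for  pid=23852 comm=\"proftpd\" capability=30 scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:ftpd_t:s0 tclass=capability",
};
const int SAMPLE_AVC_COUNT = 3;

/* Fields of one denial needed to write an allow rule. */
struct avc {
    char perms[128];   /* permissions inside the braces, e.g. "write" */
    char stype[64];    /* source type from scontext, e.g. ftpd_t */
    char ttype[64];    /* target type from tcontext, e.g. dovecot_t */
    char tclass[32];   /* object class, e.g. key */
};

/* Copy the value of "key=value" (up to the next space) into out; 0 on success. */
static int field(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (!p) return -1;
    p += strlen(key);
    while (*p && *p != ' ' && i + 1 < n) out[i++] = *p++;
    out[i] = '\0';
    return i ? 0 : -1;
}

/* Pull the type (third colon-separated field) out of user:role:type:level. */
static int context_type(const char *ctx, char *out, size_t n)
{
    const char *p = ctx, *end;
    size_t len;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    end = strchr(p, ':');
    len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= n) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Parse one audit line. Returns 0 and fills *a, or -1 if it is not an AVC denial. */
int parse_avc(const char *line, struct avc *a)
{
    char sctx[160], tctx[160];
    const char *d = strstr(line, "avc:  denied");
    const char *open, *close, *end;
    size_t len;
    if (!d) return -1;
    open = strchr(d, '{');
    close = open ? strchr(open, '}') : NULL;
    if (!open || !close) return -1;
    for (open++; *open == ' '; open++) ;             /* trim "{ " */
    for (end = close; end > open && end[-1] == ' '; end--) ;  /* trim " }" */
    len = (size_t)(end - open);
    if (len == 0 || len >= sizeof a->perms) return -1;
    memcpy(a->perms, open, len);
    a->perms[len] = '\0';
    if (field(line, "scontext=", sctx, sizeof sctx) ||
        field(line, "tcontext=", tctx, sizeof tctx) ||
        field(line, "tclass=", a->tclass, sizeof a->tclass))
        return -1;
    if (context_type(sctx, a->stype, sizeof a->stype) ||
        context_type(tctx, a->ttype, sizeof a->ttype))
        return -1;
    return 0;
}

/* Format the allow rule for a denial; "self" when source and target types match,
 * as audit2allow writes it. Returns snprintf's character count. */
int avc_rule(const struct avc *a, char *out, size_t n)
{
    const char *target = strcmp(a->stype, a->ttype) == 0 ? "self" : a->ttype;
    return snprintf(out, n, "allow %s %s:%s { %s };", a->stype, target, a->tclass, a->perms);
}

int main(void)
{
    char rule[256];
    struct avc a;
    for (int i = 0; i < SAMPLE_AVC_COUNT; i++)
        if (parse_avc(SAMPLE_AVC[i], &a) == 0 && avc_rule(&a, rule, sizeof rule) > 0)
            puts(rule);
    return 0;
}
```

Run against the sample it prints one rule per denial; the second one, allow ftpd_t dovecot_t:key { link }, is the kind of cross-domain rule worth a second look before it goes into a module, since it grants ftpd access to another daemon's keys rather than its own.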

I was then left with some remaining annoyances in /var/log/secure, such as:

Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() failed: Operation not permitted
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): System error
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

To prevent these errors, proftpd needs to retain the CAP_AUDIT_WRITE capability when changing UID. It already has the facility to set capabilities (in mod_cap, enabled by default), but CAP_AUDIT_WRITE is not one of the capabilities handled by the module. I made a patch to support this and incorporated it into my local proftpd package (1.3.0a-5.2.CF). The result was the following messages for a session in /var/log/secure:

Jun 26 14:33:44 goalkeeper proftpd: pam_unix(proftpd:session): session opened for user paul by (uid=0)
Jun 26 14:33:44 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - USER paul: Login successful.
Jun 26 14:33:48 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 14:33:48 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

Annoying error messages gone :-)
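The patch itself is not reproduced here. As an added example (not proftpd's mod_cap code and not the patch), the following C shows the general Linux pattern for what the paragraph above describes: keep the permitted set across the uid change with prctl(PR_SET_KEEPCAPS), switch identity, then use capset(2) to shrink the permitted and effective sets to just the capabilities the daemon still needs, CAP_AUDIT_WRITE among them. It uses the raw capget/capset syscalls rather than libcap so it builds without -lcap; the uid/gid 65534 in main is an assumed placeholder for whatever unprivileged user a real server switches to. Note that CAP_AUDIT_WRITE (29) is a different capability from the audit_control one in the earlier denial (capability=30), so retaining only CAP_AUDIT_WRITE lets PAM write audit records without also keeping control over the audit subsystem.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdint.h>
#include <stdio.h>

/* Build a 64-bit bitmask from a list of CAP_* numbers (values outside 0..63 are ignored). */
uint64_t cap_mask(const int *caps, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 64)
            m |= (uint64_t)1 << caps[i];
    return m;
}

/* Non-zero if capability `cap` is set in mask m. */
int cap_in_mask(uint64_t m, int cap)
{
    return cap >= 0 && cap < 64 && (int)((m >> cap) & 1);
}

/* Read the calling process's permitted set with capget(2); needs no privilege. */
int read_permitted(uint64_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {{0, 0, 0}};
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    *out = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    return 0;
}

/* Switch from root to uid/gid while retaining exactly the capabilities in `keep`
 * (e.g. CAP_AUDIT_WRITE so PAM's audit_log_user_message() keeps working).
 * Returns 0 on success, -1 with errno set. */
int drop_root_keeping(uid_t uid, gid_t gid, uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    /* Without PR_SET_KEEPCAPS, setuid() to a non-zero uid empties the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* setuid() cleared the effective set; raise `keep` back and drop everything else
     * from permitted so the process cannot regain them later. */
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        uint32_t word = (uint32_t)(keep >> (32 * i));
        data[i].permitted = word;
        data[i].effective = word;
        data[i].inheritable = 0;
    }
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
    return 0;
}

int main(void)
{
    const int wanted[] = { CAP_AUDIT_WRITE };
    uint64_t keep = cap_mask(wanted, 1), have;

    if (geteuid() == 0) {
        /* 65534 is the conventional "nobody" uid/gid (assumed placeholder). */
        if (drop_root_keeping(65534, 65534, keep) < 0) {
            perror("drop_root_keeping");
            return 1;
        }
    }
    if (read_permitted(&have) < 0) {
        perror("capget");
        return 1;
    }
    printf("uid=%u permitted=0x%016llx CAP_AUDIT_WRITE %s\n", (unsigned)getuid(),
           (unsigned long long)have, cap_in_mask(have, CAP_AUDIT_WRITE) ? "kept" : "absent");
    return 0;
}
```

Run as root it ends up as uid 65534 with only CAP_AUDIT_WRITE permitted and effective; run unprivileged it just reports the current permitted set. The point to check in any daemon that does this is the third step: keeping capabilities across setuid() is only safe if the code then explicitly shrinks the set, otherwise the process keeps the full root capability set under a non-root uid.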

I passed the patch on to Matthias to see what he thinks; if all seems well, I'll forward it upstream too.
