selinux avc: denied issue
I just set up a web hosting server with SELinux in permissive mode, meaning it's unsecured but writing issues to the message log file. Once I have fixed all the avc: denied errors, I will put the server in 'enforce' mode. But here's the question. In /var/log/messages, I have the following error:
Apr 3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc: denied { search } for pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Now, how do I logically approach this? Does anybody have any tips of the trade?
Solution 1:
It looks as though you want FTP to be able to be used for normal users (who have content in /home).
There exists a boolean to resolve this problem. You can work this out by doing the following:
cat your_avc_txt.txt | audit2why
Which produces:
Apr 3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc: denied { search } for pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow ftp to read and write files in the user home directories
Allow access by executing:
# setsebool -P ftp_home_dir 1
Description:
Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
Allow access by executing:
# setsebool -P ftpd_full_access 1
This tells you which booleans control this behaviour and what they do. You should enable the boolean which is the most restrictive of the two, so in your case ftp_home_dir.
Solution 2:
The command below was the most user friendly. I just run audit2why on the whole audit.log:
/usr/bin/audit2why < /var/log/audit/audit.log
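Before enabling any boolean, it helps to see how many distinct source/target/class/permission combinations the log actually contains, since one policy decision usually covers many repeated lines. The following parser is an added example (not code from either answer above); it reads AVC denial lines in the format shown in the question and in audit.log, extracts the fields, and groups them by the types that policy rules key on. The sample log is constructed: the first line is the question's denial, the other two are made-up denials for the same vsftpd domain.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the denial from the question,
# lines 2 and 3 are invented denials for the same ftpd_t domain.
SAMPLE_LOG = """\
Apr 3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc: denied { search } for pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Apr 3 14:32:31 narf kernel: type=1400 audit(1365013106.102:4): avc: denied { read } for pid=1319 comm="vsftpd" name="user" dev=dm-2 ino=17 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
Apr 3 14:32:32 narf kernel: type=1400 audit(1365013107.500:5): avc: denied { search } for pid=1322 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(sorted(m.group("perms").split()))}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules are written against the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize_denials(log_text):
    """Count denials by (source type, target type, class, perms), so each
    distinct access is reviewed once rather than once per repeated log line."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}x {src} -> {tgt} {cls} {{ {' '.join(perms)} }}")
```

Each summary line is a single decision to make: feed one representative denial to audit2why to learn whether a boolean such as ftp_home_dir covers it, rather than working through every repeated entry.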