selinux avc: denied issue

I just set up a web hosting server with selinux in permissive mode, meaning it's unsecured but writing issues to the message log file. Once I have fixed all the avc: denied errors, I will put the server in 'enforce' mode. But here's the question. In /var/log/messages, I have the following error:

Apr  3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc:  denied  { search }  for  pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

Now, how do I logically approach this? Does anybody have any tips of the trade?


Solution 1:

It looks as though you want FTP to be able to be used for normal users (who have content in /home).

There exists a boolean to resolve this problem. You can work this out by doing the following:

cat your_avc_txt.txt | audit2why

Which produces:

Apr  3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc:  denied  { search } for  pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow ftp to read and write files in the user home directories

Allow access by executing:
# setsebool -P ftp_home_dir 1
Description:
Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

Allow access by executing:
# setsebool -P ftpd_full_access 1

This tells you which booleans control this behaviour and what they do. You should enable the boolean which is the most restrictive of the two, so in your case ftp_home_dir.

Solution 2:

The command below was the most user-friendly. I just audit2why the whole audit.log.

/usr/bin/audit2why < /var/log/audit/audit.log
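Before feeding a whole audit.log to audit2why (Solution 2) or deciding between the booleans it suggests (Solution 1), it helps to see which distinct denials the log actually contains. The following shell function is an added example, not code from either answer: it reduces each AVC line to (source domain, target type, object class, permissions) and counts repeats, so the noisiest denial is triaged first. The sample lines are constructed: the first is the question's denial, the second is an invented follow-on read of a file in a home directory.

```shell
#!/bin/sh
# Constructed sample input (two AVC denials from the ftpd_t domain).
AVC_SAMPLE='Apr  3 14:32:30 narf kernel: type=1400 audit(1365013105.731:3): avc:  denied  { search }  for  pid=1319 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Apr  3 14:32:31 narf kernel: type=1400 audit(1365013106.001:4): avc:  denied  { read } for  pid=1319 comm="vsftpd" name="index.html" dev=dm-2 ino=99 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_summary: read AVC lines on stdin (e.g. /var/log/messages or
# /var/log/audit/audit.log), keep only "denied" records, and print
# "<count> <source domain> <target type> <class> <permissions>",
# most frequent first. The sed expression picks the third field of
# scontext/tcontext (the type) and the permission set inside { }.
avc_summary() {
  grep 'avc:  *denied' | sed -n \
    -e 's/.*avc: *denied *{ *\([^}]*[^} ]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' \
  | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Usage on the constructed sample; on a real host pipe the log file in instead.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

Each output line names one policy question (here "may ftpd_t search home_root_t directories?"), which is exactly what audit2why answers with a boolean, so feeding one representative line per tuple to audit2why is enough.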