[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Allowing vsftpd access for user's home directory



On Thu, 2006-05-11 at 10:57 +0200, Thomas Bleher wrote:
> * Thomas Bleher <bleher informatik uni-muenchen de> [2006-05-11 09:16]:
> > * Ketut Mahaindra <kmahaindra axalto com> [2006-05-11 07:19]:
> > > - I have the following AVC error messages:
> > >   avc:  denied  { dac_override } for  pid=9099 comm="vsftpd" capability=1
> > > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > > tclass=capability
> > >   avc:  denied  { dac_read_search } for  pid=9099 comm="vsftpd" capability=2
> > > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > > tclass=capability  
> > 
> > This means that vsftpd can't access some files or directories because it
> > does not have DAC rights on it. Probably some home directory is mode
> > 0700. Either you change the rights on the directory or you allow the
> > capabilities as discussed in this thread.
> 
> BTW: Is there some way to get more information out of the kernel about
> which file is being accessed? This would be really helpful in debugging
> why an application needs dac_override.

If you have syscall auditing enabled, then a syscall audit record should
be emitted at syscall exit that includes the path data whenever an AVC
audit record was generated during the syscall processing.  

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]