Re: Allowing vsftpd access for user's home directory
- From: Stephen Smalley <sds tycho nsa gov>
- To: Thomas Bleher <bleher informatik uni-muenchen de>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Allowing vsftpd access for user's home directory
- Date: Thu, 11 May 2006 07:50:01 -0400

On Thu, 2006-05-11 at 10:57 +0200, Thomas Bleher wrote:
> * Thomas Bleher <bleher informatik uni-muenchen de> [2006-05-11 09:16]:
> > * Ketut Mahaindra <kmahaindra axalto com> [2006-05-11 07:19]:
> > > - I have the following AVC error messages:
> > > avc: denied { dac_override } for pid=9099 comm="vsftpd" capability=1
> > > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > > tclass=capability
> > > avc: denied { dac_read_search } for pid=9099 comm="vsftpd" capability=2
> > > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > > tclass=capability
> >
> > This means that vsftpd can't access some files or directories because it
> > does not have DAC rights on it. Probably some home directory is mode
> > 0700. Either you change the rights on the directory or you allow the
> > capabilities as discussed in this thread.
>
> BTW: Is there some way to get more information out of the kernel about
> which file is being accessed? This would be really helpful in debugging
> why an application needs dac_override.

If you have syscall auditing enabled, then a syscall audit record should
be emitted at syscall exit that includes the path data whenever an AVC
audit record was generated during the syscall processing.
--
Stephen Smalley
National Security Agency
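
The correlation described in the reply above, as an added example that is not part of the original message: records emitted for one syscall share the same `msg=audit(timestamp:serial)` id, so grouping on it ties each AVC denial to the PATH record for the file involved. The log lines are constructed samples; the path, inode, ids and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed records in audit.log layout; path, inode, ids and timestamps are made up.
SAMPLE_LOG = '''\
type=AVC msg=audit(1147348201.123:456): avc:  denied  { dac_override } for  pid=9099 comm="vsftpd" capability=1 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1147348201.123:456): arch=40000003 syscall=12 success=no exit=-13 items=1 pid=9099 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=PATH msg=audit(1147348201.123:456): item=0 name="/home/alice" inode=1234 mode=040700 ouid=500 ogid=500
type=AVC msg=audit(1147348202.500:457): avc:  denied  { dac_read_search } for  pid=9099 comm="vsftpd" capability=2 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=capability
'''

RECORD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")

def group_by_event(log_text):
    """Map each audit event id (timestamp:serial) to its (type, body) records."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m.group(2)].append((m.group(1), m.group(3)))
    return events

def denials_with_paths(log_text):
    """For every event holding an AVC denial, list the PATH records sharing its id."""
    out = []
    for event_id, records in group_by_event(log_text).items():
        avcs = [b for t, b in records if t == "AVC" and "denied" in b]
        if not avcs:
            continue
        paths = []
        for rtype, body in records:
            name = re.search(r'\bname="([^"]*)"', body) if rtype == "PATH" else None
            if name:  # hex-encoded or (null) names are skipped in this example
                mode = re.search(r"\bmode=([0-7]+)", body)
                bits = format(int(mode.group(1), 8) & 0o7777, "04o") if mode else None
                paths.append((name.group(1), bits))
        comm = re.search(r'comm="([^"]*)"', avcs[0])
        out.append({
            "event": event_id,
            "comm": comm.group(1) if comm else None,
            "perms": [p for b in avcs for p in re.findall(r"\{ ([^}]+?) \}", b)],
            "paths": paths,  # empty: no syscall/PATH record was logged for this event
        })
    return out

if __name__ == "__main__":
    for d in denials_with_paths(SAMPLE_LOG):
        print(d["event"], d["comm"], d["perms"], d["paths"] or "no PATH record")
```

An empty `paths` list for a denial, as in the second constructed event, means no PATH record accompanied it, which is what the log looks like when syscall auditing is not enabled.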