Allowing vsftpd access for user's home directory

Ketut Mahaindra kmahaindra at axalto.com
Thu May 11 09:34:30 UTC 2006


 
On the following problem:

# semodule -i local.pp
libsemanage.semanage_commit_sandbox: Could not remove previous backup
/etc/selinux/targeted/modules/previous.
semodule:  Failed!

-----

I found the following on this list April thread to temporarily fix the
issue:

Stephen Smalley wrote:
> Looks like the type isn't getting preserved
> on /etc/selinux/$SELINUXTYPE/modules/{active,previous} upon updates -
> they are reverting from semanage_store_t to selinux_config_t (the type
> on their parent directory).  We either need to put semanage_store_t
> on /etc/selinux/$SELINUXTYPE/modules as well or we need to make
> libsemanage preserve the types.
> 

Aurelien Bompard wrote:
> OK, so it's something to fix at the main policy level, right (I can't do
> anything about it) ?

Stephen Smalley wrote:
> Correct.  You can restorecon -R /etc/selinux/targeted to temporarily
> fix it, but it will keep reverting on each transaction.  chcon -t
> semanage_store_t /etc/selinux/targeted/modules may solve the problem
> with keeping the type on the active and previous subdirectories, but
> ultimately needs to be applied in the policy.  

-----

So, I did:
# restorecon -R /etc/selinux/targeted
# semodule -i local.pp

And I no longer have the failed message above.
This helps me to make a local policy module for ftpd access over
resources with type httpd_sys_content_t
(enabling ftp access over user web resources).

:)

-- 
Best regards,
 
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"
 

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Ketut Mahaindra
Sent: Thursday, May 11, 2006 4:47 PM
To: fedora-selinux-list at redhat.com
Subject: RE: Allowing vsftpd access for user's home directory

 
Hello,

Tried that as well, I am using ~/selinux/local
After the change by chcon

# ls -Z ~/selinux
drwxr-xr-x  root     root     user_u:object_r:usr_t            local

# ls -Z ~/selinux/local
-rw-r--r--  root     root     user_u:object_r:usr_t            local.mod
-rw-r--r--  root     root     user_u:object_r:usr_t            local.pp
-rw-r--r--  root     root     user_u:object_r:usr_t            local.te

# semodule -i local.pp
libsemanage.semanage_commit_sandbox: Could not remove previous backup
/etc/selinux/targeted/modules/previous.

In fact I have now solved the issue.
It involves enabling the boolean as you suggested before:

# setsebool -P ftp_home_dir 1
# setsebool -P ftpd_is_daemon 1

Plus, changing the corresponding user home directory ACL to be less
restrictive than 0700: 0700 -> 0755
(thanks to Thomas Bleher for the hint).

-- 
Best regards,
 
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"
 

-----Original Message-----
From: Paul Howarth
Sent: Thursday, May 11, 2006 2:53 PM
To: Ketut Mahaindra
Cc: fedora-selinux-list at redhat.com
Subject: RE: Allowing vsftpd access for user's home directory

On Thu, 2006-05-11 at 14:32 +0800, Ketut Mahaindra wrote:
> Hello,
> 
> I tried your suggestion in conjunction with the FC5 SELinux FAQ:
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2958106
> 
> So, I did the following
> # audit2allow -m local -l -i /var/log/audit/audit.log
> 
> Which gives me something like:
> 
> module local 1.0;
> require {
>         class capability { dac_override dac_read_search };
> 
>         type ftpd_t;
> };
> allow ftpd_t self:capability { dac_override dac_read_search };
> 
> So, naturally I want it to be inside a file for compilation.
> Then I did:
> 
> # audit2allow -m local -l -i /var/log/audit/audit.log > local.te
> # checkmodule -M -m -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
> 
> But, on that last step I get an error message "semodule:  Could not read
> file 'local.pp':"
> It's strange, because the file local.pp is created normally by the
> semodule_package command.
> 
> Did I miss anything?

Try this:

Move the files you've used for this process (the .te/.pp files etc.) to
a new, empty directory (I used /root/selinux.local) and change to that
directory. Then do:

# chcon -Rh -t usr_t .

Then try the semanage command again.

Paul.


--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
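The audit2allow output quoted in the thread is derived from AVC denial records in /var/log/audit/audit.log. As an added example that is not part of the thread, this Python script parses such records (the sample log lines below are constructed, not taken from the list) into the same module shape and lists the capability grants, dac_override and dac_read_search, that a reviewer should question before compiling and loading the module.

```python
import re
from collections import defaultdict

# Constructed AVC records (not from the thread) in the 2006 audit.log format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1147334567.123:45): avc:  denied  { dac_override } for  pid=2345 comm="vsftpd" capability=1 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1147334567.456:46): avc:  denied  { dac_read_search } for  pid=2345 comm="vsftpd" capability=2 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:system_r:ftpd_t:s0 tclass=capability
type=AVC msg=audit(1147334568.789:47): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="index.html" dev=sda2 ino=12345 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1147334568.789:47): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
                    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

# Capabilities that let a domain bypass DAC permission checks outright.
BROAD_CAPS = {"dac_override", "dac_read_search"}

def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(perms)} for each AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial to translate
        src = m.group("src").split(":")[2]          # user:role:TYPE:level -> TYPE
        tgt = m.group("tgt").split(":")[2]
        tgt = "self" if tgt == src else tgt         # audit2allow writes same-type targets as self
        rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return rules

def render_module(rules, name="local", version="1.0"):
    """Emit a .te module in the same shape as the audit2allow -m output in the thread."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update({src} if tgt == "self" else {src, tgt})
        classes[cls].update(perms)
    out = [f"module {name} {version};", "require {"]
    out += [f"        class {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out += [f"        type {t};" for t in sorted(types)]
    out.append("};")
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

def broad_capability_grants(rules):
    """List (domain, capability) pairs the module would grant that bypass DAC checks;
    the thread's final fix (ftp_home_dir boolean plus 0755 homes) avoids granting them."""
    return sorted((src, p) for (src, tgt, cls), perms in rules.items()
                  if cls == "capability" for p in perms if p in BROAD_CAPS)
```

Running parse_denials on the sample and feeding the result to render_module reproduces the `allow ftpd_t self:capability { dac_override dac_read_search };` rule from the thread plus a file rule for httpd_sys_content_t; broad_capability_grants shows which of those grants widen ftpd_t beyond what the boolean-based fix needs.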
