Allowing vsftpd access for user's home directory
Stephen Smalley
sds at tycho.nsa.gov
Thu May 11 11:50:01 UTC 2006
On Thu, 2006-05-11 at 10:57 +0200, Thomas Bleher wrote:
> * Thomas Bleher <bleher at informatik.uni-muenchen.de> [2006-05-11 09:16]:
> > * Ketut Mahaindra <kmahaindra at axalto.com> [2006-05-11 07:19]:
> > > - I have the following AVC error messages:
> > > avc: denied { dac_override } for pid=9099 comm="vsftpd" capability=1
> > > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > > tclass=capability
> > > avc: denied { dac_read_search } for pid=9099 comm="vsftpd" capability=2
> > > scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
> > > tclass=capability
> >
> > This means that vsftpd can't access some files or directories because it
> > does not have DAC rights on it. Probably some home directory is mode
> > 0700. Either you change the rights on the directory or you allow the
> > capabilities as discussed in this thread.
>
> BTW: Is there some way to get more information out of the kernel about
> which file is being accessed? This would be really helpful in debugging
> why an application needs dac_override.
If you have syscall auditing enabled, then a syscall audit record should
be emitted at syscall exit that includes the path data whenever an AVC
audit record was generated during the syscall processing.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list