Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1362716
Description of problem:
I'm seeing AVC denials when trying to ftp as an IPA user with vsftpd setup.

----
time->Tue Aug 2 18:52:25 2016
type=PATH msg=audit(1470181945.535:129): item=0 name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=CWD msg=audit(1470181945.535:129): cwd="/"
type=SYSCALL msg=audit(1470181945.535:129): arch=c000003e syscall=4 success=no exit=-13 a0=7f3511c17ee0 a1=7ffd35aabb30 a2=7ffd35aabb30 a3=7f3511e192c0 items=1 ppid=1716 pid=2109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1470181945.535:129): avc: denied { dac_read_search } for pid=2109 comm="vsftpd" capability=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:129): avc: denied { dac_override } for pid=2109 comm="vsftpd" capability=1 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
----
time->Tue Aug 2 18:52:25 2016
type=PATH msg=audit(1470181945.535:130): item=0 name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=CWD msg=audit(1470181945.535:130): cwd="/"
type=SYSCALL msg=audit(1470181945.535:130): arch=c000003e syscall=4 success=no exit=-13 a0=7f3511c17ee0 a1=7ffd35aabb30 a2=7ffd35aabb30 a3=7f3511e192c0 items=1 ppid=1716 pid=2109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1470181945.535:130): avc: denied { dac_read_search } for pid=2109 comm="vsftpd" capability=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:130): avc: denied { dac_override } for pid=2109 comm="vsftpd" capability=1 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64
sssd-1.14.0-10.el7.x86_64
selinux-policy-3.13.1-91.el7.noarch

How reproducible:

Steps to Reproduce:
1. ipa-server-install
2. ipa user-add ipauser
3. kinit ipauser # to set password
4. yum -y install ftp vsftpd; systemctl start vsftpd
5. ftp -inv $(hostname)
   > user ipauser <ipauser password>

Actual results:
AVC shown above

Expected results:
I wouldn't expect to see an AVC.

Additional info:
I'm not sure if this is an selinux-policy bug or something changed within SSSD. So, I'm starting with SSSD. If I add an actual local user, ftp works.

Permissions on the file in question:
[root@rhel7-1 ~]# ls -lZ /var/lib/sss/pipes/private/pam
srw-------. root root system_u:object_r:sssd_var_lib_t:s0 /var/lib/sss/pipes/private/pam
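An added triage example, not part of the original ticket and not SSSD or selinux-policy code: it groups audit records by event serial so each AVC denial is read together with the syscall and path that triggered it. The sample is event 129 from the report with the CWD record dropped and the SYSCALL record trimmed; the function name and the small syscall/errno tables are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: event 129 from the report, CWD dropped, SYSCALL trimmed to the fields used.
SAMPLE = """\
type=PATH msg=audit(1470181945.535:129): item=0 name="/var/lib/sss/pipes/private/pam" objtype=UNKNOWN
type=SYSCALL msg=audit(1470181945.535:129): arch=c000003e syscall=4 success=no exit=-13 uid=0 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1470181945.535:129): avc: denied { dac_read_search } for pid=2109 comm="vsftpd" capability=2 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1470181945.535:129): avc: denied { dac_override } for pid=2109 comm="vsftpd" capability=1 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
"""

HEADER = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'denied\s+\{ ([^}]*) \}')
X86_64_SYSCALLS = {2: "open", 4: "stat", 42: "connect"}  # partial table (arch=c000003e)
ERRNO = {1: "EPERM", 13: "EACCES"}                       # partial table

def summarize(log):
    """Return {event serial: summary}, merging PATH, SYSCALL and AVC records."""
    events = defaultdict(lambda: {"denied": [], "paths": []})
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # separators such as "----" and "time->..." lines
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        if rtype == "AVC":
            d = DENIED.search(body)
            if d:
                ev["denied"] += d.group(1).split()
                ev["source_type"] = fields["scontext"].split(":")[2]
                ev["tclass"] = fields["tclass"]
        elif rtype == "PATH":
            ev["paths"].append(fields["name"])
        elif rtype == "SYSCALL":
            ev["comm"] = fields["comm"]
            ev["syscall"] = X86_64_SYSCALLS.get(int(fields["syscall"]), fields["syscall"])
            ev["errno"] = ERRNO.get(-int(fields["exit"]), fields["exit"])
    return dict(events)

if __name__ == "__main__":
    for serial, ev in summarize(SAMPLE).items():
        print(f"event {serial}: {ev.get('comm')} {ev.get('syscall')}({ev['paths']}) -> "
              f"{ev.get('errno')}; {ev.get('source_type')} denied {ev['denied']}")
```
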
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => lslebodn
patch: 0 => 1
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0

milestone: NEEDS_TRIAGE => SSSD 1.14.2
resolution: => fixed
status: assigned => closed
Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.2
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4176
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.