
SELinux preventing /usr/sbin/proftpd access to /etc/selinux/targeted/logins #1658

Open
Mordecaine opened this issue Apr 21, 2023 · 2 comments

Comments

@Mordecaine commented Apr 21, 2023

What I Did

I installed proftpd from EPEL on a Red Hat 8.7 system.
I tried a login and got a login denied.

I checked the logs:

Apr 18 15:24:05 server-app05 setroubleshoot[2609252]: SELinux is preventing /usr/sbin/proftpd from search access on the directory /etc/selinux/targeted/logins. For complete SELinux messages run: sealert -l 09baf57a-81e2-49cb-adb2-600eb78bbdb1
Apr 18 15:24:05 server-app05 setroubleshoot[2609252]: SELinux is preventing /usr/sbin/proftpd from search access on the directory /etc/selinux/targeted/logins.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that proftpd should be allowed search access on the logins directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'proftpd' --raw | audit2allow -M my-proftpd
# semodule -X 300 -i my-proftpd.pp

Apr 18 15:24:06 server-app05 proftpd[2609235]: session[2609235] 172.16.2.5 (10.254.0.163[10.254.0.163]): mod_sftp_pam/0.3: PAM authentication error (7) for user 'mynamehere': Authentication failure
Apr 18 15:24:06 server-app05 proftpd[2609235]: session[2609235] 172.16.2.5 (10.254.0.163[10.254.0.163]): SSH2 session closed.
Apr 18 15:24:07 server-app05 setroubleshoot[2609252]: SELinux is preventing /usr/sbin/proftpd from read access on the file /etc/selinux/targeted/contexts/default_contexts. For complete SELinux messages run: sealert -l 1fed035e-a0b6-4ed0-bd5e-79f279d36a59
Apr 18 15:24:07 server-app05 setroubleshoot[2609252]: SELinux is preventing /usr/sbin/proftpd from read access on the file /etc/selinux/targeted/contexts/default_contexts.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that proftpd should be allowed read access on the default_contexts file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'proftpd' --raw | audit2allow -M my-proftpd
# semodule -X 300 -i my-proftpd.pp

Apr 18 15:24:07 server-app05 setroubleshoot[2609252]: SELinux is preventing /usr/sbin/proftpd from read access on the file /etc/selinux/targeted/contexts/failsafe_context. For complete SELinux messages run: sealert -l 1fed035e-a0b6-4ed0-bd5e-79f279d36a59
Apr 18 15:24:07 server-app05 setroubleshoot[2609252]: SELinux is preventing /usr/sbin/proftpd from read access on the file /etc/selinux/targeted/contexts/failsafe_context.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that proftpd should be allowed read access on the failsafe_context file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'proftpd' --raw | audit2allow -M my-proftpd
# semodule -X 300 -i my-proftpd.pp

What I Expected/Wanted

I want to login to the server

ProFTPD Version and Configuration

ProFTPD Version 1.3.6e

One special thing:
The server is joined with sssd to a Windows domain controller, and the user I use to log in is not local; it is a domain user.

I installed proftpd from EPEL:

dnf install proftpd

After that, I enabled SFTP:

# -i alone: GNU sed reads "-ir" as -i with the backup suffix "r", which leaves a
# stray /etc/proftpd/modules.confr behind and does not turn on extended regexes
sed -i 's/#[[:space:]]*LoadModule mod_sftp_pam.c/LoadModule mod_sftp_pam.c/g' /etc/proftpd/modules.conf
sed -i 's/#[[:space:]]*LoadModule mod_sftp.c/LoadModule mod_sftp.c/g' /etc/proftpd/modules.conf

I converted the SSH host key to PEM format:

cp ssh_host_rsa_key /etc/proftpd/
cd /etc/proftpd/
chmod 600 ssh_host_rsa_key
ssh-keygen -p -f /etc/proftpd/ssh_host_rsa_key -m PEM

I created an SFTP conf file:

ip=$(dig +short "$(hostname --fqdn)")
cat << EOL > /etc/proftpd/conf.d/sftp.conf
<VirtualHost $ip>
  # DefaultRoot ~ jailed-group
  <IfModule mod_sftp.c>
    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log
    TransferLog /var/log/proftpd/xferlog
    Port 2222
    SFTPHostKey /etc/proftpd/ssh_host_rsa_key
    SFTPAuthorizedUserKeys file:~/.ssh/authorized_keys
    SFTPCompression delayed
    MaxLoginAttempts 6

    SFTPClientMatch WinSCP|ClientSftp sftpProtocolVersion 1-3
    SFTPOptions IgnoreSCPUploadPerms

    AllowOverwrite on
  </IfModule>
</VirtualHost>
EOL
@Mordecaine changed the title from "SELinux preventing /usr/sbin/proftpd" to "SELinux preventing /usr/sbin/proftpd access to /etc/selinux/targeted/logins" on Apr 21, 2023
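The setroubleshoot "catchall" advice above pipes every recent AVC for proftpd straight into audit2allow and installs the result, which is how over-broad local modules get onto a host. The script below is an added example, not code from the issue or from the ProFTPD project: it does the same conversion from raw AVC records to a policy module source (.te), but stops before semodule so the rules can be reviewed first, and it runs offline with only POSIX sh and awk. The sample records are constructed to mirror the three denials in the issue; the source domain ftpd_t, the target types selinux_login_config_t and default_context_t, and the pid/dev/ino values are assumptions, not values taken from the reporter's system.

```shell
#!/bin/sh
# Added example (not from the issue or from ProFTPD): build a reviewable
# SELinux module source from raw AVC records, merging permissions per
# (source type, target type, class) the way audit2allow does.

# Constructed sample records modelled on the denials in the issue. ftpd_t,
# selinux_login_config_t, default_context_t and the pid/dev/ino numbers are
# assumptions. The sshd_t record is a decoy to show unrelated denials are skipped.
SAMPLE_AVC='type=AVC msg=audit(1681831445.101:4711): avc:  denied  { search } for  pid=2609235 comm="proftpd" name="logins" dev="dm-0" ino=1201 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1681831447.102:4712): avc:  denied  { read } for  pid=2609235 comm="proftpd" name="default_contexts" dev="dm-0" ino=1202 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=0
type=AVC msg=audit(1681831447.103:4713): avc:  denied  { read } for  pid=2609235 comm="proftpd" name="failsafe_context" dev="dm-0" ino=1203 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=0
type=AVC msg=audit(1681831447.104:4714): avc:  denied  { open } for  pid=2609235 comm="proftpd" path="/etc/selinux/targeted/contexts/default_contexts" dev="dm-0" ino=1202 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=0
type=AVC msg=audit(1681831450.105:4715): avc:  denied  { write } for  pid=99 comm="sshd" name="motd" dev="dm-0" ino=9 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# avc_to_te MODULE COMM < records
# Prints a .te for the denials whose comm= matches COMM. Output order follows
# first appearance in the input so the result is deterministic and diffable.
avc_to_te() {
    awk -v mod="$1" -v comm="$2" '
    function fmt(p,    n, a) {          # " read open" -> "{ read open }", " search" -> "search"
        sub(/^ +/, "", p)
        n = split(p, a, " ")
        return n == 1 ? a[1] : "{ " p " }"
    }
    function add(list, key, word) {     # append word to list[key] unless already present
        if (index(" " list[key] " ", " " word " ") == 0) list[key] = list[key] " " word
    }
    /avc:  denied/ && $0 ~ ("comm=\"" comm "\"") {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)            # words between the braces
        for (i = 1; i <= NF; i++) {                     # pull the key=value fields we need
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); st = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            else if (kv[1] == "tclass")   tc = kv[2]
        }
        key = st SUBSEP tt SUBSEP tc
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (!(st in tseen)) { tseen[st] = 1; tlist[++nt] = st }
        if (!(tt in tseen)) { tseen[tt] = 1; tlist[++nt] = tt }
        if (!(tc in cseen)) { cseen[tc] = 1; clist[++nc] = tc }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) { add(plist, key, p[j]); add(cperms, tc, p[j]) }
    }
    END {
        if (n == 0) { print "no AVC records for comm=" comm > "/dev/stderr"; exit 1 }
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", clist[i], fmt(cperms[clist[i]])
        printf "}\n\n"
        for (i = 1; i <= n; i++) {
            split(order[i], k, SUBSEP)
            printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], fmt(plist[order[i]])
        }
    }'
}

# sample_te: the module source for the constructed records above.
sample_te() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_te my-proftpd proftpd
}

# allow_rule_count: how many allow rules the module would add. Two read-only
# rules are easy to justify; a long list from a wide ausearch window is the
# signal to narrow the time range rather than install the module.
allow_rule_count() {
    sample_te | grep -c '^allow '
}

sample_te
```

On the affected host the same function takes real input: `ausearch -m AVC -c proftpd --raw | avc_to_te my-proftpd proftpd > my-proftpd.te`, then `checkmodule -M -m -o my-proftpd.mod my-proftpd.te && semodule_package -o my-proftpd.pp -m my-proftpd.mod` builds the package that `semodule -X 300 -i my-proftpd.pp` installs. Before trusting the ftpd_t assumption, confirm the domain the daemon actually runs in with `ps -eZ | grep proftpd`; a proftpd running unconfined would not produce these denials at all, and one running in a different domain needs that domain in the rules, not ftpd_t.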
@Castaglia (Member) commented

Since the ProFTPD project doesn't ship with any packages, or rules for SELinux, I'm assuming this issue is specific to some RPM. @pghmcfc would you happen to know more about this?

@pghmcfc (Contributor) commented Apr 21, 2023

This is reminiscent of #659; I have never been able to get public key auth working with SELinux in enforcing mode.
