Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 498375

Summary: Selinux prevents access to /var/run/proftpd.score
Product: [Fedora] Fedora EPEL Reporter: Christian Nolte <ch.nolte>
Component: proftpdAssignee: Paul Howarth <paul>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: el5CC: mastahnke, matthias, paul
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: ActualBug
Fixed In Version: 1.3.2a-5.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-22 22:25:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christian Nolte 2009-04-30 07:44:30 UTC
This is much rather a selinux problem, but I don't know how the policy for EPEL is to report these problems (should these be reported to RHEL5-selinux?), so I am reporting this here:

The default selinux context for proftd.score is:

system_u:object_r:var_run_t

It must be:

system_u:object_r:ftpd_var_run_t

# rpm -q selinux-policy
selinux-policy-2.4.6-203.el5

Comment 1 Paul Howarth 2009-05-12 06:44:51 UTC
Try changing ScoreboardFile in your proftpd.conf to
/var/run/proftpd/proftpd.score

Comment 2 Christian Nolte 2009-05-12 09:15:23 UTC
Yes this works, but a default installation of proftpd does use /var/proftpd/proftpd.scoreboard

If we want to get this to work out-of-the-box (TM) we should either

 - add "ScoreboardFile /var/run/proftpd/proftpd.score" to the default proftpd.conf

or

 - change the selinux context for the default proftpd.conf

Comment 3 Paul Howarth 2009-05-12 09:58:34 UTC
Fixing the ScoreboardFile config item is the easiest fix since that's something that's already in the config file (pointing to /var/run/proftpd.score).

Fixing the SELinux context would also require a type transition rule adding to policy to ensure that if a new scoreboard file got created, it would have the correct context type.

Comment 4 Paul Howarth 2009-06-26 14:29:20 UTC
Easiest fix is actually just to remove the ScoreboardFile config item from proftpd.conf altogether; the default value of /var/run/proftpd/proftpd.scoreboard is fine as far as SELinux is concerned.

I'll do this in the next release, which I'm working on now.

Comment 5 Fedora Update System 2009-08-03 15:44:55 UTC
proftpd-1.3.2a-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-2.el5

Comment 6 Fedora Update System 2009-08-04 02:27:16 UTC
proftpd-1.3.2a-2.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0175

Comment 7 Fedora Update System 2009-08-19 22:51:52 UTC
proftpd-1.3.2a-3.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-3.el5

Comment 8 Fedora Update System 2009-08-20 15:00:23 UTC
proftpd-1.3.2a-3.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0320

Comment 9 Fedora Update System 2009-09-02 11:05:41 UTC
proftpd-1.3.2a-4.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-4.el5

Comment 10 Fedora Update System 2009-09-02 20:54:16 UTC
proftpd-1.3.2a-4.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0382

Comment 11 Fedora Update System 2009-09-07 15:12:57 UTC
proftpd-1.3.2a-5.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-5.el5

Comment 12 Fedora Update System 2009-09-08 22:58:46 UTC
proftpd-1.3.2a-5.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update proftpd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0397

Comment 13 Fedora Update System 2009-09-22 22:25:17 UTC
proftpd-1.3.2a-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.