pure-ftpd auth blocked by SELinux

Tom van der Woerdt asked:

First, my setup. I’m using CentOS 6.4 and I installed pure-ftpd (plus the SELinux module) from the EPEL repositories :

> rpm -q pure-ftpd pure-ftpd-selinux

After struggling with getting this to work with SELinux properly, I tried setsebool‘ing a few things :

allow_ftpd_full_access --> on
ftp_home_dir --> on
ftpd_use_passive_mode --> on

The context in which pure-ftpd is running (as root.root) :

system_u:system_r:ftpd_t:s0-s0:c0.c1023 25196 ? Ss    0:00 pure-ftpd (SERVER)

Now, the problem. For some unknown reason, SELinux denies login attempts without logging at all to /var/log/audit/audit.log. pure-ftpd logs this (in -d -d mode) :

Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [INFO] New connection from <my_ip>
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 220-You are user number 1 of 50 allowed.
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 220-Local time is now 17:53. Server port: 21.
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 220-This is a private system - No anonymous login
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 220-IPv6 connections are also welcome on this server.
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 220 You will be disconnected after 15 minutes of inactivity.
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] Command [auth] [TLS]
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 234 AUTH TLS OK.
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] Command [user] [admin]
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 331 User admin OK. Password required
Jul 10 17:53:39 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] Command [pass] [<*>]
Jul 10 17:53:42 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 530 Login authentication failed
Jul 10 17:53:42 <hostname> pure-ftpd: (?@<my_ip>) [WARNING] Authentication failed for user [admin]
Jul 10 17:53:42 <hostname> pure-ftpd: (?@<my_ip>) [INFO] Logout.
Jul 10 17:53:42 <hostname> pure-ftpd: (?@<my_ip>) [DEBUG] 530 Logout.

When I setenforce 0, the login suddenly works perfectly fine. When I then setenforce 1 again and reconnect, it won’t let me login.

Again: auditd doesn’t log anything and the pure-ftpd logs are useless. /var/log/secure also stays empty and tail -f /var/log/* only shows the syslog messages I pasted above.

For completeness, he’s my pure-ftpd.conf:

# Core
Daemonize                   yes
#PassivePortRange           35000 35999
ProhibitDotFilesWrite       no
ProhibitDotFilesRead        no

# Security
#ChrootEveryone             yes
NoAnonymous                 yes
UnixAuthentication          yes
MinUID                      499
UseFtpUsers                 no
#TLS                        2
VerboseLog                  yes
VerboseLog                  yes

# Logging
SyslogFacility              local5
AltLog                      clf:/var/log/pureftpd.log

# Performance
DontResolve                 yes
MaxIdleTime                 15
LimitRecursion              10000 8
MaxLoad                     4
MaxDiskUsage                99

# Customer happy
CustomerProof               yes
NoTruncate                  yes
#AllowUserFXP               yes

Your help would be very much appreciated.

My answer:

A number of SELinux policies are flagged dontaudit so that they do not leave messages in the audit log. This is usually because they are policies that would just spam the log with useless entries, but sometimes developers dontaudit a denial rather than fixing the underlying problem. The policy you’re hitting is almost certainly among these, since you aren’t seeing any messages being logged in audit.log.

You can temporarily disable dontaudit by running:

semodule -DB

After you’ve discovered the cause of the problem, re-enable dontaudit with:

semodule -B

To build your policy once you’ve generated it, run:

make -f /usr/share/selinux/devel/Makefile

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.