proftpd is accessing my.cnf

GioMac asked:

I use proftpd for virtual FTP hosting with MySQL.

I’ve started writing fine-grained SELinux policies and found that it’s trying to access my.cnf files.

Question is what for and why?

type=AVC msg=audit(1378191337.059:153431): avc:  denied  { getattr } for  pid= comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { read } for  pid=50590 comm="proftpd" name="my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { open } for  pid=50590 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file

Output of ps auxwf|grep 50590 is empty now – process doesn’t exist anymore. Looks like it’s trying to do that on every login attempt.

Update:
Filed bug/feature request, patch submitted by developer:
http://bugs.proftpd.org/show_bug.cgi?id=3971

My answer:

MySQL clients which link against libmysqlclient read global options from the [client] section of /etc/my.cnf. This is a typical behavior for such clients, and ProFTPD is such a client when you use its MySQL module.

The SELinux boolean ftpd_full_access will allow this access, but it also effectively disables SELinux for the entire FTP daemon’s operations, so it should not be used without extreme caution.

If it were me, I would file a feature request against selinux-policy requesting that a boolean to allow this access be added, or perhaps to add it to the ftpd_connect_db boolean.
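As an added example (not from the post, ProFTPD or the selinux-policy project), the following Python does by hand what audit2allow does with the three AVC records quoted above, so the exact grant can be reviewed before anything is loaded: it merges the denials into one allow rule and renders a minimal .te module that permits ftpd_t to read mysqld_etc_t, which is a far narrower change than flipping ftpd_full_access. The module name proftpd_mycnf is a constructed placeholder.

```python
"""Derive the minimal SELinux allow rules implied by a set of AVC denials."""
import re
from collections import defaultdict

# The three AVC records from the question, embedded as sample input
# (the blank pid= on the first line is in the original too).
SAMPLE_AVC = """\
type=AVC msg=audit(1378191337.059:153431): avc:  denied  { getattr } for  pid= comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { read } for  pid=50590 comm="proftpd" name="my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { open } for  pid=50590 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
"""

# Pull the denied permissions, both security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """user:role:type[:range] -> type (the part policy rules refer to)."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]

def policy_module(text, name="proftpd_mycnf"):
    """Render a minimal .te module: require block plus the merged allow rules."""
    rows = list(parse_denials(text))
    types = sorted({t for src, tgt, _, _ in rows for t in (src, tgt)})
    classes = defaultdict(set)
    for _, _, cls, perms in rows:
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(text)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(policy_module(SAMPLE_AVC))
```

The rendered module is the same shape audit2allow -M produces; build and load it with the usual checkmodule -M -m, semodule_package and semodule -i steps only after confirming the single allow line is all it grants.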

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.