I want to set up a user to be jailed to a specific home directory, but
SELinux seems to be the problem. If I turn it off, no problem. I ran
audit2allow and installed the module, now there are no AVC denials, but
proftpd still complains "directory /home/attvoicetone is not accessible"

Here is some more info ...

POLICY MODULE

module proftpd 1.0;

require {
type unconfined_t;
type var_run_t;
type home_root_t;
type var_t;
type user_home_dir_t;
type ftpd_t;
type user_home_t;
type xferlog_t;
class dir { write getattr read search };
class file { write read getattr append };
class key search;
}

#============= ftpd_t ==============
allow ftpd_t home_root_t:dir { getattr search };
allow ftpd_t unconfined_t:key search;
allow ftpd_t user_home_dir_t:dir read;
allow ftpd_t user_home_t:dir { read getattr search };
allow ftpd_t user_home_t:file { read getattr };
allow ftpd_t var_run_t:file write;
allow ftpd_t var_t:file append;
allow ftpd_t xferlog_t:dir write;


[root@voicetone2 selinux.local]# ls -dZ /home
drwxr-xr-x root root system_ubject_r:home_root_t /home
[root@voicetone2 selinux.local]# ls -Z /home
drwxrwxrwx attvoicetone attvoicetone user_ubject_r:user_home_dir_t
attvoicetone

client message:

ftp> user
(username) ftpuser
331 Anonymous login ok, send your complete email address as your
password
Password:
530-Unable to set anonymous privileges.
530 Login incorrect.
Login failed.


The entries in /var/log/messages are:

Oct 22 16:03:57 voicetone2 proftpd[11956]: voicetone2
(::ffff:172.19.5.211[::ffff:172.19.5.211]) - ftpuser: Directory
/home/attvoicetone/ is not accessible.

The proftpd.config file contents:

# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off

# Use this to excude users from the chroot
DefaultRoot ~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# Default to show dot files in directory listings
ListOptions "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Disable sendfile by default since it breaks displaying the download
speeds in
# ftptop and ftpwho
UseSendfile no

# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score

# Normally, we want users to do a few things.

AllowOverwrite yes

AllowAll

SyslogLevel debug


# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
##TLSRenegotiate ctrl 3600 data 512000 required off
timeout 300
#TLSLog /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#
# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c
#


# A basic anonymous configuration, with an upload directory.


#INSERTED TO DEBUG ISSUE
Trace ALL:9
TraceLog /var/log/proftpd/trace.log

# SETUP FOR ftpuser

User ftpuser
Group ftp
# We want clients to be able to login with "anonymous" as well as
"ftp"
# UserAlias anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients 5

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot
#
# DenyAll
#


DefaultChdir /home/attvoicetone/



Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_dso.c
mod_readme.c
mod_auth_pam.c
mod_tls.c
mod_cap.c
mod_ctrls.c

Version Info:
- ProFTPD Version: 1.3.1 (stable)
- Scoreboard Version: 01040002
- Built: Sat Oct 6 21:20:37 CEST 2007
- Module: mod_core.c
- Module: mod_xfer.c
- Module: mod_auth_unix.c
- Module: mod_auth_file/0.8.3
- Module: mod_auth.c
- Module: mod_ls.c
- Module: mod_log.c
- Module: mod_site.c
- Module: mod_delay/0.6
- Module: mod_dso/0.4
- Module: mod_readme.c
- Module: mod_auth_pam/1.0.1
- Module: mod_tls/2.1.2
- Module: mod_cap/1.0
- Module: mod_ctrls/0.9.4

I am running CentOS release 5.2 (Final).

I have verified the user and group, I have validated the directory
exists and is currently set with 777 permissions.

Could someone please steer me in the right direction?

Thanks,
Rich


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.p...r_id=100&url=/
_______________________________________________
ProFTPD Users List
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html