proftpd tries to open a local UDP socket but is blocked by SELinux


Why is proftpd trying to open a large number of random UDP sockets? Is this normal behaviour? The audit log is flooded with these messages.

I enabled these:

setsebool -P ftpd_connect_all_unreserved 1
setsebool -P ftpd_use_passive_mode=1
setsebool -P ftpd_full_access=1

Apart from that, everything seems to be working fine. No configuration errors or anything like that.


SELinux is preventing /usr/sbin/proftpd from name_bind access on the udp_socket port 27938.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that proftpd should be allowed name_bind access on the port 27938 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'proftpd' --raw | audit2allow -M my-proftpd
# semodule -X 300 -i my-proftpd.pp


Additional Information:
Source Context                system_u:system_r:ftpd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 27938 [ udp_socket ]
Source                        proftpd
Source Path                   /usr/sbin/proftpd
Port                          27938
Host                          <Unknown>
Source RPM Packages           proftpd-1.3.6e-4.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ftphostname
Platform                      Linux ftphostname 4.18.0-305.19.1.el8_4.x86_64
                              #1 SMP Wed Sep 15 11:28:53 EDT 2021 x86_64 x86_64
Alert Count                   14
First Seen                    2021-10-01 14:44:19 CEST
Last Seen                     2021-10-01 14:44:19 CEST
Local ID                      d1a84414-7ba1-4756-a6b7-c1c399deacf1

Raw Audit Messages
type=AVC msg=audit(1633092259.49:1972228): avc:  denied  { name_bind } for  pid=49365 comm="proftpd" src=27938 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


type=SYSCALL msg=audit(1633092259.49:1972228): arch=x86_64 syscall=bind success=no exit=EACCES a0=11 a1=7f9b666cbcd0 a2=10 a3=fffffffffffffaf4 items=0 ppid=48153 pid=49365 auid=4294967295 uid=0 gid=65534 euid=65534 suid=0 fsuid=65534 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm=proftpd exe=/usr/sbin/proftpd subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=bind AUID=unset UID=root GID=nobody EUID=nobody SUID=root FSUID=nobody EGID=nobody SGID=nobody FSGID=nobody

Hash: proftpd,ftpd_t,unreserved_port_t,udp_socket,name_bind

Answer 1

setsebool -P nis_enabled 1

The problem has gone away.
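The 14 alerts in the question differ only in the bound port, which is why sealert folds them into a single "Hash:" signature. The script below, an added example that is not part of the question or the answer, reduces each AVC line to that same comm/source type/target type/class/permission tuple and counts how many denials share it; the three sample lines are constructed, modelled on the one in the question, so it runs offline without auditd.

```shell
#!/bin/sh
# Constructed sample AVC lines (not real log data), modelled on the denial
# in the question: same contexts and class, only the src port varies.
AVC_SAMPLE='type=AVC msg=audit(1633092259.49:1972228): avc:  denied  { name_bind } for  pid=49365 comm="proftpd" src=27938 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1633092260.12:1972230): avc:  denied  { name_bind } for  pid=49366 comm="proftpd" src=41002 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1633092261.70:1972233): avc:  denied  { name_bind } for  pid=49367 comm="proftpd" src=53817 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0'

# avc_signature LINE
# Prints "comm,source_type,target_type,tclass,permission", the same tuple
# sealert shows as "Hash:", dropping the per-event pid and port.
avc_signature() {
    printf '%s\n' "$1" | awk '{
        perm = ""; comm = ""; st = ""; tt = ""; tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)                      # "{ name_bind }"
            else if ($i ~ /^comm=/) { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            else if ($i ~ /^scontext=/) { st = $i; sub(/^scontext=/, "", st); split(st, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { tt = $i; sub(/^tcontext=/, "", tt); split(tt, b, ":"); tt = b[3] }
            else if ($i ~ /^tclass=/) { tc = $i; sub(/^tclass=/, "", tc) }
        }
        printf "%s,%s,%s,%s,%s\n", comm, st, tt, tc, perm
    }'
}

# count_signatures
# Reads the sample (swap in: ausearch -m AVC --raw) and prints "COUNT SIGNATURE"
# per distinct tuple, so a flood of random-port denials collapses to one line.
count_signatures() {
    printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
        avc_signature "$line"
    done | sort | uniq -c | sed 's/^ *//'
}

count_signatures
```

One output line with a count of 3 means one policy decision (here, the `nis_enabled` boolean from the answer) covers every port seen, rather than a rule per port.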
