Symptoms
- Unable to connect to FTP. The following error is displayed:
    530 Login incorrect. Login failed. 421 Service not available, remote server has closed connection
- SELinux is running in enforcing mode.
- SELinux policy Plesk component is installed.
- In /var/log/messages the following error can be seen:
    chroot to '/var/www/vhosts/example.com' failed for user 'user': Permission denied error: unable to set DefaultRoot directory FTP session closed.
- In /var/log/audit/audit.log the following error can be seen:
    type=AVC msg=audit(1482428585.108:134): avc: denied { net_admin } for pid=2652 comm="in.proftpd" capability=12 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Cause
SELinux is preventing ProFTPD from using the 'net_admin' capability.
Resolution
- Install the setroubleshoot-server package:
    # yum install setroubleshoot-server
- Restart the audit daemon:
    # service auditd restart
- Run the following command to find the sealert UUID:
    # cat /var/log/messages | grep "/usr/sbin/proftpd" | grep 'sealert'
    ser129 setroubleshoot: SELinux is preventing /usr/sbin/proftpd from using the net_admin capability. For complete SELinux messages. run sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a
- Run the command found in the previous step:
    # sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a
    Plugin catchall (100. confidence) suggests
    You can generate a local policy module to allow this access.
    To allow this access for now by executing:
    ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
    semodule -i my-inproftpd.pp
- Follow the instructions from the previous step to solve the issue:
    # ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
    # semodule -i my-inproftpd.pp
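Because `ausearch -c 'in.proftpd' --raw` hands every recorded denial for that command to audit2allow, not only the net_admin one, it is worth listing what the module would allow before installing it. The script below is an added example, not part of the original article: `avc_rules`, `module_scope_ok` and `sample_audit_log` are hypothetical helper names, and the second and third sample records are constructed.

```shell
#!/usr/bin/env bash
# Added example: list the allow rules implied by AVC denials for one command,
# so a local module's scope can be reviewed before `semodule -i`.
# Simplified rendering (one permission per line), not audit2allow's exact output.

# Sample input. Record 1 is the denial quoted in the article; records 2 and 3
# are constructed to show unrelated denials ending up in the same search.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1482428585.108:134): avc: denied { net_admin } for pid=2652 comm="in.proftpd" capability=12 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1482428590.221:140): avc: denied { read write } for pid=2652 comm="in.proftpd" name="data.db" dev="sda1" ino=1234 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1482428600.001:150): avc: denied { getattr } for pid=3001 comm="httpd" path="/srv/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Usage: ausearch -c 'in.proftpd' --raw | avc_rules in.proftpd
avc_rules() {
    awk -v want="$1" '
    /avc: +denied/ {
        comm = src = tgt = cls = perms = ""
        # Permissions are the words between "{ " and " }".
        if (match($0, /[{] [^}]*[}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # SELinux type is field 3
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (comm != want || perms == "" || src == "" || cls == "") next
        if (tgt == src) tgt = "self"   # same source and target type
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print "allow " src " " tgt ":" cls " " p[j] ";"
    }' | sort -u
}

# Succeeds only if the denials reduce to the single rule this article is about.
module_scope_ok() {
    [ "$(avc_rules "$1")" = "allow ftpd_t self:capability net_admin;" ]
}

sample_audit_log | avc_rules in.proftpd
```

`audit2allow -M my-inproftpd` also writes `my-inproftpd.te` next to the `.pp` file; that file holds the rules that will actually be loaded and can be read the same way before running `semodule -i`.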