Hi all,
In current selinux-policy we have two booleans related to ftp
active/passive mode communication. Both of these booleans are turned off
by default.
ftpd_use_passive_mode (off , off)
ftpd_connect_all_unreserved (off , off)
In this situation, ftp daemon cannot start without changing one of this
booleans.
I suggest enabling "ftpd_connect_all_unreserved" boolean by default.
Your ideas?
Thank you for discussion.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
> Hi all,
>
> In current selinux-policy we have two booleans related to ftp
> active/passive mode communication. Both of these booleans are turned off
> by default.
> ftpd_use_passive_mode (off , off)
> ftpd_connect_all_unreserved (off , off)
>
> In this situation, ftp daemon cannot start without changing one of this
> booleans.
>
> I suggest enabling "ftpd_connect_all_unreserved" boolean by default.
>
> Your ideas?
>
>
> Thank you for discussion.
It sounds like there may be some port labeling problems. The passive
mode Boolean allows TCP binding on all unreserved ports and the
connect_all allows TCP connecting to all unreserved ports. (unreserved
ports means 1024-65535 that are not otherwise labeled)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>> Hi all,
>>
>> In current selinux-policy we have two booleans related to ftp
>> active/passive mode communication. Both of these booleans are
>> turned off by default. ftpd_use_passive_mode (off ,
>> off) ftpd_connect_all_unreserved (off , off)
>>
>> In this situation, ftp daemon cannot start without changing one
>> of this booleans.
>>
>> I suggest enabling "ftpd_connect_all_unreserved" boolean by
>> default.
>>
>> Your ideas?
>>
>>
>> Thank you for discussion.
>
> It sounds like there may be some port labeling problems. The
> passive mode Boolean allows TCP binding on all unreserved ports and
> the connect_all allows TCP connecting to all unreserved ports.
> (unreserved ports means 1024-65535 that are not otherwise labeled)
>
Might be related to fedoras' ephemeral_port_t?
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW4X+KAAoJECV0jlU3+UdpGvkMAICRq2Eplf/NLkd/BL/DdyNQ
Ll7UHdacQhEHJVeT2xmCIgZ1zXJO1yeRKW6kwpiREF/Wdw41tb7rhnNZWWaw69rI
jGz64dX+eoeNAmGWJHLFnOU9+l2B8mt+Qz//qASTxeRoTwGBFeLJwtuq8CJBTVX/
CjTNqPAXq9Z0+5rMrkpgoW1hXHjhVziY2D0zrG1s9hA/eYDfIrmCX7F/bO7U53fv
vW7/CV8wSlQX6HVJmF7Q1XiqT3fPCdnhIUnskcJaHGgBLu6c78h1sUUUcOb3qMMO
uK/SQFcBbIkO0e9PCbKzMc7xhpWbyvvmougbGQvrAvjPYwE/zE8IOkYTHt7oTcoq
K3EfkhuRcVU2c8sf2rvIVZ/aRgRy9s4igmM9jQIChhNzYL0v9Z1F/GzFfCu4esQS
kUqoChoQfhvRkcH7sMfiQ5Deu9Gj3SYr8EJD80uNlJ2/psSiplWbZmSt+Cb245L8
jbqvEkcTrysi+jv8LvMGERbFBiMDJiingS1wQWn9wg==
=DCWQ
-----END PGP SIGNATURE-----
On 3/10/2016 9:07 AM, Dominick Grift wrote:
> On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
>> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>>> Hi all,
>>>
>>> In current selinux-policy we have two booleans related to ftp
>>> active/passive mode communication. Both of these booleans are
>>> turned off by default. ftpd_use_passive_mode (off ,
>>> off) ftpd_connect_all_unreserved (off , off)
>>>
>>> In this situation, ftp daemon cannot start without changing one
>>> of this booleans.
>>>
>>> I suggest enabling "ftpd_connect_all_unreserved" boolean by
>>> default.
>>>
>>> Your ideas?
>>>
>>>
>>> Thank you for discussion.
>
>> It sounds like there may be some port labeling problems. The
>> passive mode Boolean allows TCP binding on all unreserved ports and
>> the connect_all allows TCP connecting to all unreserved ports.
>> (unreserved ports means 1024-65535 that are not otherwise labeled)
>
>
> Might be related to fedoras' ephemeral_port_t?
That's a good point. I'm looking at refpolicy.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 03/10/2016 03:08 PM, Christopher J. PeBenito wrote:
> On 3/10/2016 9:07 AM, Dominick Grift wrote:
>> On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
>>> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>>>> Hi all,
>>>>
>>>> In current selinux-policy we have two booleans related to ftp
>>>> active/passive mode communication. Both of these booleans
>>>> are turned off by default. ftpd_use_passive_mode
>>>> (off , off) ftpd_connect_all_unreserved (off , off)
>>>>
>>>> In this situation, ftp daemon cannot start without changing
>>>> one of this booleans.
>>>>
>>>> I suggest enabling "ftpd_connect_all_unreserved" boolean by
>>>> default.
>>>>
>>>> Your ideas?
>>>>
>>>>
>>>> Thank you for discussion.
>>
>>> It sounds like there may be some port labeling problems. The
>>> passive mode Boolean allows TCP binding on all unreserved ports
>>> and the connect_all allows TCP connecting to all unreserved
>>> ports. (unreserved ports means 1024-65535 that are not
>>> otherwise labeled)
>>
>>
>> Might be related to fedoras' ephemeral_port_t?
>
> That's a good point. I'm looking at refpolicy.
>
I think, but i am not sure that at anything one of the two booleans
must be set. passive mode requires binding , active mode requires
connecting. The problem is that it could be either any time. So i
think it would be reasonable to leave both off just to make no
assumptions.
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW4ZARAAoJECV0jlU3+Udp5U4L/R/LUK3YcL3IVX8mAwUrtPyx
UFWYI5+/hLUzgYEMbiyobps/n63mgQCBArPDQsCdr6iqBwSKzFVIZm8pfzkUayRP
bPf+MJVmeSHQp/pMim3WxUy8em7TsS8Y4SbtD3Sq3pTST7KeCjtN7+kcLcrZJAVz
rm5DIlamB9wu/J1wDDg+8NWyjLC8mYaWAtPvC/SyjI2aCHIHjt5oFo256v8s7w8h
9oVh/hLsDFtmneWeTL0yXQqLlGwrtq6iEwxJeL8WGAsn652C/7soOgZVQC8rIiW1
LZleSJ1ZAThACJD6vF5A9F19WVSLLOfyuwa+3mbsGIxtU61jDgNTZHkqIipaMgg8
0OJbe2lbZOc3hO23BY+u+E5g0xjgQZGf6p7r7LsuXWUpYGLhNlBkjC8U4dnZa5IJ
vnFLMdq8ulxlVAZoUT6x0FQGNm/0ZQ/YPrCiaExBFG68aG+TYbkzDh8Mp6QrDs73
6C6BNdSWDQAVArTTR+Z7yIR2CqIDlc4aAETp6kF53A==
=sW2f
-----END PGP SIGNATURE-----