Took some already made profile and improved upon it. It works with denying, but I still have not understood where my error was.
New profile looks like this, only difference is that this profile does not use abstractions/lxc/container-base, but there is nothing there allowing writing to /tmp for example, or reading random files from /etc.
Code:
# Last Modified: Wed Apr 26 00:39:00 2017
#include <tunables/global>

/usr/sbin/vsftpd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Capabilities granted to the daemon
  capability audit_write,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,

  # System and vsftpd configuration files, read-only
  /dev/urandom r,
  /etc/fstab r,
  /etc/ftpusers r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mtab r,
  /etc/shells r,
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /home/*/ r,

  # The vsftpd binary itself
  /usr/sbin/vsftpd mrix,

  # Log files, write-only
  /var/log/vsftpd.log w,
  /var/log/xferlog w,

  # Home directories: list the top level, read/write/link inside each home
  @{HOMEDIRS} r,
  @{HOME}/** rwl,
}
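
To cross-check which of the profile's explicit file rules cover a given path, such as /tmp or a file under /etc, here is an added example that is not part of the original post. The function names, the tunable values (taken to be the usual tunables/home defaults) and the simplified glob model are assumptions, and rules coming from the included abstractions are not modelled.

```python
import re

# File rules copied from the profile in the post. Rules pulled in by the
# #include'd abstractions are not modelled: explicit rules only.
RULES = """
/dev/urandom r, /etc/fstab r, /etc/ftpusers r, /etc/hosts.allow r,
/etc/hosts.deny r, /etc/mtab r, /etc/shells r, /etc/vsftpd.* r,
/etc/vsftpd/* r, /home/*/ r, /usr/sbin/vsftpd mrix,
/var/log/vsftpd.log w, /var/log/xferlog w, @{HOMEDIRS} r, @{HOME}/** rwl,
"""

# Assumed values, the usual tunables/home defaults; check your own system.
TUNABLES = {"@{HOMEDIRS}": ["/home/"], "@{HOME}": ["/home/*/", "/root/"]}

def expand(pattern):
    """Substitute tunables and collapse the doubled slashes that result."""
    globs = [pattern]
    for var, values in TUNABLES.items():
        if var in pattern:
            globs = [g.replace(var, v) for g in globs for v in values]
    return [re.sub(r"/+", "/", g) for g in globs]

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stays inside one path component,
    '**' crosses '/', and either needs one character when it follows '/'."""
    rx, i = "", 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            rx += "[^/].*" if after_slash else ".*"
            i += 2
        elif glob[i] == "*":
            rx += "[^/]+" if after_slash else "[^/]*"
            i += 1
        else:
            rx += re.escape(glob[i])
            i += 1
    return re.compile(rx + r"\Z", re.S)

def granted(path):
    """Union of the permissions every matching explicit rule gives `path`."""
    perms = set()
    for pattern, mode in re.findall(r"(\S+)\s+([a-z]+),", RULES):
        if any(glob_to_regex(g).match(path) for g in expand(pattern)):
            perms |= set(mode)
    return perms

if __name__ == "__main__":
    for p in ("/tmp/test.txt", "/etc/vsftpd.conf", "/home/alice/pub/a.bin"):
        print(p, "".join(sorted(granted(p))) or "no explicit rule")
```

An empty result only means no explicit rule matches; anything granted by abstractions/base, abstractions/authentication or abstractions/nameservice has to be checked in those files separately.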