allowing tftpd to make pxe functional

Stephen Smalley sds at tycho.nsa.gov
Wed May 9 20:13:04 UTC 2007


On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
> I'm currently testing the latest rawhide build (F7), and I need help in
> allowing tftpd traffic (for PXE functionality).
> My previous workaround solution was:
>     setsebool -P tftpd_disable_trans=1
> But this is no longer allowed under rawhide (F7). I tried running
> system-config-selinux to search for any entry on tftp or tftpd, but
> found none. Any other suggestion/workaround without disabling selinux?

You can use audit2allow to create a policy module to allow the access
and add it, e.g.
	audit2allow -a -M local
	semodule -i local.pp

> 
> Here is the output from Selinux troubleshooter:
> 
> Summary
>     SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to /
>     (rsync_data_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/sbin/in.tftpd. It is not
>     expected that this access is required by /usr/sbin/in.tftpd and this
>     access may signal an intrusion attempt. It is also possible that the
>     specific version or configuration of the application is causing it to
>     require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for /, restorecon -v / If this
>     does not work, there is currently no automatic way to allow this access.
>     Instead, you can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
>     disable SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information        
> 
> Source Context                user_u:system_r:tftpd_t
> Target Context                system_u:object_r:rsync_data_t
> Target Objects                / [ dir ]
> Affected RPM Packages         tftp-server-0.42-4
>                               [application]filesystem-2.4.6-1.fc7 [target]
> Policy RPM                    selinux-policy-2.6.1-1.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     fiji3
> Platform                      Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26
>                               10:17:55 EDT 2007 x86_64 x86_64
> Alert Count                   20
> First Seen                    Wed 09 May 2007 02:18:14 PM EDT
> Last Seen                     Wed 09 May 2007 02:42:14 PM EDT
> Local ID                      736e2428-de9a-469b-8b77-92bce3a8eacd
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0
> exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
> pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0
> subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
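The reply above gives the two commands and leaves the rest to audit2allow. As an added example that is not part of the thread, the POSIX sh below does for the one AVC record quoted in the alert what audit2allow does in bulk: it pulls the source type, target type, object class and permission set out of the record, wraps them in a .te module with its require block, and then runs the checkmodule / semodule_package / semodule steps that "audit2allow -M local" and "semodule -i local.pp" hide. The AVC line and the module name "local" come from the thread; the function names, the temp-directory handling and the label check are this example's own. The check is worth running before loading anything: the denial is a "search" on / labeled rsync_data_t, and in the targeted policy the root directory is normally root_t, so the alert's own "restorecon -v /" advice is aimed at a mislabeling, whereas a generated allow rule would instead let tftpd_t into every rsync_data_t directory on the box.

```shell
#!/bin/sh
# Added example, not code from the thread or from audit2allow itself: a
# minimal audit2allow-style translator for one AVC denial, plus the module
# build/load steps. Needs only sh, sed and cut; the SELinux tools are used
# only where present, so it also runs on a host without SELinux.

# Constructed input: the raw AVC record from the alert above, joined onto one line.
AVC='avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0'

# avc_field <key> <line>: value of one key=value pair in an AVC record.
# The leading space keeps "scontext=" from matching inside "tcontext=".
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# avc_perms <line>: the permission list between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type <context>: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow <line>: the TE allow rule that would satisfy this denial.
# Fails (returns 1) when the line is not a complete AVC record.
avc_to_allow() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    tgt=$(ctx_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    perms=$(avc_perms "$1")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te <module name> <line>: complete .te source, i.e. the allow rule
# wrapped in the module header and the require block checkmodule needs.
avc_to_te() {
    rule=$(avc_to_allow "$2") || return 1
    src=$(ctx_type "$(avc_field scontext "$2")")
    tgt=$(ctx_type "$(avc_field tcontext "$2")")
    cls=$(avc_field tclass "$2")
    perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '    type %s;\n    type %s;\n' "$src" "$tgt"
    printf '    class %s { %s };\n}\n\n%s\n' "$cls" "$perms" "$rule"
}

# label_matches_policy <path>: 0 if the on-disk context matches what the
# loaded policy's file_contexts say it should be (matchpathcon -V); this is
# the check behind the alert's "restorecon -v /" advice. Returns 0 (skip)
# where SELinux or libselinux-utils is absent so the example still runs.
label_matches_policy() {
    command -v matchpathcon >/dev/null 2>&1 || return 0
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 0
    matchpathcon -V "$1"
}

# build_and_load <module name> <te file>: the steps behind "audit2allow -M"
# followed by "semodule -i". Runs only when the policy toolchain is present.
build_and_load() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found; skipping load" >&2; return 0; }
    done
    checkmodule -M -m -o "$1.mod" "$2" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Demo: write local.te from the quoted denial and load it only if / carries
# the label the policy expects; otherwise relabeling, not a new rule, is the fix.
tmp=$(mktemp -d)
avc_to_te local "$AVC" > "$tmp/local.te"
cat "$tmp/local.te"
if label_matches_policy /; then
    build_and_load "$tmp/local" "$tmp/local.te"
else
    echo "/ is mislabeled; run 'restorecon -v /' instead of loading a module" >&2
fi
```

In day-to-day use "audit2allow -a" reads every denial in the audit log and merges them into one module, so review the generated .te before "semodule -i": a rule that names a type such as rsync_data_t on a directory that should be root_t is a labeling bug surfacing as a policy gap.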