allowing tftpd to make pxe functional
Stephen Smalley
sds at tycho.nsa.gov
Wed May 9 20:13:04 UTC 2007
On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
> I'm currently testing the latest rawhide build (F7), and I need help in
> allowing tftpd traffic (for PXE functionality).
> My previous workaround solution was:
> setsebool -P tftpd_disable_trans=1
> But this is no longer allowed under rawhide (F7). I tried running
> system-config-selinux to search for any entry on tftp or tftpd, but
> found none. Any other suggestion/workaround without disabling selinux?
You can use audit2allow to create a policy module to allow the access
and add it, e.g.
    audit2allow -a -M local
    semodule -i local.pp
>
> Here is the output from Selinux troubleshooter:
>
> Summary
> SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to /
> (rsync_data_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/in.tftpd. It is not expected
> that this access is required by /usr/sbin/in.tftpd and this access may
> signal an intrusion attempt. It is also possible that the specific version
> or configuration of the application is causing it to require additional
> access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /, restorecon -v / If this does
> not work, there is currently no automatic way to allow this access. Instead,
> you can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context          user_u:system_r:tftpd_t
> Target Context          system_u:object_r:rsync_data_t
> Target Objects          / [ dir ]
> Affected RPM Packages   tftp-server-0.42-4 [application]
>                         filesystem-2.4.6-1.fc7 [target]
> Policy RPM              selinux-policy-2.6.1-1.fc7
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             plugins.catchall_file
> Host Name               fiji3
> Platform                Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26
>                         10:17:55 EDT 2007 x86_64 x86_64
> Alert Count             20
> First Seen              Wed 09 May 2007 02:18:14 PM EDT
> Last Seen               Wed 09 May 2007 02:42:14 PM EDT
> Local ID                736e2428-de9a-469b-8b77-92bce3a8eacd
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0
> exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
> pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0
> subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0
--
Stephen Smalley
National Security Agency