allowing tftpd to make pxe functional

Daniel J Walsh dwalsh at redhat.com
Mon May 14 20:15:21 UTC 2007


Stephen Smalley wrote:
> On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
>   
>> I'm currently testing the latest rawhide build (F7), and I need help in 
>> allowing tftpd traffic (for PXE functionality).
>> My previous work around solution was:
>>     setsebool -P tftpd_disable_trans=1
>> But this is no longer allowed under rawhide (F7). I tried running 
>> system-config-selinux to search for any entry on tftp or tftpd, but  
>> found none. Any other suggestion/workaround without disabling selinux?
>>     
>
> You can use audit2allow to create a policy module to allow the access
> and add it, e.g.
> 	audit2allow -a -M local
> 	semodule -i local.pp
>
>   
We should always advise something like

audit2allow -a -M mytftp
semodule -i mytftp.pp

Since if you do this twice your first change will be removed.

>> Here is the output from Selinux troubleshooter:
>>
>> Summary
>>     SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to /
>>     (rsync_data_t).
>>
>> Detailed Description
>>     SELinux denied access requested by /usr/sbin/in.tftpd. It is not expected
>>     that this access is required by /usr/sbin/in.tftpd and this access may
>>     signal an intrusion attempt. It is also possible that the specific version
>>     or configuration of the application is causing it to require additional
>>     access.
>>
>> Allowing Access
>>     Sometimes labeling problems can cause SELinux denials.  You could try to
>>     restore the default system file context for /, restorecon -v / If this does
>>     not work, there is currently no automatic way to allow this access. Instead,
>>     you can generate a local policy module to allow this access - see
>>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>>     SELinux protection altogether. Disabling SELinux protection is not
>>     recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>>     against this package.
>>
>> Additional Information        
>>
>> Source Context                user_u:system_r:tftpd_t
>> Target Context                system_u:object_r:rsync_data_t
>> Target Objects                / [ dir ]
>> Affected RPM Packages         tftp-server-0.42-4
>>                               [application]filesystem-2.4.6-1.fc7 [target]
>> Policy RPM                    selinux-policy-2.6.1-1.fc7
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   plugins.catchall_file
>> Host Name                     fiji3
>> Platform                      Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26
>>                               10:17:55 EDT 2007 x86_64 x86_64
>> Alert Count                   20
>> First Seen                    Wed 09 May 2007 02:18:14 PM EDT
>> Last Seen                     Wed 09 May 2007 02:42:14 PM EDT
>> Local ID                      736e2428-de9a-469b-8b77-92bce3a8eacd
>> Line Numbers                  
>>
>> Raw Audit Messages            
>>
>> avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0
>> exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
>> pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0
>> subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir
>> tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>     
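
Added example, not code from the thread or from the SELinux tools: a POSIX sh script that does by hand what the audit2allow -a -M mytftp / semodule -i mytftp.pp sequence above does, so the two points in the replies are visible in working form. It parses the raw AVC denial quoted in the report (re-joined onto one line as the sample input), emits the allow rule and a complete module source under a name unique to this fix (mytftp, from the reply), and before that checks the labeling fault the troubleshooter output hints at: the target is "/" itself, and the script assumes "/" carries root_t in the targeted policy (matchpathcon / confirms that on a real host), so a different type on "/" means restorecon, not a new rule. The checkmodule / semodule_package / semodule build commands are real tools but need an SELinux host, so they are shown as comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux tools. It does by
# hand what "audit2allow -a -M mytftp" does: turns one raw AVC denial into an
# allow rule and a uniquely named module source, and first checks whether the
# denial is really a labeling fault, as the troubleshooter output suggests.
# Assumption: "/" carries root_t in the targeted policy (matchpathcon / on a
# real host confirms). The sample line is the thread's denial re-joined.

AVC='avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0'

# Value of one key=value field in an audit line ($1 = line, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type is the third colon-separated field of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions listed inside "denied { ... }", trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# Parse the fields a rule needs into SRC, TGT, CLS, PERMS and TPATH.
avc_parse() {
    SRC=$(ctx_type "$(avc_field "$1" scontext)")
    TGT=$(ctx_type "$(avc_field "$1" tcontext)")
    CLS=$(avc_field "$1" tclass)
    PERMS=$(avc_perms "$1")
    TPATH=$(avc_field "$1" name | tr -d '"')
}

# allow <source type> <target type>:<class> <perm or { perms }>;
avc_to_allow_rule() {
    avc_parse "$1"
    case $PERMS in
        *' '*) printf 'allow %s %s:%s { %s };\n' "$SRC" "$TGT" "$CLS" "$PERMS" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$SRC" "$TGT" "$CLS" "$PERMS" ;;
    esac
}

# A complete module source ($1 = module name, $2 = audit line), in the form
# audit2allow -M writes: module header, require block, allow rule.
avc_to_te() {
    avc_parse "$2"
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n\ttype %s;\n' "$SRC" "$TGT"
    printf '\tclass %s { %s };\n}\n\n' "$CLS" "$PERMS"
    avc_to_allow_rule "$2"
}

# True when the target is "/" itself under a type other than root_t: that is
# the labeling fault the troubleshooter points at, and the fix is
# "restorecon -v /", not a rule that lets tftpd into rsync_data_t directories.
mislabeled_root() {
    avc_parse "$1"
    [ "$TPATH" = "/" ] && [ "$TGT" != root_t ]
}

# Name the module after the fix, as the reply advises: a second
# "audit2allow -a -M local" would silently replace a module called "local".
MODULE=mytftp
if mislabeled_root "$AVC"; then
    echo "/ is labeled $TGT, not root_t: run 'restorecon -v /' and re-test before loading a module" >&2
fi
echo "# $MODULE.te"
avc_to_te "$MODULE" "$AVC"
# Build and load on the SELinux host (not run here):
#   checkmodule -M -m -o $MODULE.mod $MODULE.te
#   semodule_package -o $MODULE.pp -m $MODULE.mod
#   semodule -i $MODULE.pp
#   semodule -l | grep ^$MODULE    # loaded alongside, not instead of, earlier modules
```

For the denial in the report the script prints the restorecon warning first, because "/" shows up as rsync_data_t; only if the denial persists after relabeling does the generated mytftp.te (allow tftpd_t rsync_data_t:dir search;) belong on the box, and then under its own name so later audit2allow runs for other services cannot overwrite it.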



