allowing tftpd to make pxe functional
Daniel J Walsh
dwalsh at redhat.com
Mon May 14 20:15:21 UTC 2007
Stephen Smalley wrote:
> On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
>
>> I'm currently testing the latest rawhide build (F7), and I need help in
>> allowing tftpd traffic (for PXE functionality).
>> My previous work around solution was:
>> setsebool -P tftpd_disable_trans=1
>> But this is no longer allowed under rawhide (F7). I tried running
>> system-config-selinux to search for any entry on tftp or tftpd, but
>> found none. Any other suggestion/workaround without disabling SELinux?
>>
>
> You can use audit2allow to create a policy module to allow the access
> and add it, e.g.
> audit2allow -a -M local
> semodule -i local.pp
>
>
We should always advise something like
audit2allow -a -M mytftp
semodule -i mytftp.pp
Since if you do this twice, your first change will be removed.
>> Here is the output from Selinux troubleshooter:
>>
>> Summary
>> SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to /
>> (rsync_data_t).
>>
>> Detailed Description
>> SELinux denied access requested by /usr/sbin/in.tftpd. It is not expected
>> that this access is required by /usr/sbin/in.tftpd and this access may
>> signal an intrusion attempt. It is also possible that the specific version
>> or configuration of the application is causing it to require additional
>> access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try to
>> restore the default system file context for /, restorecon -v /
>> If this does not work, there is currently no automatic way to allow this
>> access. Instead, you can generate a local policy module to allow this
>> access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>> Or you can disable SELinux protection altogether. Disabling SELinux
>> protection is not recommended. Please file a
>> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>> against this package.
>>
>> Additional Information
>>
>> Source Context user_u:system_r:tftpd_t
>> Target Context system_u:object_r:rsync_data_t
>> Target Objects / [ dir ]
>> Affected RPM Packages tftp-server-0.42-4 [application]
>> filesystem-2.4.6-1.fc7 [target]
>> Policy RPM selinux-policy-2.6.1-1.fc7
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Enforcing
>> Plugin Name plugins.catchall_file
>> Host Name fiji3
>> Platform Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26 10:17:55 EDT 2007 x86_64 x86_64
>> Alert Count 20
>> First Seen Wed 09 May 2007 02:18:14 PM EDT
>> Last Seen Wed 09 May 2007 02:42:14 PM EDT
>> Local ID 736e2428-de9a-469b-8b77-92bce3a8eacd
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0
>> exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
>> pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0
>> subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir
>> tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
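As an added illustration of what the audit2allow/semodule workflow in this thread does (this is example code, not part of the thread or of the audit2allow tool), the following script parses raw AVC denial lines like the one quoted above into allow rules, merges repeated denials for the same source/target/class, and renders a type-enforcement (.te) source file under a distinct module name, as Dan recommends so that a later `local` module does not overwrite it. It also flags the labeling problem the troubleshooter text hints at: the root directory should carry the `root_t` type, so a denial on `/` labeled `rsync_data_t` calls for `restorecon -v /` rather than an allow rule. The sample denials are constructed here (the first is the thread's own message joined onto one line, the second is invented); `labeling_hint`, `collect_rules` and `render_te` are names chosen for this example.

```python
import re
from collections import defaultdict

# Matches the permission set in "avc: denied { search } for ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
# Matches key=value pairs, with or without quotes around the value
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: first line is the denial quoted in the thread,
# joined onto one line; second line is an invented denial from the same domain.
SAMPLE_AVC = [
    'avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 '
    'exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" '
    'pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 '
    'subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0',
    'avc: denied { read getattr } for comm="in.tftpd" name="pxelinux.0" '
    'scontext=user_u:system_r:tftpd_t:s0 '
    'tcontext=system_u:object_r:rsync_data_t:s0 tclass=file',
]


def parse_avc(line):
    """Extract permissions, source/target types, class and object name
    from one raw AVC denial line; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        # a context is user:role:type[:level]; the type is the third field
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name"),
        "comm": fields.get("comm"),
    }


def labeling_hint(denial):
    """Return advice when the denial looks like a mislabeled filesystem root
    (the root directory is root_t in the targeted policy) rather than a
    genuine missing rule; None otherwise."""
    if denial["name"] == "/" and denial["tclass"] == "dir" \
            and denial["target_type"] != "root_t":
        return ("/ is labeled %s but should be root_t; run 'restorecon -v /' "
                "before adding an allow rule" % denial["target_type"])
    return None


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return rules


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules, version="1.0"):
    """Render rules as a .te file in the layout audit2allow -M produces:
    module header, a require block for every type and class, then allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for src, tgt, tclass in sorted(rules):
        out.append(f"allow {src} {tgt}:{tclass} {_fmt_perms(rules[(src, tgt, tclass)])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line in SAMPLE_AVC:
        hint = labeling_hint(parse_avc(line))
        if hint:
            print("# NOTE:", hint)
    # Build the module under its own name, as Dan suggests (mytftp, not local).
    # Compile and load with the real tools:
    #   checkmodule -M -m -o mytftp.mod mytftp.te
    #   semodule_package -o mytftp.pp -m mytftp.mod
    #   semodule -i mytftp.pp
    print(render_te("mytftp", collect_rules(SAMPLE_AVC)))
```

Running the script on the constructed input prints the restorecon hint for the first denial and a `mytftp` module containing `allow tftpd_t rsync_data_t:dir search;` and `allow tftpd_t rsync_data_t:file { getattr read };`. The point of the hint is the one the troubleshooter makes: an allow rule written against a wrongly labeled target encodes the mislabeling into policy, so fix labels first and generate rules only for what remains.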