allowing in.tftpd to read/write files?

Daniel J Walsh dwalsh at redhat.com
Fri Oct 19 18:59:58 UTC 2007



Chuck Anderson wrote:
> How do I allow tftpd to write files?  I changed the context to 
> "system_u:object_r:public_content_rw_t:s0" but that doesn't work.  
> Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem 
> to be any file_contexts set up for /var/tftp.  I manually set the 
> context to match that of /tftpboot:
> 
> drwxr-xr-x  root root system_u:object_r:tftpdir_t      /tftpboot//
> drwxrwsr-x  tftp tftp system_u:object_r:tftpdir_t      /var/tftp/
> 
> -rw-rw-rw-  cra tftp system_u:object_r:public_content_rw_t /var/tftp/testfile
> 
> type=AVC msg=audit(1192818715.964:10131): avc:  denied  { write } for  
> pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 
> ino=84549655 scontext=user_u:system_r:tftpd_t:s0 
> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
> type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 
> success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0 
> ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99 
> egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd" 
> exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
> 
> Thanks.
> 
I did not even know you could upload with tftp.

Is this common?  I would think this is dangerous and insecure, but with
SELinux you could make it a little more secure.

tftp can only read public_content policy

So we have three options.

1. Use audit2allow to generate policy to allow tftp to write to the
files/directory you want.

2. convince me or upstream that tftp should be able to write to
public_content_rw_t.

BTW, I was at WPI this past Tuesday at the Robot Symposium.  It was
quite good.
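A worked version of option 1 from the reply above, added here as an example and not part of the original message or of the Fedora policy tree. It takes the AVC record Chuck posted (embedded below as a constructed one-line sample), turns it into the `allow` rule audit2allow would emit, wraps it in a loadable module, and labels /var/tftp persistently so a relabel does not undo the manual chcon. The module name `tftpdwrite` and the helper names are this example's own choices; the build uses the standard checkmodule / semodule_package / semodule tools and needs root to load.

```shell
#!/bin/sh
# Added example: generate and load a local policy module for the tftpd_t
# write denial, the way "audit2allow -M" would, and label /var/tftp.
# Assumes Fedora policy tools (checkmodule, semodule_package, semodule,
# semanage, restorecon, ausearch, audit2allow) are installed.

# Constructed sample: the AVC record from the post, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1192818715.964:10131): avc:  denied  { write } for  pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 ino=84549655 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file'

# Read AVC records on stdin, print one "allow" rule per denial.
# Only the type field (third component) of each context matters for the rule.
avc_to_allow_rules() {
    awk '
    /avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0;   sub(/.*scontext=/, "", src);       sub(/ .*/, "", src)
        tgt = $0;   sub(/.*tcontext=/, "", tgt);       sub(/ .*/, "", tgt)
        cls = $0;   sub(/.*tclass=/, "", cls);         sub(/ .*/, "", cls)
        split(src, s, ":"); split(tgt, t, ":")
        printf "allow %s %s:%s { %s };\n", s[3], t[3], cls, perms
    }'
}

# Wrap allow rules ($2, one per line) in a module named $1; the require block
# lists every type and class:permission the rules reference.
make_te_module() {
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$2" | awk '
    {
        split($3, tc, ":")
        types[$2] = 1; types[tc[1]] = 1
        p = $0; sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
        n = split(p, pl, " ")
        for (i = 1; i <= n; i++) perms[tc[2] " " pl[i]] = 1
    }
    END {
        for (ty in types) printf "\ttype %s;\n", ty
        for (k in perms) { split(k, kp, " "); cls[kp[1]] = cls[kp[1]] " " kp[2] }
        for (c in cls) printf "\tclass %s {%s };\n", c, cls[c]
    }'
    printf '}\n\n%s\n' "$2"
}

# Compile and load the module text in $2 under the name $1 (run as root).
install_te_module() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$2" > "$tmp/$1.te"
    checkmodule -M -m -o "$tmp/$1.mod" "$tmp/$1.te" &&
    semodule_package -o "$tmp/$1.pp" -m "$tmp/$1.mod" &&
    semodule -i "$tmp/$1.pp"
}

# The same thing with the real tools: pull in.tftpd denials from the audit
# log and let audit2allow write and package the module.
audit2allow_module() {
    ausearch -m avc -c in.tftpd | audit2allow -M "$1" && semodule -i "$1.pp"
}

# Make the /var/tftp labels from the post persistent instead of a one-off chcon.
# "upload" as the writable subdirectory is this example's assumption.
label_tftp_dir() {
    semanage fcontext -a -t tftpdir_t '/var/tftp(/.*)?' &&
    semanage fcontext -a -t public_content_rw_t '/var/tftp/upload(/.*)?' &&
    restorecon -R -v /var/tftp
}

# Usage (as root):
#   rules=$(ausearch -m avc -c in.tftpd | avc_to_allow_rules)
#   install_te_module tftpdwrite "$(make_te_module tftpdwrite "$rules")"
#   label_tftp_dir
```

Two caveats before loading such a module. The generated rule grants tftpd_t write on every public_content_rw_t file on the host, and that type is shared with the other anonymous-write services (ftpd, httpd, samba), so keep uploads in their own directory and check with `sesearch` what the rule actually unlocks. Later Fedora and RHEL policies put this permission behind the `tftp_anon_write` boolean (`setsebool -P tftp_anon_write 1`), so on a current system check `getsebool tftp_anon_write` before writing a module at all.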