allowing in.tftpd to read/write files?
Chuck Anderson
cra at WPI.EDU
Fri Oct 19 20:58:57 UTC 2007
On Fri, Oct 19, 2007 at 02:59:58PM -0400, Daniel J Walsh wrote:
> Is this common? I would think this is dangerous and insecure, but with
> SELinux you could make it a little more secure.
Well, I suppose it is somewhat less common than reading, but there are
many embedded-type devices that can only get/put files via TFTP.
> tftp can only read public_content policy
Strange that I had to add policy to allow it to read. Here is the
sequence of events:
1. When I installed this server and set up TFTP, I changed
/etc/xinetd.d/tftp to use the /var/tftp directory instead of
/tftpboot:
# default: off
# description: The tftp server serves files using the trivial file transfer \
#	protocol.  The tftp protocol is often used to boot diskless \
#	workstations, download configuration files to network-aware printers, \
#	and to start the installation process for some operating systems.
service tftp
{
	socket_type		= dgram
	protocol		= udp
	wait			= yes
	user			= root
	server			= /usr/sbin/in.tftpd
	server_args		= -c -s /var/tftp
	disable			= no
	per_source		= 11
	cps			= 100 2
	flags			= IPv4
}
2. All files in /var/tftp had the default labeling (This is Fedora
Core 6 BTW). According to older audit logs, this was:
user_u:object_r:var_t:s0
3. Reading worked fine with var_t files!?!
4. I tried to upload a file via TFTP, and it failed.
5. I saw the audit messages and tried relabelling everything as
public_content:
chcon system_u:object_r:tftpdir_t /var/tftp
chcon -R system_u:object_r:public_content_t /var/tftp/*
chcon system_u:object_r:public_content_rw_t /var/tftp/select-files-to-be-writeable
6. I noticed that reading failed. So var_t files could be read, but
public_content_t files could not. Strange.
7. I created local policy to allow tftp to read public_content_t and
read/write public_content_rw_t.
> 1 Use audit2allow to generate policy to allow tftp to write to the
> files/directory you want.
Done. See my other message.
> 2. convince me or upstream that tftp should be able to write to
> public_content_rw_t.
I think this would be a good idea. Perhaps at the same time we should
make sure /var/tftp is in file_contexts, and make sure
public_content_t works for reading as well (perhaps this was already
fixed in Fedora 7 or newer policy).
> BTW, I was at WPI this past Tuesday at the Robot Symposium. It was
> quite good.
Darn. It would have been nice to meet you in person. Glad you liked
it.
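The sequence of events in the message above (default var_t labels, a failed upload, relabelling to public_content_t / public_content_rw_t, then local policy via audit2allow) is really a triage of AVC denials. The script below is an added illustration, not code from the thread or from Fedora: it pulls the source type, target type and denied permission out of AVC lines and maps each to the kind of fix the thread discusses. The audit lines are constructed for this example, and the remedy categories (relabel-ro, relabel-rw, policy-needed, not-tftp) are the author's own labels, not SELinux terms.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: classify SELinux AVC denials
# against a tftp tree. Constructed sample lines, not real audit data.
AVC_WRITE_VAR_T='type=AVC msg=audit(1192820000.101:201): avc:  denied  { write } for  pid=2345 comm="in.tftpd" name="router.cfg" dev=sda3 ino=40123 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file'
AVC_MKFILE_VAR_T='type=AVC msg=audit(1192820000.102:202): avc:  denied  { add_name } for  pid=2346 comm="in.tftpd" name="new.bin" scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=dir'
AVC_READ_PUBLIC='type=AVC msg=audit(1192820000.103:203): avc:  denied  { read } for  pid=2347 comm="in.tftpd" name="pxelinux.0" dev=sda3 ino=40130 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file'
AVC_HTTPD='type=AVC msg=audit(1192820000.104:204): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev=sda3 ino=50001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file'

# Print the value of one key=value field (scontext, tcontext, tclass, name ...).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Reduce a context such as user_u:object_r:var_t:s0 to its type, var_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the permissions inside "denied { ... }", e.g. "write" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Decide what to do about one denial, following the thread's reasoning:
#   not-tftp       the denial is not from the tftpd_t domain at all
#   policy-needed  the file already carries the intended public_content label,
#                  so only local policy (audit2allow) can help
#   relabel-rw     default label plus a write-type permission: the file or
#                  directory must become public_content_rw_t
#   relabel-ro     default label plus a read-type permission: public_content_t
tftp_remedy() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    if [ "$stype" != tftpd_t ]; then
        echo not-tftp
        return 0
    fi
    case "$ttype" in
        public_content_t|public_content_rw_t|tftpdir_t)
            echo policy-needed
            return 0 ;;
    esac
    case " $perms " in
        *" write "*|*" create "*|*" add_name "*|*" append "*|*" remove_name "*)
            echo relabel-rw ;;
        *)
            echo relabel-ro ;;
    esac
}

# Turn a remedy into the command an administrator would review and run.
# chcon matches the thread; the audit2allow invocation is the standard
# "build a local module" form. Paths here are examples.
tftp_fix_command() {
    case "$1" in
        relabel-ro)    echo "chcon -t public_content_t '$2'" ;;
        relabel-rw)    echo "chcon -t public_content_rw_t '$2'" ;;
        policy-needed) echo "audit2allow -M local_tftp < /var/log/audit/audit.log  # then review local_tftp.te" ;;
        *)             echo "# no tftp change needed for $2" ;;
    esac
}

# Walk the constructed denials and show the triage result for each.
for line in "$AVC_WRITE_VAR_T" "$AVC_MKFILE_VAR_T" "$AVC_READ_PUBLIC" "$AVC_HTTPD"; do
    name=$(avc_field "$line" name | tr -d '"')
    remedy=$(tftp_remedy "$line")
    printf '%-18s %-9s %-13s %s\n' \
        "$(ctx_type "$(avc_field "$line" tcontext)")" "$(avc_perms "$line")" \
        "$remedy" "$(tftp_fix_command "$remedy" "/var/tftp/$name")"
done
```

The point of separating relabel-rw from policy-needed is the one the thread makes: a denial on a default-labelled file is a labelling mistake, whereas a denial on a file that already has the intended public_content label means the policy itself does not grant the access, and that is where audit2allow (or an upstream policy change) comes in. chcon is not persistent across a relabel; the equivalent durable fix is a file_contexts entry, which is what the suggestion to put /var/tftp into file_contexts is about.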