allowing in.tftpd to read/write files?

Per Sjoholm Per.t.Sjoholm at flysta.net
Fri Oct 19 21:27:28 UTC 2007


tftp is used both for booting network devices like switches, routers, 
ADSL modems, etc., and also to let them save a configuration file or a log file.
Often there are no alternatives for these devices.


Daniel J Walsh wrote:
>
> Chuck Anderson wrote:
>   
>> How do I allow tftpd to write files?  I changed the context to 
>> "system_u:object_r:public_content_rw_t:s0" but that doesn't work.  
>> Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem 
>> to be any file_contexts set up for /var/tftp.  I manually set the 
>> context to match that of /tftpboot:
>>
>> drwxr-xr-x  root root system_u:object_r:tftpdir_t      /tftpboot//
>> drwxrwsr-x  tftp tftp system_u:object_r:tftpdir_t      /var/tftp/
>>
>> -rw-rw-rw-  cra tftp system_u:object_r:public_content_rw_t /var/tftp/testfile
>>
>> type=AVC msg=audit(1192818715.964:10131): avc:  denied  { write } for  
>> pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 
>> ino=84549655 scontext=user_u:system_r:tftpd_t:s0 
>> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
>> type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 
>> success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0 
>> ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99 
>> egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd" 
>> exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
>>
>> Thanks.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>     
> I did not even know you could upload with tftp.
>
> Is this common?  I would think this is dangerous and insecure, but with
> SELinux you could make it a little more secure.
>
> tftp can only read public_content policy
>
> So we have three options.
>
> 1. Use audit2allow to generate policy to allow tftp to write to the
> files/directory you want.
>
> 2. convince me or upstream that tftp should be able to write to
> public_content_rw_t.
>
> BTW, I was at WPI this past Tuesday at the Robot Symposium.  It was
> quite good.
>
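Option 1 in Dan's reply is what audit2allow automates. The following Python script is an added example, not part of the thread and not audit2allow's own code: it parses AVC records like the one Chuck posted, pulls the source type, target type, object class and denied permissions out of each, and merges them into the allow rules a local policy module would need (simplified: no module header, no require block, no interface matching). The second denial record in the sample is constructed so that the aggregation has two keys to work with.

```python
import re
from collections import defaultdict

# Constructed sample audit log. The first AVC record is the one from the thread
# (re-joined onto one line); the second record is constructed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1192818715.964:10131): avc:  denied  { write } for  pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 ino=84549655 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 success=no exit=-13 comm="in.tftpd" exe="/usr/sbin/in.tftpd"
type=AVC msg=audit(1192818716.100:10132): avc:  denied  { add_name write } for  pid=15860 comm="in.tftpd" name="newfile" scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
"""

# Matches only AVC denial records; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(':')[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, {perms}) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (type_of(m['scontext']), type_of(m['tcontext']),
               m['tclass'], set(m['perms'].split()))


def allow_rules(log_text):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        merged[(stype, ttype, tclass)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Read the generated rules before loading them: the first one grants tftpd_t write access to public_content_rw_t, which is exactly the policy change Dan's option 2 puts up for discussion, so it should be a deliberate choice rather than something applied blindly from the log.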



