Stephen Smalley wrote:
On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
I'm currently testing the latest rawhide build (F7), and I need help in allowing tftpd traffic (for PXE functionality). My previous workaround solution was:
    setsebool -P tftpd_disable_trans=1
But this is no longer allowed under rawhide (F7). I tried running system-config-selinux to search for any entry on tftp or tftpd, but found none. Any other suggestion/workaround without disabling SELinux?
You can use audit2allow to create a policy module to allow the access and add it, e.g.
    audit2allow -a -M local
    semodule -i local.pp
We should always advise something like
    audit2allow -a -M mytftp
    semodule -i mytftp.pp
Since if you do this twice your first change will be removed.
Here is the output from SELinux troubleshooter:
Summary
    SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / (rsync_data_t).
Detailed Description
    SELinux denied access requested by /usr/sbin/in.tftpd. It is not expected that this access is required by /usr/sbin/in.tftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /,
        restorecon -v /
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
    Source Context         user_u:system_r:tftpd_t
    Target Context         system_u:object_r:rsync_data_t
    Target Objects         / [ dir ]
    Affected RPM Packages  tftp-server-0.42-4 [application]
                           filesystem-2.4.6-1.fc7 [target]
    Policy RPM             selinux-policy-2.6.1-1.fc7
    Selinux Enabled        True
    Policy Type            targeted
    MLS Enabled            True
    Enforcing Mode         Enforcing
    Plugin Name            plugins.catchall_file
    Host Name              fiji3
    Platform               Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26 10:17:55 EDT 2007 x86_64 x86_64
    Alert Count            20
    First Seen             Wed 09 May 2007 02:18:14 PM EDT
    Last Seen              Wed 09 May 2007 02:42:14 PM EDT
    Local ID               736e2428-de9a-469b-8b77-92bce3a8eacd
    Line Numbers
Raw Audit Messages
avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
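
To see what a module such as mytftp would grant before it is loaded with semodule -i, the following added example (not part of the original thread, and a simplified sketch rather than audit2allow's own code) turns the raw audit message quoted above into its type-enforcement rule. The second log line, the `only_source` filter and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Raw audit message from the report above, abridged to the fields used here.
AVC = ('avc: denied { search } for comm="in.tftpd" exe="/usr/sbin/in.tftpd" '
       'name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 tclass=dir '
       'tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0')
# Constructed line: an unrelated denial that could sit in the same audit log.
OTHER = ('avc: denied { read } for comm="httpd" name="notes.txt" '
         'scontext=system_u:system_r:httpd_t:s0 tclass=file '
         'tcontext=system_u:object_r:user_home_t:s0')

PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, class, perms), or None if no denial."""
    m = PERMS.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    # A context is user:role:type[:level]; rules are written on the type.
    stype, ttype = (f[k].split(':')[2] for k in ('scontext', 'tcontext'))
    return stype, ttype, f['tclass'], set(m.group(1).split())

def braces(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'

def build_module(name, lines, only_source=None):
    """Merge denials into allow rules and render the module source (.te)."""
    rules, classes = defaultdict(set), defaultdict(set)
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, lines)):
        if only_source and stype != only_source:
            continue  # hypothetical filter: keep one domain's denials only
        rules[(stype, ttype, tclass)] |= perms
        classes[tclass] |= perms
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {braces(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {braces(p)};'
            for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_module('local', [AVC, OTHER]))                          # everything logged
    print(build_module('mytftp', [AVC, OTHER], only_source='tftpd_t'))  # tftpd only
```

Without the filter, the rendered module also carries the unrelated httpd_t rule, which is the reason to read the generated rules before installing a module built from the whole audit log.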