I'm currently testing the latest rawhide build (F7), and I need help in allowing tftpd traffic (for PXE functionality). My previous workaround was:
setsebool -P tftpd_disable_trans=1
But this is no longer allowed under rawhide (F7). I tried running system-config-selinux to search for any entry on tftp or tftpd, but found none. Any other suggestion/workaround without disabling SELinux?
Here is the output from Selinux troubleshooter:
Summary SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / (rsync_data_t).
Detailed Description SELinux denied access requested by /usr/sbin/in.tftpd. It is not expected that this access is required by /usr/sbin/in.tftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /, restorecon -v / If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context: user_u:system_r:tftpd_t
Target Context: system_u:object_r:rsync_data_t
Target Objects: / [ dir ]
Affected RPM Packages: tftp-server-0.42-4 [application], filesystem-2.4.6-1.fc7 [target]
Policy RPM: selinux-policy-2.6.1-1.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: fiji3
Platform: Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26 10:17:55 EDT 2007 x86_64 x86_64
Alert Count: 20
First Seen: Wed 09 May 2007 02:18:14 PM EDT
Last Seen: Wed 09 May 2007 02:42:14 PM EDT
Local ID: 736e2428-de9a-469b-8b77-92bce3a8eacd
Raw Audit Messages
avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0
On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
I'm currently testing the latest rawhide build (F7), and I need help in allowing tftpd traffic (for PXE functionality). My previous workaround was:
setsebool -P tftpd_disable_trans=1
But this is no longer allowed under rawhide (F7). I tried running system-config-selinux to search for any entry on tftp or tftpd, but found none. Any other suggestion/workaround without disabling SELinux?
You can use audit2allow to create a policy module to allow the access and add it, e.g.
audit2allow -a -M local
semodule -i local.pp
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Stephen Smalley wrote:
On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
I'm currently testing the latest rawhide build (F7), and I need help in allowing tftpd traffic (for PXE functionality). My previous workaround was:
setsebool -P tftpd_disable_trans=1
But this is no longer allowed under rawhide (F7). I tried running system-config-selinux to search for any entry on tftp or tftpd, but found none. Any other suggestion/workaround without disabling SELinux?
You can use audit2allow to create a policy module to allow the access and add it, e.g.
audit2allow -a -M local
semodule -i local.pp
We should always advise something like
audit2allow -a -M mytftp
semodule -i mytftp.pp
since, if you do this twice, your first change will be removed.
On Wed, May 09, 2007 at 03:38:16PM -0400, eric magaoay wrote:
Summary SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / (rsync_data_t). Source Context user_u:system_r:tftpd_t Target Context system_u:object_r:rsync_data_t Target Objects / [ dir ]
I believe your / is labelled incorrectly. Mine is:
system_u:object_r:root_t
Chuck Anderson wrote:
On Wed, May 09, 2007 at 03:38:16PM -0400, eric magaoay wrote:
Summary SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / (rsync_data_t). Source Context user_u:system_r:tftpd_t Target Context system_u:object_r:rsync_data_t Target Objects / [ dir ]
I believe your / is labelled incorrectly. Mine is:
system_u:object_r:root_t
I have 2 questions:
1. Is there a justification for using root_t instead of tftpd_t?
2. Does "search" to "/" mean searching the absolute root directory, or the root directory of tftp defined in xinetd, which is "/a" in my case?
On Thu, 2007-05-24 at 11:43 -0400, eric wrote:
Chuck Anderson wrote:
On Wed, May 09, 2007 at 03:38:16PM -0400, eric magaoay wrote:
Summary SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / (rsync_data_t). Source Context user_u:system_r:tftpd_t Target Context system_u:object_r:rsync_data_t Target Objects / [ dir ]
I believe your / is labelled incorrectly. Mine is:
system_u:object_r:root_t
I have 2 questions:
- Is there a justification for using root_t instead of tftpd_t?
root_t specifically exists to label the / directory of the system, not the root of the directory you are exporting over tftp. It's not specific to the tftp policy. If you change the type of / to something other than root_t, then many things can go wrong, since all domains should be able to at least search /.
- Does "search" to "/" mean searching the absolute root directory, or the root directory of tftp defined in xinetd, which is "/a" in my case?
It means the real root directory.
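An added example, not from the thread, that turns Chuck's and Stephen's point into a check a defender can run before reaching for audit2allow: compare the target type in the AVC record with the type the file-context policy expects for that path, and treat a mismatch as a relabel job rather than a policy gap. Sample input is the denial quoted above; matchpathcon is the real libselinux utility, while the fallback table (assuming / should be root_t) and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): is an AVC denial a labeling problem or
# a real policy gap? Sample input is the denial quoted in the thread, verbatim.
AVC='avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0'

# avc_field LINE KEY: value of KEY=... in the audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_type CONTEXT: the type component of a user:role:TYPE:level context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type the file-context policy assigns to PATH.
# Uses matchpathcon when libselinux-utils is installed; otherwise falls back
# to a small table (assumption: / is root_t, as Chuck and Stephen say above).
expected_type() {
    if command -v matchpathcon >/dev/null 2>&1; then
        avc_type "$(matchpathcon -n "$1")"
    else
        case "$1" in
            /) echo root_t ;;
            *) echo unknown ;;
        esac
    fi
}

# classify_denial LINE EXPECTED: "relabel" when the target's tcontext type
# differs from EXPECTED (the object is mislabeled and an allow rule would only
# paper over it), "policy" when the label is right and the domain needs access.
classify_denial() {
    actual=$(avc_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then echo relabel; else echo policy; fi
}

# suggest_fix LINE EXPECTED MODULE: the command for each verdict. The module
# gets a unique name so a later audit2allow run does not replace it.
suggest_fix() {
    target=$(avc_field "$1" name)
    case "$(classify_denial "$1" "$2")" in
        relabel) echo "restorecon -v $target" ;;
        policy)  echo "audit2allow -a -M $3 && semodule -i $3.pp" ;;
    esac
}
# Usage: check the thread's denial against the expected label of /.
echo "verdict: $(classify_denial "$AVC" "$(expected_type /)")"
echo "fix:     $(suggest_fix "$AVC" "$(expected_type /)" mytftp)"
```

For the thread's denial the verdict is "relabel", so the fix is restorecon on /, not a tftpd allow rule against rsync_data_t.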