How do I allow tftpd to write files? I changed the context to "system_u:object_r:public_content_rw_t:s0" but that doesn't work. Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem to be any file_contexts set up for /var/tftp. I manually set the context to match that of /tftpboot:
drwxr-xr-x  root  root  system_u:object_r:tftpdir_t           /tftpboot/
drwxrwsr-x  tftp  tftp  system_u:object_r:tftpdir_t           /var/tftp/
-rw-rw-rw-  cra   tftp  system_u:object_r:public_content_rw_t /var/tftp/testfile
type=AVC msg=audit(1192818715.964:10131): avc: denied { write } for pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 ino=84549655 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0 ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
Thanks.
On Fri, Oct 19, 2007 at 02:42:33PM -0400, Chuck Anderson wrote:
How do I allow tftpd to write files?
I ended up creating the following local policy. Should this type of thing be put into the standard policy package?
# cat /root/tftp.te
module tftp 1.0;

require {
        type public_content_t;
        type tftpd_t;
        type public_content_rw_t;
        class dir search;
        class file { read write getattr };
}

#============= tftpd_t ==============
allow tftpd_t public_content_rw_t:file { write read getattr };
allow tftpd_t public_content_t:dir search;
allow tftpd_t public_content_t:file { read getattr };
Chuck Anderson wrote:
How do I allow tftpd to write files? I changed the context to "system_u:object_r:public_content_rw_t:s0" but that doesn't work. Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem to be any file_contexts set up for /var/tftp. I manually set the context to match that of /tftpboot:
drwxr-xr-x  root  root  system_u:object_r:tftpdir_t           /tftpboot/
drwxrwsr-x  tftp  tftp  system_u:object_r:tftpdir_t           /var/tftp/
-rw-rw-rw-  cra   tftp  system_u:object_r:public_content_rw_t /var/tftp/testfile
type=AVC msg=audit(1192818715.964:10131): avc: denied { write } for pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 ino=84549655 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0 ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
Thanks.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I did not even know you could upload with tftp.
Is this common? I would think this is dangerous and insecure, but with SELinux you could make it a little more secure.
tftp can only read public_content policy
So we have three options.

1. Use audit2allow to generate policy to allow tftp to write to the files/directory you want.
2. Convince me or upstream that tftp should be able to write to public_content_rw_t.
BTW, I was at WPI this past Tuesday at the Robot Symposium. It was quite good.
On Fri, Oct 19, 2007 at 02:59:58PM -0400, Daniel J Walsh wrote:
Is this common? I would think this is dangerous and insecure, but with SELinux you could make it a little more secure.
Well, I suppose it is somewhat less common than reading, but there are many embedded-type devices that can only get/put files via TFTP.
tftp can only read public_content policy
Strange that I had to add policy to allow it to read. Here is the sequence of events:
1. When I installed this server and set up TFTP, I changed /etc/xinetd.d/tftp to use the /var/tftp directory instead of /tftpboot:
# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol. The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c -s /var/tftp
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
2. All files in /var/tftp had the default labeling (This is Fedora Core 6 BTW). According to older audit logs, this was:
user_u:object_r:var_t:s0
3. Reading worked fine with var_t files!?!
4. I tried to upload a file via TFTP, and it failed.
5. I saw the audit messages and tried relabelling everything as public_content:
chcon system_u:object_r:tftpdir_t /var/tftp
chcon -R system_u:object_r:public_content_t /var/tftp/*
chcon system_u:object_r:public_content_rw_t /var/tftp/select-files-to-be-writeable
6. I noticed that reading failed. So var_t files could be read, but public_content_t files could not. Strange.
7. I created local policy to allow tftp to read public_content_t and read/write public_content_rw_t.
1. Use audit2allow to generate policy to allow tftp to write to the files/directory you want.
Done. See my other message.
2. Convince me or upstream that tftp should be able to write to public_content_rw_t.
I think this would be a good idea. Perhaps at the same time we should make sure /var/tftp is in file_contexts, and make sure public_content_t works for reading as well (perhaps this was already fixed in Fedora 7 or newer policy).
BTW, I was at WPI this past Tuesday at the Robot Symposium. It was quite good.
Darn. It would have been nice to meet you in person. Glad you liked it.
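The following is an added example, not code posted by anyone in this thread. It does by hand what the audit2allow step in option 1 does and what the tftp.te in Chuck's earlier message hand-encodes: it parses raw AVC records out of audit.log, merges the denied permissions per (source type, target type, class), and prints a module in the same .te syntax. It also decodes the SYSCALL record that accompanies the AVC, since on this box (arch=40000003 is i386, syscall 5 is open) the a1/a2 arguments tell you the daemon was opening the file O_WRONLY|O_CREAT|O_LARGEFILE with mode 0666, which explains why the file class and the write permission show up. The sample input is constructed: the first two records are the denial quoted in the thread, the third is an assumed read denial on public_content_t (file name invented) of the kind described in step 6 but not quoted.

```python
"""Mini audit2allow: AVC denial records -> SELinux policy module (.te).

Added example for this thread, not code posted by any participant.
"""
import errno
import re
from collections import defaultdict

# Constructed sample. Records 1-2 are the thread's write denial; record 3
# is an assumed read denial on public_content_t (file name invented).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1192818715.964:10131): avc: denied { write } for pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 ino=84549655 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0 ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
type=AVC msg=audit(1192818720.100:10132): avc: denied { read } for pid=15861 comm="in.tftpd" name="pxelinux.0" dev=dm-4 ino=84549660 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL .*?arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) success=\w+ "
    r"exit=(?P<exit>-?\d+) a0=\w+ a1=(?P<a1>[0-9a-f]+) a2=(?P<a2>[0-9a-f]+)"
)
# i386 open(2) flag bits (arch=40000003 is AUDIT_ARCH_I386, syscall 5 is open).
I386_OPEN_FLAGS = [(0x1, "O_WRONLY"), (0x2, "O_RDWR"), (0x40, "O_CREAT"),
                   (0x80, "O_EXCL"), (0x200, "O_TRUNC"), (0x400, "O_APPEND"),
                   (0x8000, "O_LARGEFILE")]


def type_of(context):
    """user:role:type[:level] -> the type component."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))


def build_rules(text):
    """Merge denials into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_module(name, version, rules):
    """Emit the require block and allow rules in .te syntax."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


def decode_open_flags(hexflags):
    """Hex a1 argument of i386 open(2) -> list of flag names."""
    bits = int(hexflags, 16)
    names = [n for b, n in I386_OPEN_FLAGS if bits & b]
    if not bits & 0x3:          # neither O_WRONLY nor O_RDWR set
        names.insert(0, "O_RDONLY")
    return names


def explain_syscall(line):
    """Decode a SYSCALL record; returns None for any other record type."""
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    info = {"arch": m["arch"], "nr": int(m["nr"]), "exit": int(m["exit"])}
    if info["exit"] < 0:
        info["errno"] = errno.errorcode.get(-info["exit"], "?")
    if m["arch"] == "40000003" and info["nr"] == 5:   # i386 open(2)
        info["call"] = "open"
        info["flags"] = decode_open_flags(m["a1"])
        info["mode"] = f"0{int(m['a2'], 16):o}"
    return info


if __name__ == "__main__":
    print(render_module("tftp", "1.0", build_rules(SAMPLE_AUDIT)))
    print(explain_syscall(SAMPLE_AUDIT.splitlines()[1]))
```

The generated rules are deliberately narrower than "let tftpd write anything": the source type is tftpd_t and the target is only the public_content_rw_t files you labeled as writeable, so files left as var_t or public_content_t stay read-only to the daemon. The thread's own tftp.te also carries dir search and getattr, which come from further denials not quoted above; run the real audit2allow over the full log before building with checkmodule -M -m -o tftp.mod tftp.te, semodule_package -o tftp.pp -m tftp.mod and semodule -i tftp.pp. Note also that the chcon labels used in the thread do not survive a relabel; semanage fcontext -a -t tftpdir_t "/var/tftp(/.*)?" followed by restorecon -R /var/tftp records the mapping in file_contexts so it persists.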
tftp is used both for booting network devices like switches, routers, ADSL modem etc.... And also to let them save a configuration file or a log file. Often there are no alternatives for these devices.
On 10/20/2007 12:27 AM, Per Sjoholm wrote:
tftp is used both for booting network devices like switches, routers, ADSL modem etc.... And also to let them save a configuration file or a log file.
I use tftp almost weekly to backup the config of my Cisco and HP switches (i.e. transfer them from the devices to a storage server).