tftp from home dir running under xinetd

Gene Smith gds at chartertn.net
Thu Jul 7 04:22:40 UTC 2011


Marcos Ortiz Valmaseda wrote, On 07/04/2011 01:57 PM:
> For that reason, you have to see the avc denials, where you can check which process and system calls are being denied (xinetd or tftpd)
>
> Which is the SELinux policy version in your machine?
> Regards
> ----- Original message -----
> From: "Gene Smith"<gds at chartertn.net>
> To: users at lists.fedoraproject.org
> CC: selinux at lists.fedoraproject.org
> Sent: Monday, 4 July 2011 19:49:37 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: tftp from home dir running under xinetd
>
> Marcos Ortiz Valmaseda wrote, On 07/04/2011 01:44 PM:
>> We need the /var/log/messages or the /var/log/audit/audit.log to see what happens on the system.
>>
>> CC to selinux list too
>>
>> Try to do this:
>> 1- setenforce 0 to change to "permissive" mode
>>
>> 2- stop tftpd daemon:
>>      # service tftpd stop
>
> Thanks, I will try all this later when I have more time. However, does
> it matter that I don't have a running tftpd but only xinetd that
> activates tftpd on demand?

I'll answer this myself: tftpd may or may not be running since xinetd 
keeps it running for a minimum of 900 sec by default.
>
>>
>> 3- unload any rules that silently deny access
>>      # semodule -DB
>>
>> 4- check the time:
>>      # date
>>
>> 5- start the tftpd service:
>>      # service tftpd start

Actually, here I just run "tftp localhost" and run the "get" command to 
retrieve a file. This causes inetd to run the tftpd for a minimum 900-
second time period. The files in my ~ area are now accessible with tftp.

>>
>> 6- Then, collect all the Access Vector Cache (AVC) denials that occurred since you noted the system time. For example
>>
>>      # ausearch -m avc -ts 15:00

This seems to just show the log with timestamps. The raw log text seems 
to have unreadable timestamps.

>>
>> 7- Filter the log and try to generate a policy module using audit2allow:
>>      # grep "tftpd" /var/log/audit/audit.log | audit2allow -M tftpd
>>
>> 8- Check the tftpd.{te,fc} files, and if you are satisfied with it, you can install the policy module:
>>
>>     # semodule -i tftpd.pp
>>
>> 9- Then, check if the avc denials persist
>>
>> Regards
>>

Thanks! This procedure fixed the problem. Actually, I think I did 
something similar to this as directed by the gui "troubleshooter" but it 
didn't seem to work or else I just did something wrong. (One other note: 
all commands above have to be run as root or use sudo.) Also, I checked to 
make sure the new "policy" survives a reboot and it does.
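Steps 6 through 8 of the procedure above pipe raw audit.log lines through ausearch and audit2allow and then install whatever comes out. As an added illustration (not part of the thread, and not the code of ausearch or audit2allow), the Python below parses a few constructed AVC lines in the same format, turns the epoch timestamps Gene found unreadable into wall-clock times, narrows the denials by time and by comm the way `ausearch -ts` and `grep tftpd` do, and renders the same shape of allow rules that audit2allow writes into tftpd.te, so they can be read before `semodule -i`. The sample log, the pids, inodes and timestamps in it, and every function name are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log lines (not from the thread; pids,
# inodes and timestamps are made up). Epoch 1309800300 is 2011-07-04 17:25:00 UTC.
# The first line is an older, unrelated denial so the time and comm filters have
# something to exclude; the SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309700000.000:90): avc:  denied  { name_bind } for  pid=1900 comm="xinetd" src=69 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:tftp_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1309800300.123:101): avc:  denied  { search } for  pid=2211 comm="in.tftpd" name="gene" dev=dm-1 ino=131 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309800300.124:102): avc:  denied  { read } for  pid=2211 comm="in.tftpd" name="boot.img" dev=dm-1 ino=4242 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1309800300.124:102): arch=c000003e syscall=2 success=no exit=-13 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0 key=(null)
type=AVC msg=audit(1309800300.125:103): avc:  denied  { open } for  pid=2211 comm="in.tftpd" path="/home/gene/boot.img" dev=dm-1 ino=4242 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# One AVC "denied" record: audit(EPOCH.ms:serial), the permission set, comm, and the
# source/target security contexts plus object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def readable_time(epoch, utc=False):
    """Show an audit(EPOCH...) stamp as the wall-clock time ausearch prints."""
    tz = timezone.utc if utc else None
    return datetime.fromtimestamp(epoch, tz=tz).strftime("%Y-%m-%d %H:%M:%S")


def parse_avc_denials(text):
    """Return one dict per AVC denial line; SYSCALL and other record types are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["epoch"] = int(d["epoch"])
        d["perms"] = set(d["perms"].split())
        denials.append(d)
    return denials


def select_denials(denials, since_epoch=None, comm=None):
    """The equivalent of `ausearch -ts <time>` plus `grep tftpd`: keep only denials
    at or after since_epoch and, if given, only those from the named program."""
    return [d for d in denials
            if (since_epoch is None or d["epoch"] >= since_epoch)
            and (comm is None or d["comm"] == comm)]


def context_type(ctx):
    """user:role:type:level -> type (the part an allow rule is written in terms of)."""
    return ctx.split(":")[2]


def summarize(denials):
    """Group denied permissions by (source type, target type, class)."""
    summary = defaultdict(set)
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        summary[key] |= d["perms"]
    return dict(summary)


def render_te(summary):
    """Render the allow rules audit2allow would put in the .te file, one per key."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(lines)


if __name__ == "__main__":
    all_denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in all_denials:
        print(readable_time(d["epoch"]), d["comm"], d["perms"], d["tclass"])
    chosen = select_denials(all_denials, since_epoch=1309800000, comm="in.tftpd")
    print(render_te(summarize(chosen)))
```

Read the rendered rules as the review step 8 asks for: every permission listed there is something the confined tftpd_t domain would gain, so a denial that slipped into the window from another program (the xinetd line above is excluded only because of the comm filter) would otherwise be allowed too. Two things the thread does not spell out: `semodule -DB` keeps dontaudit rules switched off until `semodule -B` is run again, so the log stays noisier than normal until then; and for this particular case the reference policy's tftp module carries a `tftp_home_dir` boolean, which is a narrower change than a custom allow rule.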
