I can manually run a tftp server that allows access to files in a directory under ~ with no problem. But when I try to run the server under xinetd using the /etc/xinetd.d/tftp configuration file a "permission denied" error shows up in /var/log/message with no indication it is selinux related. But if I make selinux permissive for tftpd it then works.
Is there a quick way to configure selinux to allow this type of tftp access (just read-only) w/o resorting to a "permissive" setting?
Thanks, -gene
Can you show here the error in the log? Do you have SELinux enabled in enforcing mode? Try to do this: getsebool -a | grep tftpd to see all the booleans related to this service.
Regards
On 07/04/2011 12:50 AM, Gene Smith wrote:
I can manually run a tftp server that allows access to files in a directory under ~ with no problem. But when I try to run the server under xinetd using the /etc/xinetd.d/tftp configuration file a "permission denied" error shows up in /var/log/message with no indication it is selinux related. But if I make selinux permissive for tftpd it then works.
Is there a quick way to configure selinux to allow this type of tftp access (just read-only) w/o resorting to a "permissive" setting?
Thanks, -gene
Marcos Ortiz wrote, On 07/04/2011 02:02 AM:
Can you show here the error in the log? Do you have SELinux enabled in enforcing mode? Try to do this: getsebool -a | grep tftpd to see all the booleans related to this service.
Regards
$ getsebool -a | grep tftp
tftp_anon_write --> off
I have set this bool to "on" via the selinux gui and it made no difference. (Also, I am not trying to write via tftp, just read.)
This is the error I see running in full enforcing mode, and it occurs each time the remote host (a bdi2000 jtag emulator) attempts to read its configuration file using tftp from the fedora box.
Jul 4 00:36:33 wally xinetd[6013]: START: tftp pid=6706 from=192.168.1.21
Jul 4 00:36:33 wally in.tftpd[6706]: /home/gene/my_dir: Permission denied
Jul 4 00:36:33 wally xinetd[6013]: EXIT: tftp status=66 pid=6706 duration=0(sec)
When I change just the tftpd process to "permissive" using the selinux gui it fixes the problem.
Note: If I put the files read by the emulator in the "standard" location, /var/lib/tftpd, it works OK in full enforcing mode.
-gene
On 07/04/2011 12:50 AM, Gene Smith wrote:
I can manually run a tftp server that allows access to files in a directory under ~ with no problem. But when I try to run the server under xinetd using the /etc/xinetd.d/tftp configuration file a "permission denied" error shows up in /var/log/message with no indication it is selinux related. But if I make selinux permissive for tftpd it then works.
Is there a quick way to configure selinux to allow this type of tftp access (just read-only) w/o resorting to a "permissive" setting?
Thanks, -gene
--
Marcos Luís Ortíz Valmaseda
Software Engineer (UCI)
http://marcosluis2186.posterous.com
http://twitter.com/marcosluis2186
On 07/04/2011 01:20 AM, Gene Smith wrote:
I can manually run a tftp server that allows access to files in a directory under ~ with no problem. But when I try to run the server under xinetd using the /etc/xinetd.d/tftp configuration file a "permission denied" error shows up in /var/log/message with no indication it is selinux related. But if I make selinux permissive for tftpd it then works.
Is there a quick way to configure selinux to allow this type of tftp access (just read-only) w/o resorting to a "permissive" setting?
Thanks, -gene
Are you seeing any messages in /var/log/audit/audit.log?
ausearch -m avc -ts recent
If not, then you might be being blocked by a dontaudit rule.
# semodule -DB
will turn off dontaudit rules. Then run your test and see if AVC messages get generated.
# ausearch -m avc -ts recent
# semodule -B
will turn back on dontaudit rules.
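Once dontaudit rules are off, the AVC records are what tell you which type and class is being denied, not the xinetd line in /var/log/messages. The shell example below is added here and is not from the thread; the audit lines are constructed to mirror Gene's setup (a confined tftpd_t domain reading under a home directory), and the function summarizes each denial as source command, permission, object class and target type.

```sh
#!/bin/sh
# Constructed sample of what `ausearch -m avc -ts recent` prints for a
# confined in.tftpd reading from a home directory. Inode numbers, the
# timestamps and the file name are illustrative, not taken from the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1309757793.123:456): avc:  denied  { search } for  pid=6706 comm="in.tftpd" name="gene" dev=dm-0 ino=131074 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309757793.456:457): avc:  denied  { read } for  pid=6706 comm="in.tftpd" name="bdi.cfg" dev=dm-0 ino=131099 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# summarize_avc: read AVC records on stdin and print one line per denial:
#   <comm> <permission> <tclass> <target type>
# The target type (third field of tcontext) is the part to look at: a
# tftpdir_* type points at a boolean, a user_home_* type at file labeling.
summarize_avc() {
  awk '/avc: +denied/ {
    perm = ""; comm = ""; ttype = ""; tclass = "";
    # permission set looks like "{ search }"; strip the braces and spaces
    if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
      if ($i ~ /^tcontext=/) { n = split($i, c, ":"); ttype = c[3] }
      if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
    }
    print comm, perm, tclass, ttype
  }'
}

# denials_for_domain DOMAIN: keep only denials whose source domain is DOMAIN
# (e.g. tftpd_t), then summarize them.
denials_for_domain() {
  grep "scontext=[^ ]*:$1:" | summarize_avc
}

# Stand-alone run over the constructed sample. On a real box, after
# `semodule -DB`, pipe ausearch into it instead:
#   ausearch -m avc -ts recent | denials_for_domain tftpd_t
printf '%s\n' "$SAMPLE_AUDIT" | denials_for_domain tftpd_t
```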