tftp from home dir running under xinetd

Marcos Ortiz Valmaseda mlortiz at uci.cu
Mon Jul 4 17:44:12 UTC 2011


We need /var/log/messages or /var/log/audit/audit.log to see what is happening on the system.
 
CC to selinux list too

Try to do this:
1- setenforce 0 to change to "permissive" mode

2- stop tftpd daemon:
   # service tftpd stop

3- unload any rules that silently deny access
   # semodule -DB

4- check the time:
   # date

5- start the tftpd service:
   # service tftpd start

6- Then, collect all the Access Vector Cache (AVC) denials that occurred since you noted the system time. For example:

   # ausearch -m avc -ts 15:00 

7- Filter the log and try to generate a policy module using audit2allow: 
   # grep "tftpd" /var/log/audit/audit.log | audit2allow -M tftpd

8- Check the tftpd.{te,fc} files, and if you are satisfied with them, install the policy module:

  # semodule -i tftpd.pp

9- Then, check whether the AVC denials persist.

Regards

 
----- Original message -----
From: "Gene Smith" <gds at chartertn.net>
To: users at lists.fedoraproject.org
Sent: Monday, 4 July 2011 18:11:51 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: tftp from home dir running under xinetd

Marcos Ortiz wrote, On 07/04/2011 02:02 AM:
> Can you show here the error in the log?
> Do you have SELinux enabled in enforcing mode?
> Try to do this: getsebool -a | grep tftpd to see all the booleans related to
> this service.
>
> Regards

$ getsebool -a | grep tftp
tftp_anon_write --> off

I have set this bool to "on" via the selinux gui and it made no 
difference. (Also, I am not trying to write via tftp, just read.)

This is the error I see running in full enforcing mode and it 
occurs each time the remote host (a bdi2000 jtag emulator) attempts to 
read its configuration file using tftp from the fedora box.

Jul  4 00:36:33 wally xinetd[6013]: START: tftp pid=6706 from=192.168.1.21
Jul  4 00:36:33 wally in.tftpd[6706]: /home/gene/my_dir: Permission denied
Jul  4 00:36:33 wally xinetd[6013]: EXIT: tftp status=66 pid=6706 
duration=0(sec)

When I change just the tftpd process to "permissive" using the selinux 
gui it fixes the problem.

Note: If I put the files read by the emulator in the "standard" 
location, /var/lib/tftpd, it works OK in full enforcing mode.

-gene

>
> On 07/04/2011 12:50 AM, Gene Smith wrote:
>> I can manually run a tftp server that allows access to files in a
>> directory under ~ with no problem. But when I try to run the server
>> under xinetd using the /etc/xinetd.d/tftp configuration file a
>> "permission denied" error shows up in /var/log/messages with no
>> indication it is selinux related. But if I make selinux permissive for
>> tftpd it then works.
>>
>> Is there a quick way to configure selinux to allow this type of tftp
>> access (just read-only) w/o resorting to a "permissive" setting?
>>
>> Thanks,
>> -gene
>>
>
> --
> Marcos Luís Ortíz Valmaseda
>   Software Engineer (UCI)
>   http://marcosluis2186.posterous.com
>   http://twitter.com/marcosluis2186
>



-- 
Marcos Luís Ortíz Valmaseda
 Software Engineer (Large-Scaled Distributed Systems)
http://marcosluis2186.posterous.com
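Added example for this thread (not code posted by either participant): a POSIX shell function that reads the raw AVC records steps 6 and 7 above collect and prints, per denial, the permission, source type, target type, object class and object name, so the module audit2allow would generate can be reviewed before `semodule -i`. The audit records it runs on are constructed to mirror the in.tftpd "Permission denied" case in the thread; the inode numbers and the user_home_dir_t / user_home_t labels are assumptions about how a home directory would be labelled, and the httpd record is unrelated noise the filter must drop.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# Reads raw AVC records (as written to /var/log/audit/audit.log and as
# returned by "ausearch -m avc") and prints one line per denial for the
# given comm= value:  permission source_type target_type tclass name
# Reading these before "audit2allow -M" shows exactly which type pairs the
# generated module would allow.

# avc_summary COMM  - filter stdin for type=AVC records whose comm="COMM"
avc_summary() {
    want="$1"
    awk -v want="$want" '
        $1 == "type=AVC" && index($0, "comm=\"" want "\"") > 0 {
            perm = ""; src = ""; tgt = ""; cls = ""; name = ""
            # the permission set sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
                gsub(/ /, ",", perm)      # several permissions -> comma list
            }
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                # scontext/tcontext are user:role:type:level; keep the type
                if (key == "scontext")      { split(val, c, ":"); src = c[3] }
                else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
                else if (key == "tclass")   { cls = val }
                else if (key == "name")     { gsub(/"/, "", val); name = val }
            }
            print perm, src, tgt, cls, name
        }'
}

# sample_avc_log - CONSTRUCTED records modelled on the in.tftpd denial in the
# thread (pid 6706, /home/gene/my_dir). Inode numbers and the home-directory
# labels user_home_dir_t / user_home_t are assumptions; the SYSCALL record and
# the httpd record are noise that the filter must drop.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1309739793.120:401): avc:  denied  { search } for  pid=6706 comm="in.tftpd" name="gene" dev=dm-0 ino=131073 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309739793.121:402): avc:  denied  { read } for  pid=6706 comm="in.tftpd" name="my_dir" dev=dm-0 ino=131088 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1309739793.121:402): arch=c000003e syscall=2 success=no exit=-13 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0 key=(null)
type=AVC msg=audit(1309739801.500:407): avc:  denied  { write } for  pid=7001 comm="httpd" name="index.html" dev=dm-0 ino=262200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
EOF
}

# Stand-alone run: show what tftpd was denied. On a real host replace
# sample_avc_log with:  ausearch -m avc -ts <time> | avc_summary in.tftpd
sample_avc_log | avc_summary in.tftpd
```

The point of reading the target type column before running audit2allow: the denials here are against user_home_dir_t and user_home_t, and an allow rule derived from them lets tftpd_t read every file carrying those labels, not just /home/gene/my_dir. That is also why Gene's observation matters that the same files serve fine from /var/lib/tftpd in enforcing mode: the label on the directory, not the daemon, is what differs between the two locations.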
