tftp from home dir running under xinetd

Daniel J Walsh dwalsh at redhat.com
Tue Jul 5 13:16:05 UTC 2011



On 07/04/2011 01:57 PM, Marcos Ortiz Valmaseda wrote:
> For that reason, you have to look at the AVC denials, where you can check which process and system calls are being denied (xinetd or tftpd).
> 
> Which is the SELinux policy version in your machine?
> Regards
> ----- Original Message -----
> From: "Gene Smith" <gds at chartertn.net>
> To: users at lists.fedoraproject.org
> CC: selinux at lists.fedoraproject.org
> Sent: Monday, 4 July 2011 19:49:37 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: tftp from home dir running under xinetd
> 
> Marcos Ortiz Valmaseda wrote, On 07/04/2011 01:44 PM:
>> We need the /var/log/messages or the /var/log/audit/audit.log to see what happens on the system.
>>
>> CC to selinux list too
>>
>> Try to do this:
>> 1- setenforce 0 to change to "permissive" mode
>>
>> 2- stop tftpd daemon:
>>     # service tftpd stop
> 
> Thanks, I will try all this later when I have more time. However, does 
> it matter that I don't have a running tftpd but only xinetd that 
> activates tftpd on demand?
> 
>>
>> 3- unload any rules that silently deny access
>>     # semodule -DB
>>
>> 4- check the time:
>>     # date
>>
>> 5- start the tftpd service:
>>     # service tftpd start
>>
>> 6- Then, collect all the Access Vector Cache (AVC) denials that occurred since you noted the system time. For example:
>>
>>     # ausearch -m avc -ts 15:00
>>
>> 7- Filter the log and try to generate a policy module using audit2allow:
>>     # grep "tftpd" /var/log/audit/audit.log | audit2allow -M tftpd
>>
>> 8- Check the tftpd.{te,fc} files, and if you are happy with them, you can install the policy module:
>>
>>    # semodule -i tftpd.pp
>>
>> 9- Then, check if the avc denials persist
>>
>> Regards
>>
>>
>> ----- Original Message -----
>> From: "Gene Smith"<gds at chartertn.net>
>> To: users at lists.fedoraproject.org
>> Sent: Monday, 4 July 2011 18:11:51 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
>> Subject: Re: tftp from home dir running under xinetd
>>
>> Marcos Ortiz wrote, On 07/04/2011 02:02 AM:
>>> Can you show here the error in the log?
>>> Do you have SELinux enabled in enforcing mode?
>>> Try to do this: getsebool -a | grep tftpd to see all booleans related to
>>> this service.
>>>
>>> Regards
>>
>> $ getsebool -a | grep tftp
>> tftp_anon_write -->  off
>>
>> I have set this bool to "on" via the selinux gui and it made no
>> difference. (Also, I am not trying to write via tftp, just read.)
>>
>> This is the error I see running in full enforcing mode and it
>> occurs each time the remote host (a bdi2000 jtag emulator) attempts to
>> read its configuration file using tftp from the fedora box.
>>
>> Jul  4 00:36:33 wally xinetd[6013]: START: tftp pid=6706 from=192.168.1.21
>> Jul  4 00:36:33 wally in.tftpd[6706]: /home/gene/my_dir: Permission denied
>> Jul  4 00:36:33 wally xinetd[6013]: EXIT: tftp status=66 pid=6706
>> duration=0(sec)
>>
>> When I change just the tftpd process to "permissive" using the selinux
>> gui it fixes the problem.
>>
>> Note: If I put the files read by the emulator in the "standard"
>> location, /var/lib/tftpd, it works OK in full enforcing mode.
>>
>> -gene
>>
>>>
>>> On 07/04/2011 12:50 AM, Gene Smith wrote:
>>>> I can manually run a tftp server that allows access to files in a
>>>> directory under ~ with no problem. But when I try to run the server
>>>> under xinetd using the /etc/xinetd.d/tftp configuration file a
>>>> "permission denied" error shows up in /var/log/messages with no
>>>> indication it is selinux related. But if I make selinux permissive for
>>>> tftpd it then works.
>>>>
>>>> Is there a quick way to configure selinux to allow this type of tftp
>>>> access (just read-only) w/o resorting to a "permissive" setting?
>>>>
>>>> Thanks,
>>>> -gene
>>>>
>>>
>>> --
>>> Marcos Luís Ortíz Valmaseda
>>>    Software Engineer (UCI)
>>>    http://marcosluis2186.posterous.com
>>>    http://twitter.com/marcosluis2186
>>>
>>
>>
> 
> 
I would like to see what context tftpd is running in when launched out of
xinetd.


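An added example, not code from the thread or from Fedora's own tooling. Because the in.tftpd that xinetd spawns exits as soon as the request is served (the xinetd EXIT line above shows duration=0), ps -eZ will rarely catch it; the reliable place to read the domain Dan asks about is the scontext= field of the AVC record itself. The script below parses AVC records into one line per denial (command, source type, target type, object class, permissions) and wraps steps 1 to 7 of the procedure quoted above in a function that only runs when it has root and the audit tools. The audit records embedded in it are constructed for the demo (pids, inodes and timestamps are made up), and the module name tftpd_local is an assumption.

```shell
#!/bin/bash
# Added example, not code from the thread: summarize SELinux AVC denials
# so you can see which source domain (scontext) is denied which permission
# on which target type (tcontext). That is the context tftpd runs in when
# xinetd launches it. The audit records below are constructed for this
# demo; pids, inodes and timestamps are made up.

# Constructed sample of /var/log/audit/audit.log content: two AVC records
# plus the SYSCALL record that belongs to the first one.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1309736193.123:4567): avc:  denied  { search } for  pid=6706 comm="in.tftpd" name="gene" dev=dm-0 ino=131072 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1309736193.123:4567): arch=c000003e syscall=80 success=no exit=-13 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1309736193.456:4568): avc:  denied  { read } for  pid=6706 comm="in.tftpd" name="bdi2000.cfg" dev=dm-0 ino=131076 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_summary: read audit records on stdin, print one line per denial:
#   <comm> <source type> <target type> <object class> <permission(s)>
# Permissions come last so a multi-permission denial ("read write") still
# splits cleanly with read(1). Only the type component of each context is
# kept, since that is what policy rules are written against.
avc_summary() {
    grep '^type=AVC' | grep 'denied' | sed -E \
        's/.*denied +\{ ([^}]*) \}.*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]*).*/\2 \3 \4 \5 \1/'
}

# explain_denials: read avc_summary output and say what each line means.
# Returns 0 when at least one denial came from the confined tftpd_t domain,
# non-zero otherwise, so callers can branch on it.
explain_denials() {
    local confined=1
    while read -r comm stype ttype tclass perm; do
        [ "$stype" = tftpd_t ] && confined=0
        echo "$comm runs as $stype and was denied '$perm' on a $tclass labeled $ttype"
    done
    return "$confined"
}

# collect_tftpd_denials: steps 1-7 of the quoted procedure as one function
# (permissive, dontaudit off, collect, summarize, draft a module). Needs
# root and the audit/policycoreutils tools, so it only prints a hint
# otherwise. Read the generated .te before 'semodule -i': audit2allow
# allows tftpd_t to read every file of the denied type, not just one dir.
collect_tftpd_denials() {
    local mod="${1:-tftpd_local}"   # hypothetical module name
    if [ "$(id -u)" != 0 ] || ! command -v ausearch >/dev/null 2>&1; then
        echo "collect_tftpd_denials: needs root plus ausearch/audit2allow" >&2
        return 2
    fi
    setenforce 0                     # permissive: log every denial, deny none
    semodule -DB                     # rebuild policy with dontaudit rules off
    local since
    since=$(date +%H:%M:%S)
    echo "trigger the tftp read from the client now, then press Enter"
    read -r _
    ausearch -m avc -ts "$since" -c in.tftpd > "$mod.log"
    avc_summary < "$mod.log" | explain_denials
    audit2allow -M "$mod" < "$mod.log"   # writes $mod.te and $mod.pp
    semodule -B                      # dontaudit rules back on
    setenforce 1
}

# Offline demo on the constructed records.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary | explain_denials
```

Run it as-is for the offline summary; on the Fedora box call collect_tftpd_denials instead. Before installing what audit2allow produced, read tftpd_local.te: a rule that lets tftpd_t read user_home_t applies to every file in every home directory, not only /home/gene/my_dir. The narrower fix, which goes beyond what the thread itself covers, is usually to give the directory a type that tftpd_t already reads (for example semanage fcontext -a -t tftpdir_t '/home/gene/my_dir(/.*)?' followed by restorecon -Rv /home/gene/my_dir) and then rerun the summary to confirm nothing along the path is still denied.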

