Re: tftp from home dir running under xinetd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/04/2011 01:57 PM, Marcos Ortiz Valmaseda wrote:
> For that reason, you have to look at the avc denials; there you can check which process and system calls are being denied (xinetd or tftpd)
> 
> Which SELinux policy version is on your machine?
> Regards
> ----- Original Message -----
> From: "Gene Smith" <gds@xxxxxxxxxxxxx>
> To: users@xxxxxxxxxxxxxxxxxxxxxxx
> CC: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Monday, 4 July 2011 19:49:37 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: tftp from home dir running under xinetd
> 
> Marcos Ortiz Valmaseda wrote, On 07/04/2011 01:44 PM:
>> We need the /var/log/messages or the /var/log/audit/audit.log to see what happens on the system.
>>
>> CC to selinux list too
>>
>> Try to do this:
>> 1- setenforce 0 to change to "permissive" mode
>>
>> 2- stop tftpd daemon:
>>     # service tftpd stop
> 
> Thanks, I will try all this later when I have more time. However, does 
> it matter that I don't have a running tftpd but only xinetd that 
> activates tftdp on demand?
> 
>>
>> 3- unload any rules that silently deny access
>>     # semodule -DB
>>
>> 4- check the time:
>>     # date
>>
>> 5- start the tftpd service:
>>     # service tftpd start
>>
>> 6- Then, collect all the Access Vector Cache (AVC) denials that occurred since you noted the system time. For example
>>
>>     # ausearch -m avc -ts 15:00
>>
>> 7- Filter the log and try to generate a policy module using audit2allow:
>>     # grep "tftpd" /var/log/audit/audit.log | audit2allow -M tftpd
>>
>> 8- Check the tftpd.{te,fc} files, and if you are satisfied with them, you can install the policy module:
>>
>>    # semodule -i tftpd.pp
>>
>> 9- Then, check if the avc denials persist
>>
>> Regards
>>
>>
>> ----- Original Message -----
>> From: "Gene Smith"<gds@xxxxxxxxxxxxx>
>> To: users@xxxxxxxxxxxxxxxxxxxxxxx
>> Sent: Monday, 4 July 2011 18:11:51 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
>> Subject: Re: tftp from home dir running under xinetd
>>
>> Marcos Ortiz wrote, On 07/04/2011 02:02 AM:
>>> Can you show here the error in the log?
>>> Do you have SELinux enabled in enforcing mode?
>>> Try to do this: getsebool -a | grep tftpd to see all booleans related to
>>> this service.
>>>
>>> Regards
>>
>> $ getsebool -a | grep tftp
>> tftp_anon_write -->  off
>>
>> I have set this bool to "on" via the selinux gui and it made no
>> difference. (Also, I am not trying to write via tftp, just read.)
>>
>> This is the error I see running in full enforcing mode and it
>> occurs each time the remote host (a bdi2000 jtag emulator) attempts to
>> read its configuration file using tftp from the fedora box.
>>
>> Jul  4 00:36:33 wally xinetd[6013]: START: tftp pid=6706 from=192.168.1.21
>> Jul  4 00:36:33 wally in.tftpd[6706]: /home/gene/my_dir: Permission denied
>> Jul  4 00:36:33 wally xinetd[6013]: EXIT: tftp status=66 pid=6706
>> duration=0(sec)
>>
>> When I change just the tftpd process to "permissive" using the selinux
>> gui it fixes the problem.
>>
>> Note: If I put the files read by the emulator in the "standard"
>> location, /var/lib/tftpd, it works OK in full enforcing mode.
>>
>> -gene
>>
>>>
>>> On 07/04/2011 12:50 AM, Gene Smith wrote:
>>>> I can manually run a tftp server that allows access to files in a
>>>> directory under ~ with no problem. But when I try to run the server
>>>> under xinetd using the /etc/xinetd.d/tftp configuration file a
>>>> "permission denied" error shows up in /var/log/messages with no
>>>> indication it is selinux related. But if I make selinux permissive for
>>>> tftpd it then works.
>>>>
>>>> Is there a quick way to configure selinux to allow this type of tftp
>>>> access (just read-only) w/o resorting to a "permissive" setting?
>>>>
>>>> Thanks,
>>>> -gene
>>>>
>>>
>>> --
>>> Marcos Luís Ortíz Valmaseda
>>>    Software Engineer (UCI)
>>>    http://marcosluis2186.posterous.com
>>>    http://twitter.com/marcosluis2186
>>>
>>
>>
> 
> 
I would like to see what context tftpd is running in when launched out of
xinetd.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4TDpUACgkQrlYvE4MpobPlgACgwE6Dmiy0vrvdAV0afvrUVzp8
M6IAoLc47gC9FEzb2dLqeoqnz0LlxFjl
=HaqN
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
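Added example (mine, not code from the thread, from Fedora, or from the SELinux tools): a small Python parser for the `type=AVC` records that step 6's `ausearch -m avc` pulls out of /var/log/audit/audit.log. The sample records below are constructed to resemble Gene's situation (timestamps, inode numbers, the SYSCALL line and the xinetd record are made up); run over them, the script answers the two diagnostic questions raised in the thread: which process is actually being denied, xinetd or in.tftpd, and which SELinux domain (the type in `scontext`) in.tftpd runs in when xinetd launches it.

```python
import re

# Constructed sample of /var/log/audit/audit.log records (not taken from the thread).
# The tftpd records mirror Gene's report: in.tftpd, confined as tftpd_t, is denied
# access to a directory under /home, which carries a user_home_* label.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309754193.512:4021): avc:  denied  { search } for  pid=6706 comm="in.tftpd" name="gene" dev=dm-0 ino=131072 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1309754193.512:4021): arch=c000003e syscall=2 success=no exit=-13 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0
type=AVC msg=audit(1309754193.513:4022): avc:  denied  { read } for  pid=6706 comm="in.tftpd" name="my_dir" dev=dm-0 ino=131073 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1309754300.007:4031): avc:  denied  { write } for  pid=6013 comm="xinetd" name="xinetd.log" dev=dm-0 ino=262144 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Shape of one AVC record: header with epoch timestamp and serial, the verdict,
# the permission set in braces, then space-separated key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type (third colon-separated part) of an SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec


def denials_since(log_text, since_ts):
    """Offline equivalent of step 6: AVC denials at or after an epoch timestamp."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec['timestamp'] >= since_ts:
            out.append(rec)
    return out


def summarize(records):
    """Group denials by (comm, source type). The key tells you which process was
    denied (xinetd vs in.tftpd) and which domain it ran in; each entry records
    what it wanted, on which object class, labelled with which type."""
    summary = {}
    for rec in records:
        key = (rec.get('comm', '?'), context_type(rec['scontext']))
        entry = (' '.join(rec['perms']), rec.get('tclass', '?'), context_type(rec['tcontext']))
        summary.setdefault(key, []).append(entry)
    return summary


def report(log_text, since_ts=0.0):
    """Human-readable summary, one block per denied process."""
    lines = []
    for (comm, stype), entries in sorted(summarize(denials_since(log_text, since_ts)).items()):
        lines.append(f'{comm} running as {stype}:')
        for perms, tclass, ttype in entries:
            lines.append(f'    denied {{ {perms} }} on {tclass} labelled {ttype}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_AUDIT_LOG))
```

To use it on a real box, pass the contents of /var/log/audit/audit.log to `report()` together with the epoch time noted in step 4; that reproduces the `-ts` filter of `ausearch`. The `tcontext` type on the denied directory is the thing to look at before step 8: a rule generated by `audit2allow -M tftpd` from a denial like the `user_home_t` one above would let tftpd_t read every user home directory on the machine, which is far broader than relabelling the one directory the emulator needs (Gene's observation that the standard location /var/lib/tftpd works is exactly this labelling difference).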

