Re: tftp from home dir running under xinetd

Marcos Ortiz Valmaseda wrote, On 07/04/2011 01:57 PM:
> For that reason, you have to see the avc denials; there you can check which process and system calls are being denied (xinetd or tftpd)
>
> Which is the SELinux policy version in your machine?
> Regards
> ----- Original message -----
> From: "Gene Smith"<gds@xxxxxxxxxxxxx>
> To: users@xxxxxxxxxxxxxxxxxxxxxxx
> CC: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Monday, 4 July 2011 19:49:37 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: tftp from home dir running under xinetd
>
> Marcos Ortiz Valmaseda wrote, On 07/04/2011 01:44 PM:
>> We need the /var/log/messages or the /var/log/audit/audit.log to see what happens on the system.
>>
>> CC to selinux list too
>>
>> Try to do this:
>> 1- setenforce 0 to change to "permissive" mode
>>
>> 2- stop tftpd daemon:
>>      # service tftpd stop
>
> Thanks, I will try all this later when I have more time. However, does
> it matter that I don't have a running tftpd but only xinetd that
> activates tftpd on demand?

I'll answer this myself: tftpd may or may not be running since xinetd 
keeps it running for a minimum of 900 sec by default.
>
>>
>> 3- unload any rules that silently deny access
>>      # semodule -DB
>>
>> 4- check the time:
>>      # date
>>
>> 5- start the tftpd service:
>>      # service tftpd start

Actually, here I just run "tftp localhost" and do a "get" command to 
retrieve a file. This causes inetd to run the tftpd for a minimum 900 
second time period. The files in my ~ area are now accessible with tftp.

>>
>> 6- Then, collect all the Access Vector Cache (AVC) denials that occurred since you noted the system time. For example
>>
>>      # ausearch -m avc -ts 15:00

This seems to just show the log with timestamps. The raw log text seems 
to have unreadable timestamps.

>>
>> 7- Filter the log and try to generate a policy module using audit2allow:
>>      # grep "tftpd" /var/log/audit/audit.log | audit2allow -M tftpd
>>
>> 8- Check the tftpd.{te,fc} files, and if you are happy with them, you can install the policy module:
>>
>>     # semodule -i tftpd.pp
>>
>> 9- Then, check if the avc denials persist
>>
>> Regards
>>

Thanks! This procedure fixed the problem. Actually, I think I did 
something similar to this as directed by the gui "troubleshooter" but it 
didn't seem to work or else I just did something wrong. (One other note: 
all commands above have to be run as root or use sudo.) Also, checked to 
make sure the new "policy" survives a reboot and it does.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
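The triage step discussed in this thread is working out, from the raw audit.log, which process (in.tftpd or xinetd) is being denied, what permission on what target, and what the epoch timestamps in the raw log mean. The following is an added example, not code from the thread or from the audit tools it mentions: it parses constructed AVC and SYSCALL records, joins them on the audit serial, renders the timestamps in UTC, and counts the (domain, type, class, permission) tuples that audit2allow would turn into allow rules; all function names are mine.

```python
import re
from datetime import datetime, timezone
# Constructed sample audit.log records (not from the thread); the epoch timestamps in
# msg=audit(SECS.MSEC:SERIAL) are what make the raw log hard to read.
SAMPLE_LOG = """\
type=AVC msg=audit(1309800123.456:789): avc:  denied  { read } for  pid=1234 comm="in.tftpd" name="fw.bin" dev=dm-0 ino=4242 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1309800123.456:789): arch=c000003e syscall=2 success=no exit=-13 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0 key=(null)
type=AVC msg=audit(1309800130.001:790): avc:  denied  { search } for  pid=1234 comm="in.tftpd" name="gene" dev=dm-0 ino=99 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309800131.500:791): avc:  denied  { name_bind } for  pid=1000 comm="xinetd" scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:tftp_port_t:s0 tclass=udp_socket
"""
AUDIT_HDR = re.compile(r'type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Return AVC denials with readable UTC timestamps, joined to the SYSCALL
    record that shares the same audit serial so the denied syscall number is known."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = AUDIT_HDR.match(line)
        if not m:
            continue
        rtype, secs, _msec, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'SYSCALL':
            syscalls[serial] = fields.get('syscall')
        elif rtype == 'AVC' and (a := AVC_RE.search(body)):
            ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
            denials.append({'time': ts.strftime('%Y-%m-%d %H:%M:%S UTC'),
                            'serial': serial, 'perms': a.group(1).split(),
                            'comm': fields.get('comm'), 'name': fields.get('name'),
                            'scontext': fields['scontext'], 'tcontext': fields['tcontext'],
                            'tclass': fields['tclass']})
    for d in denials:  # SYSCALL records can follow their AVC record, so join at the end
        d['syscall'] = syscalls.get(d['serial'])
    return denials

def denials_by_comm(text, comm):
    """Denials raised by one process name, e.g. 'in.tftpd' or 'xinetd'."""
    return [d for d in parse_audit(text) if d['comm'] == comm]

def summarize(text):
    """Count (source domain, target type, class, permission) tuples: the grouping
    audit2allow collapses into allow rules, handy when reviewing the generated .te."""
    counts = {}
    for d in parse_audit(text):
        for perm in d['perms']:
            key = (d['scontext'].split(':')[2], d['tcontext'].split(':')[2], d['tclass'], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Run it against a real /var/log/audit/audit.log by passing the file contents to parse_audit; a denial whose scontext domain is tftpd_t and tcontext type is user_home_t is exactly the home-directory access the thread's policy module allows, so review each tuple before installing the module.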
