On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote:
> I'm currently testing the latest rawhide build (F7), and I need help in
> allowing tftpd traffic (for PXE functionality).
> My previous workaround solution was:
> setsebool -P tftpd_disable_trans=1
> But this is no longer allowed under rawhide (F7). I tried running
> system-config-selinux to search for any entry on tftp or tftpd, but
> found none. Any other suggestion/workaround without disabling selinux?

You can use audit2allow to create a policy module to allow the access
and add it, e.g.
audit2allow -a -M local
semodule -i local.pp

>
> Here is the output from Selinux troubleshooter:
>
> Summary
>     SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to /
>     (rsync_data_t).
>
> Detailed Description
>     SELinux denied access requested by /usr/sbin/in.tftpd. It is not expected
>     that this access is required by /usr/sbin/in.tftpd and this access may
>     signal an intrusion attempt. It is also possible that the specific version
>     or configuration of the application is causing it to require additional
>     access.
>
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials. You could try to
>     restore the default system file context for /, restorecon -v / If this does
>     not work, there is currently no automatic way to allow this access. Instead,
>     you can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
>
> Additional Information
>
> Source Context          user_u:system_r:tftpd_t
> Target Context          system_u:object_r:rsync_data_t
> Target Objects          / [ dir ]
> Affected RPM Packages   tftp-server-0.42-4 [application]
>                         filesystem-2.4.6-1.fc7 [target]
> Policy RPM              selinux-policy-2.6.1-1.fc7
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             plugins.catchall_file
> Host Name               fiji3
> Platform                Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26
>                         10:17:55 EDT 2007 x86_64 x86_64
> Alert Count             20
> First Seen              Wed 09 May 2007 02:18:14 PM EDT
> Last Seen               Wed 09 May 2007 02:42:14 PM EDT
> Local ID                736e2428-de9a-469b-8b77-92bce3a8eacd
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0
> exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
> pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0
> subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
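
Added example, not part of the original message and not audit2allow's own code: a simplified Python preview of the allow rules that the denials in an audit log translate to, useful for review because `audit2allow -a` reads every denial in the log, not only the tftpd one. The sample log is the thread's denial (abridged) plus two constructed lines; `parse_avc`, `fmt` and `build_module` are names chosen here.

```python
import re
from collections import defaultdict

# Sample input. Line 1 is the denial quoted in the thread, abridged to the
# fields used here; lines 2 and 3 are constructed for illustration.
SAMPLE_LOG = '''\
avc: denied { search } for comm="in.tftpd" dev=sda6 name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 tclass=dir tcontext=system_u:object_r:rsync_data_t:s0
avc: denied { read } for comm="in.tftpd" name="pxelinux.0" scontext=user_u:system_r:tftpd_t:s0 tclass=file tcontext=system_u:object_r:rsync_data_t:s0
type=SYSCALL msg=audit(0.0:0): constructed non-AVC record, skipped
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, class, [perms]) or None."""
    m = AVC_RE.search(line)
    if not m or not m.group(1).split():
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the rule uses only the type.
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        return src, tgt, fields['tclass'], m.group(1).split()
    except (KeyError, IndexError):
        return None

def fmt(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'

def build_module(log_text, name='local'):
    """Merge all denials into one reviewable .te source text."""
    rules, classes = defaultdict(set), defaultdict(set)
    for src, tgt, cls, perms in filter(None, map(parse_avc, log_text.splitlines())):
        rules[(src, tgt, cls)].update(perms)
        classes[cls].update(perms)
    types = sorted({x for (s, t, _c) in rules for x in (s, t)})
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_module(SAMPLE_LOG))
```

Reading the rules before loading the module shows which types are being granted access; here the target type is rsync_data_t on /, the labeling question the troubleshooter output raises.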