Re: allowing in.tftpd to read/write files?

[Per Sjoholm <Per.t.Sjoholm@xxxxxxxxxx>]

tftp is used both for booting network devices like switches, routers, 
ADSL modem  etc....
And also to let them save a configuration file  or a log file.
Often there are no alternatives for these devices.


Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chuck Anderson wrote:
>   
> > How do I allow tftpd to write files?  I changed the context to 
> > "system_u:object_r:public_content_rw_t:s0" but that doesn't work.  
> > Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem 
> > to be any file_contexts set up for /var/tftp.  I manually set the 
> > context to match that of /tftpboot:
> >
> > drwxr-xr-x  root root system_u:object_r:tftpdir_t      /tftpboot//
> > drwxrwsr-x  tftp tftp system_u:object_r:tftpdir_t      /var/tftp/
> >
> > -rw-rw-rw-  cra tftp system_u:object_r:public_content_rw_t /var/tftp/testfile
> >
> > type=AVC msg=audit(1192818715.964:10131): avc:  denied  { write } for  
> > pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 
> > ino=84549655 scontext=user_u:system_r:tftpd_t:s0 
> > tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
> > type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 
> > success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0 
> > ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99 
> > egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd" 
> > exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
> >
> > Thanks.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >     
> I did not even know you could updload with tftp.
>
> Is this common?  I would think this is dangerous and insecure, but with
> SELinux you could make it a little more secure.
>
> tftp can only read public_content policy
>
> So we have three options.
>
> 1 Use audit2allow to generate policy to allow tftp to write to the
> files/directory you want.
>
> 2. convince me or upstream that tftp should be able to write to
> public_content_rw_t.
>
> BTW, I was at WPI this past Tuesday at the Robot Symposium.  It was
> quite good.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFHGP6urlYvE4MpobMRAgHjAKDb45z3W1JULWg/8VmkXr2BReRWAwCg126n
> 4NPy8tcl5A5ztiCOJIKAP5E=
> =8i2h
> -----END PGP SIGNATURE-----
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list