For that reason, you have to look at the AVC denials, where you can check
which process and system calls are being denied (xinetd or tftpd).
Which SELinux policy version is on your machine?

Regards

----- Original Message -----
From: "Gene Smith" <gds@xxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxxxxxxxxx
CC: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Monday, 4 July 2011 19:49:37 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: tftp from home dir running under xinetd

Marcos Ortiz Valmaseda wrote, On 07/04/2011 01:44 PM:
> We need the /var/log/messages or the /var/log/audit/audit.log to see what happens on the system.
>
> CC to selinux list too
>
> Try to do this:
> 1- setenforce 0 to change to "permissive" mode
>
> 2- stop tftpd daemon:
> # service tftpd stop

Thanks, I will try all this later when I have more time. However, does
it matter that I don't have a running tftpd but only xinetd that
activates tftpd on demand?

>
> 3- unload any rules that silently deny access
> # semodule -DB
>
> 4- check the time:
> # date
>
> 5- start the tftpd service:
> # service tftpd start
>
> 6- Then, collect all the Access Vector Cache (AVC) denials that occurred since you noted the system time. For example
>
> # ausearch -m avc -ts 15:00
>
> 7- Filter the log and try to generate a policy module using audit2allow:
> # grep "tftpd" /var/log/audit/audit.log | audit2allow -M tftpd
>
> 8- Check the tftpd.{te,fc} files, and if you have enough with it, you can install the policy module:
>
> # semodule -i tftpd.pp
>
> 9- Then, check if the avc denials persist
>
> Regards
>
>
> ----- Original Message -----
> From: "Gene Smith" <gds@xxxxxxxxxxxxx>
> To: users@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Monday, 4 July 2011 18:11:51 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: tftp from home dir running under xinetd
>
> Marcos Ortiz wrote, On 07/04/2011 02:02 AM:
>> Can you show here the error in the log?
>> Do you have SELinux enabled in enforcing mode?
>> Try to do this: getsebool -a | grep tftpd to see all booleans related to
>> this service.
>>
>> Regards
>
> $ getsebool -a | grep tftp
> tftp_anon_write --> off
>
> I have set this bool to "on" via the selinux gui and it made no
> difference. (Also, I am not trying to write via tftp, just read.)
>
> This is the error I see running in full enforcing mode and it
> occurs each time the remote host (a bdi2000 jtag emulator) attempts to
> read its configuration file using tftp from the fedora box.
>
> Jul 4 00:36:33 wally xinetd[6013]: START: tftp pid=6706 from=192.168.1.21
> Jul 4 00:36:33 wally in.tftpd[6706]: /home/gene/my_dir: Permission denied
> Jul 4 00:36:33 wally xinetd[6013]: EXIT: tftp status=66 pid=6706 duration=0(sec)
>
> When I change just the tftpd process to "permissive" using the selinux
> gui it fixes the problem.
>
> Note: If I put the files read by the emulator in the "standard"
> location, /var/lib/tftpd, it works OK in full enforcing mode.
>
> -gene
>
>>
>> On 07/04/2011 12:50 AM, Gene Smith wrote:
>>> I can manually run a tftp server that allows access to files in a
>>> directory under ~ with no problem. But when I try to run the server
>>> under xinetd using the /etc/xinetd.d/tftp configuration file a
>>> "permission denied" error shows up in /var/log/messages with no
>>> indication it is selinux related. But if I make selinux permissive for
>>> tftpd it then works.
>>>
>>> Is there a quick way to configure selinux to allow this type of tftp
>>> access (just read-only) w/o resorting to a "permissive" setting?
>>>
>>> Thanks,
>>> -gene
>>>
>>
>> --
>> Marcos Luís Ortíz Valmaseda
>> Software Engineer (UCI)
>> http://marcosluis2186.posterous.com
>> http://twitter.com/marcosluis2186
>>
>
> --
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

--
Marcos Luís Ortíz Valmaseda
Software Engineer (Large-Scaled Distributed Systems)
http://marcosluis2186.posterous.com

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
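The procedure in the thread (note the time, reproduce the failure, pull the AVC records with ausearch, feed them to audit2allow) boils down to reading the AVC denials and grouping them by source type, target type and object class. The script below is an added example, not code from the thread or from any of the participants: it parses AVC records, correlates them with the xinetd "START: tftp pid=NNN" lines Gene posted so that only the in.tftpd child's denials are kept, and prints the same allow rules audit2allow -M would put into the .te file. The audit.log lines in AUDIT_LOG are constructed for this example (they are not from Gene's machine), and the type names tftpd_t, user_home_dir_t and user_home_t are assumptions about the labels involved.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records for this example (not from the thread).
# The type names tftpd_t / user_home_dir_t / user_home_t are assumed labels.
# The last record is an unrelated denial, to show the pid filter at work.
AUDIT_LOG = """\
type=AVC msg=audit(1309761393.101:4101): avc:  denied  { search } for  pid=6706 comm="in.tftpd" name="gene" dev=dm-0 ino=131074 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309761393.102:4102): avc:  denied  { read } for  pid=6706 comm="in.tftpd" name="my_dir" dev=dm-0 ino=131080 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1309761393.103:4103): avc:  denied  { read open } for  pid=6706 comm="in.tftpd" name="bdi2000.cfg" dev=dm-0 ino=131081 scontext=system_u:system_r:tftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309761400.500:4104): avc:  denied  { name_connect } for  pid=7001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# The /var/log/messages lines Gene posted: xinetd records the pid it spawned.
MESSAGES_LOG = """\
Jul 4 00:36:33 wally xinetd[6013]: START: tftp pid=6706 from=192.168.1.21
Jul 4 00:36:33 wally in.tftpd[6706]: /home/gene/my_dir: Permission denied
Jul 4 00:36:33 wally xinetd[6013]: EXIT: tftp status=66 pid=6706 duration=0(sec)
"""

# Fields of an AVC record we care about; the kernel pads "avc:  denied  {"
# with double spaces, hence the \s+.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial record found in text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["perms"] = set(rec["perms"].split())
        records.append(rec)
    return records


def tftpd_pids(messages):
    """PIDs xinetd started tftp under, taken from its 'START: tftp pid=NNN' lines."""
    return {int(m.group(1)) for m in re.finditer(r"START: tftp pid=(\d+)", messages)}


def type_of(context):
    """The type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(records, pids=None):
    """Group denials by (source type, target type, class) -> union of permissions.
    With pids given, keep only records from those processes (the xinetd child)."""
    rules = defaultdict(set)
    for r in records:
        if pids is not None and r["pid"] not in pids:
            continue
        rules[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])] |= r["perms"]
    return dict(rules)


def allow_rules(summary):
    """The allow rules audit2allow would emit for this summary, sorted."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in summary.items()
    )


def home_labelled_targets(summary):
    """Target types from the user home family. A daemon denied on these is usually
    a labelling problem (files carry the user's label, not one the daemon may read),
    which relabelling fixes more narrowly than a new allow rule would."""
    return sorted({t for (_, t, _) in summary if t.startswith("user_home")})


if __name__ == "__main__":
    recs = parse_avc(AUDIT_LOG)
    summary = summarize(recs, tftpd_pids(MESSAGES_LOG))
    for rule in allow_rules(summary):
        print(rule)
    print("home-labelled targets:", home_labelled_targets(summary))
```

Filtering by the xinetd child's pid is what makes the difference for Gene's setup: there is no long-running tftpd, only the in.tftpd process xinetd spawns per request, so "grep tftpd" over the whole audit.log is the coarse version of the same join. The rules the script prints are also the reason to read the generated tftpd.te before running semodule -i: an "allow tftpd_t user_home_t:file { open read }" rule lets the daemon read every user's home files, not just /home/gene/my_dir. When the target types are user_home_* (the home_labelled_targets output), the narrower fix is to give that one directory the label the standard location already carries (the type that ls -Z shows on the /var/lib/tftp* directory Gene reports as working in enforcing mode) with semanage fcontext -a -t that_type "/home/gene/my_dir(/.*)?" followed by restorecon -Rv /home/gene/my_dir, and no custom policy module at all.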