> For example, I must set the permission as '755' or will get '/tftpboot:
> Permission denied' error.

This does not make sense. SE Linux hooks are called after the traditional unix
permission checks. So, opening the perms should not affect SE Linux at all.
If SE Linux were involved, you would get avc messages. Did you get
any? "ausearch -m avc -f tftpboot".
If I set the permission of /tftpboot as:
d--x--x--- 5 tftpd tftpd 4096 Sep 15 02:49 /tftpboot/
then, after 'tftp localhost', running "ausearch -m avc -f tftpboot"
gets these messages:
----
time->Tue Sep 18 07:08:08 2007
type=PATH msg=audit(1190113688.319:285): item=0 name="/tftpboot"
inode=3757281 dev=08:07 mode=040110 ouid=6969 ogid=6969 rdev=00:00
obj=system_u:object_r:tftpdir_t:s0
type=CWD msg=audit(1190113688.319:285):  cwd="/"
type=SYSCALL msg=audit(1190113688.319:285): arch=40000003 syscall=12
success=no exit=-13 a0=bfb6eea0 a1=bfb6eea0 a2=1 a3=bfb6ee89 items=1
ppid=1779 pid=2127 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="in.tftpd"
exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0 key=(null)
type=AVC msg=audit(1190113688.319:285): avc:  denied  {
dac_read_search } for  pid=2127 comm="in.tftpd" capability=2
scontext=system_u:system_r:tftpd_t:s0
tcontext=system_u:system_r:tftpd_t:s0 tclass=capability
type=AVC msg=audit(1190113688.319:285): avc:  denied  { dac_override }
for  pid=2127 comm="in.tftpd" capability=1
scontext=system_u:system_r:tftpd_t:s0
tcontext=system_u:system_r:tftpd_t:s0 tclass=capability
> But in my environment, the permission of /tftpboot is mandated as '110'. So
> for now, I have to stop the selinux protection by setsebool. Is this a bug?

There could be policy bugs, but we have to go through the normal
troubleshooting steps of looking for the avc messages. Also, the quick way to
find out if SE Linux is causing the problem is not to change the unix perms,
but to run "setenforce 0" (you can put it back by "setenforce 1" after
testing). Directory perms have nothing to do with SE Linux.

I tried 'setsebool -P tftpd_disable_trans on' to disable SE Linux for
tftpd. After doing this, tftpd works correctly.
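Added here as an illustration, not part of the thread: a small Python script that correlates the PATH, SYSCALL and AVC records quoted above and shows why the denial lands in the `capability` class. With mode 0110 and owner uid 6969, uid 0 has no DAC bit of its own, so the kernel falls back to CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH, and that capability check is where SELinux decides per domain (tftpd_t); with 0755 the DAC check passes outright and no capability is consulted. The audit text is the thread's, rejoined onto one line per record and trimmed; the capability and i386 syscall numbers are the kernel's.

```python
import re

# Linux capability numbers (from <linux/capability.h>)
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
SYSCALLS_I386 = {12: "chdir"}  # arch=40000003 is i386; exit=-13 is EACCES

# The audit event from the thread, each record rejoined onto one line and
# trimmed to the fields used below (constructed from the message, not re-captured).
AUDIT_EVENT = """\
type=PATH msg=audit(1190113688.319:285): item=0 name="/tftpboot" inode=3757281 mode=040110 ouid=6969 ogid=6969 obj=system_u:object_r:tftpdir_t:s0
type=SYSCALL msg=audit(1190113688.319:285): arch=40000003 syscall=12 success=no exit=-13 pid=2127 uid=0 gid=0 fsuid=0 fsgid=0 comm="in.tftpd" subj=system_u:system_r:tftpd_t:s0
type=AVC msg=audit(1190113688.319:285): avc:  denied  { dac_read_search } for  pid=2127 comm="in.tftpd" capability=2 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:system_r:tftpd_t:s0 tclass=capability
type=AVC msg=audit(1190113688.319:285): avc:  denied  { dac_override } for  pid=2127 comm="in.tftpd" capability=1 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:system_r:tftpd_t:s0 tclass=capability
"""

def parse_fields(record):
    """Split one audit record into a dict of key=value pairs (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=(\S+)', record)}

def dac_grants_search(mode, owner_uid, owner_gid, uid, gid):
    """Plain Unix DAC for the directory search ('x') bit. uid 0 is deliberately
    not special-cased: in the kernel, root gets past a failed DAC check only
    through CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH, and those capability checks
    are where SELinux is consulted (hence tclass=capability in the AVC)."""
    if uid == owner_uid:
        return bool(mode & 0o100)
    if gid == owner_gid:
        return bool(mode & 0o010)
    return bool(mode & 0o001)

def explain_event(event_text):
    """Correlate the PATH, SYSCALL and AVC records of one audit event."""
    by_type = {}
    for rec in event_text.strip().splitlines():
        f = parse_fields(rec)
        by_type.setdefault(f["type"], []).append(f)
    path, sc = by_type["PATH"][0], by_type["SYSCALL"][0]
    mode = int(path["mode"], 8)
    dac_ok = dac_grants_search(mode, int(path["ouid"]), int(path["ogid"]),
                               int(sc["fsuid"]), int(sc["fsgid"]))
    caps = sorted(CAP_NAMES.get(int(a["capability"]), "cap_" + a["capability"])
                  for a in by_type.get("AVC", []) if a.get("tclass") == "capability")
    syscall = int(sc["syscall"])
    return {
        "path": path["name"],
        "syscall": SYSCALLS_I386.get(syscall, syscall) if sc["arch"] == "40000003" else syscall,
        "errno": -int(sc["exit"]),
        "perms": "%04o" % (mode & 0o7777),
        "dac_grants_search": dac_ok,
        "denied_caps": caps,
        # True when the DAC bits alone gave root nothing, so the request lived
        # or died on a capability decision that SELinux makes per domain
        "root_relied_on_capability": int(sc["fsuid"]) == 0 and not dac_ok,
    }

if __name__ == "__main__":
    print(explain_event(AUDIT_EVENT))
    # With 0755, 'other' has x: DAC passes and no capability check is reached
    print(dac_grants_search(0o40755, 6969, 6969, 0, 0))
```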

_______________________________________________
rhelv5-beta-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-beta-list
