Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10 | Posts: 7
How do I allow all TFTP in SELinux?
I want to use SELinux and I want to allow all TFTP to my Fedora Core 5 box. It is a TFTP server. The Fedora box's Linux firewall is set to allow incoming on port UDP:69. However, SELinux is blocking me. Here are some SELinux deny messages straight from /var/log/messages:
Feb 26 11:03:04 FedoraCore5PC kernel: audit(1172509384.505:66): avc: granted { setenforce } for pid=2681 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
Feb 26 11:04:01 FedoraCore5PC kernel: audit(1172509441.189:67): avc: granted { setenforce } for pid=2686 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
Feb 26 11:58:29 FedoraCore5PC kernel: audit(1172512709.045:2): avc: denied { write } for pid=1889 comm="in.tftpd" name="tftproot" dev=dm-0 ino=978260 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=dir
I've been searching the web for a while now, and though I've tried things, I end up with other issues. My most recent failure was info I got from a Fedora SELinux FAQ; it said to use audit2allow, checkmodule, and semodule_package, however my semodule_package line always fails, see below:
[root@FedoraCore5PC ~]# semodule_package -o local.pp -m local.mod
libsepol.policydb_read: policydb module version 6 does not match my version range 4-5
semodule_package: Error while reading policy module from local.mod
So what is the easiest way to tell selinux to allow in.tftp and all TFTP traffic to do everything TFTP?
Quote:
[root@FedoraCore5PC ~]# semodule_package -o local.pp -m local.mod
libsepol.policydb_read: policydb module version 6 does not match my version range 4-5
semodule_package: Error while reading policy module from local.mod
Looks like the policy server is more recent than the kernel. See if a kernel upgrade helps.
Quote:
denied { write } for pid=1889 comm="in.tftpd" name="tftproot" dev=dm-0 ino=978260 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=dir
Try this: locate your /etc/selinux/targeted/src/policy/domains/tftpd.te (back it up first), then isolate the tftp "AVC denied" messages into, say, "/tmp/avc_tftp", then run "audit2allow < /tmp/avc_tftp >> /etc/selinux/targeted/src/policy/domains/tftpd.te", and then run "make -C /etc/selinux/targeted/src/policy load". YMMV(VM).
It's less hard dealing with policy problems in FC6 BTW.
Quote:
So what is the easiest way to tell selinux to allow in.tftp and all TFTP traffic to do everything TFTP?
Dunno. Just see what you encounter and add that to the current policy I think.
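The procedure discussed in the first post and the reply above (grep the tftpd denials out of /var/log/messages, feed them to audit2allow, compile and load the result) can be shown end to end. The script below is an added example, not code from the thread, from audit2allow or from the SELinux tools: it implements the small part of audit2allow's job that these AVC lines need, turning each "avc: denied" record into an allow rule in .te syntax, merging the permissions of repeated denials and emitting the require block the module loader needs. It assumes only POSIX sh and awk. The log lines are constructed: the first is the denial quoted in the thread, the other two are invented to show permission merging and filtering of an unrelated daemon. The module name local_tftpd is arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal audit2allow-style generator for
# the "avc: denied" lines quoted above. It is NOT audit2allow; it understands
# only the classic kernel AVC shape (perms in braces, scontext=, tcontext=, tclass=).

# Constructed sample log. Line 1 is the denial from the thread; lines 2 and 3 are
# made up, to show permission merging and filtering of an unrelated daemon.
SAMPLE_LOG='Feb 26 11:58:29 FedoraCore5PC kernel: audit(1172512709.045:2): avc: denied { write } for pid=1889 comm="in.tftpd" name="tftproot" dev=dm-0 ino=978260 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=dir
Feb 26 11:58:30 FedoraCore5PC kernel: audit(1172512710.001:3): avc: denied { add_name write } for pid=1889 comm="in.tftpd" name="pxelinux.0" scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=dir
Feb 26 11:58:31 FedoraCore5PC kernel: audit(1172512711.002:4): avc: denied { read } for pid=2000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file'

# avc_to_te COMM MODULE
#   Reads log lines on stdin, keeps only "avc: denied" records whose comm="COMM"
#   (pass "" to keep every denial), and writes .te source for a module named MODULE:
#   one "allow SRC TGT:CLASS { perms };" per (source type, target type, class),
#   with the permissions of repeated denials merged and deduplicated.
avc_to_te() {
    awk -v want="$1" -v mod="$2" '
    /avc: +denied/ {
        comm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)          { comm = $i; gsub(/^comm="|"$/, "", comm) }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (want != "" && comm != want) next
        if (src == "" || tgt == "" || cls == "") next   # not a record we understand
        s = index($0, "{"); e = index($0, "}")
        n = split(substr($0, s + 1, e - s - 1), perm, " ")
        key = src " " tgt ":" cls
        if (!(key in perms)) { perms[key] = ""; rule_order[++nr] = key }
        if (!(src in tseen)) { tseen[src] = 1; type_order[++nt] = src }
        if (!(tgt in tseen)) { tseen[tgt] = 1; type_order[++nt] = tgt }
        if (!(cls in cseen)) { cseen[cls] = 1; class_order[++nc] = cls; cperms[cls] = "" }
        for (j = 1; j <= n; j++) {
            if (!((key, perm[j]) in pseen)) {
                pseen[key, perm[j]] = 1
                perms[key] = perms[key] (perms[key] == "" ? "" : " ") perm[j]
            }
            if (!((cls, perm[j]) in cpseen)) {
                cpseen[cls, perm[j]] = 1
                cperms[cls] = cperms[cls] (cperms[cls] == "" ? "" : " ") perm[j]
            }
        }
    }
    END {
        if (nr == 0) exit 1                     # nothing matched: do not emit an empty module
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", type_order[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", class_order[i], cperms[class_order[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) printf "allow %s { %s };\n", rule_order[i], perms[rule_order[i]]
    }'
}

# tftpd_module: the case from the thread, generated from the constructed log.
# Only in.tftpd denials are kept, so the httpd line never reaches the module.
tftpd_module() {
    printf '%s\n' "$SAMPLE_LOG" | avc_to_te in.tftpd local_tftpd
}

tftpd_module
```

Save the output as local_tftpd.te and compile and load it with the tools named in the thread: checkmodule -M -m -o local_tftpd.mod local_tftpd.te, then semodule_package -o local_tftpd.pp -m local_tftpd.mod, then semodule -i local_tftpd.pp. Two caveats before loading such a rule. The denial targets root_t, which means the TFTP root directory carries a generic label, so relabeling it (for example chcon -R -t tftpdir_t on that directory, assuming the reference policy's tftp module defines tftpdir_t for TFTP content) is a narrower fix than allowing tftpd_t to write to root_t. And filtering by comm, as the grep into /tmp/avc_tftp above does, keeps the local module from carrying rules for every other daemon that happened to log a denial.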
Original Poster | Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10 | Posts: 7
I have a /etc/selinux/targeted directory but I don't have an /etc/selinux/targeted/src directory. It's a slow, small drive box so it doesn't have any source rpms.
Original Poster | Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10 | Posts: 7
I downloaded and unpacked the selinux-policy-2.2.23-15.src.rpm, however this still did not give me the /etc/selinux/targeted/src directory. Instead I found a /usr/src/redhat/SOURCES/serefpolicy-2.2.23.tgz file and untarred this (note I'm not sure if this directory came from the just-installed SRC RPM or if it had always been there). Then I had a /usr/src/redhat/SOURCES/serefpolicy-2.2.23/policy/modules/services/tftpd.te file. So with my logged SELinux TFTP deny messages (grepped from /var/log/messages) in /tmp/avcs, I ran the following:
Original Poster | Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10 | Posts: 7
I took a different route, but now have a different problem. I decided to go a different route by fixing the version mismatch error (policydb module version 6 does not match my version range 4-5) in my original post. I fixed this by finding the FC5 update RPM named policycoreutils-1.30.10-2.fc5. This allowed me to successfully create a local.pp file using audit2allow. However now the very last step of using semodule -i is failing. Anyone have a good idea where to go from here? Here is what I am running and here is the error that is stopping me:
# semodule -i local.pp
libsepol.expand_terule_helper: duplicate TE rule for initrc_t insmod_exec_t:process insmod_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!