LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-27-2007, 03:45 PM   #1
esterud
LQ Newbie
 
Registered: Aug 2003
Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10
Posts: 7

Rep: Reputation: 0
how do I allow all TFTP in selinux?


I want to use selinux and I want to allow all TFTP to my Fedora Core 5 box. It is a TFTP server. The Fedora box's linux firewall is set to allow incoming on port UDP:69. However selinux is blocking me. Here are some selinux deny messages straight from /var/log/messages:

Feb 26 11:03:04 FedoraCore5PC kernel: audit(1172509384.505:66): avc: granted { setenforce } for pid=2681 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
Feb 26 11:04:01 FedoraCore5PC kernel: audit(1172509441.189:67): avc: granted { setenforce } for pid=2686 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
Feb 26 11:58:29 FedoraCore5PC kernel: audit(1172512709.045:2): avc: denied { write } for pid=1889 comm="in.tftpd" name="tftproot" dev=dm-0 ino=978260 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=dir


I've been searching the web for a while now and though I've tried things, I end up with other issues. My most recent failure was info I got on a Fedora selinux FAQ; it said to use audit2allow, checkmodule, and semodule_package, however my semodule_package line always fails, see below:

[root@FedoraCore5PC ~]# semodule_package -o local.pp -m local.mod
libsepol.policydb_read: policydb module version 6 does not match my version range 4-5
semodule_package: Error while reading policy module from local.mod


So what is the easiest way to tell selinux to allow in.tftp and all TFTP traffic to do everything TFTP?
 
Old 02-28-2007, 02:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
[root@FedoraCore5PC ~]# semodule_package -o local.pp -m local.mod
libsepol.policydb_read: policydb module version 6 does not match my version range 4-5
semodule_package: Error while reading policy module from local.mod
Looks like the policy server is more recent than the kernel. See if a kernel upgrade helps.


denied { write } for pid=1889 comm="in.tftpd" name="tftproot" dev=dm-0 ino=978260 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=dir
Try this: locate your /etc/selinux/targeted/src/policy/domains/tftpd.te (backup and), then isolate the tftp "AVC denied" messages to say "/tmp/avc_tftp", then run "audit2allow < /tmp/avc_tftp >> /etc/selinux/targeted/src/policy/domains/tftpd.te", and then run "make -C /etc/selinux/targeted/src/policy load". YMMV(VM).
It's less hard dealing with policy problems in FC6 BTW.


So what is the easiest way to tell selinux to allow in.tftp and all TFTP traffic to do everything TFTP?
Dunno. Just see what you encounter and add that to the current policy I think.
 
Old 02-28-2007, 04:43 PM   #3
esterud
LQ Newbie
 
Registered: Aug 2003
Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10
Posts: 7

Original Poster
Rep: Reputation: 0
I have a /etc/selinux/targeted directory but I don't have an /etc/selinux/targeted/src directory. It's a slow, small drive box so it doesn't have any source rpms.

Here are my current selinux rpms:


# rpm -qa | grep selinux
libselinux-devel-1.29.7-1.2
libselinux-python-1.29.7-1.2
selinux-policy-targeted-2.2.23-15
libselinux-1.29.7-1.2
selinux-policy-2.2.23-15


Should I download and install the selinux-policy-2.2.23-15.src.rpm from http://download.fedora.redhat.com/pu...5/source/SRPMS ?

Last edited by esterud; 02-28-2007 at 04:57 PM.
 
Old 02-28-2007, 04:52 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Yes, you need the policy source.
 
Old 03-02-2007, 09:42 AM   #5
esterud
LQ Newbie
 
Registered: Aug 2003
Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10
Posts: 7

Original Poster
Rep: Reputation: 0
I downloaded and unpackaged the selinux-policy-2.2.23-15.src.rpm, however this still did not give me the /etc/selinux/targeted/src directory. Instead I found a /usr/src/redhat/SOURCES/serefpolicy-2.2.23.tgz file and untarred this (note I'm not sure if this directory came from the just installed SRC RPM or if it had always been there). Then I had a /usr/src/redhat/SOURCES/serefpolicy-2.2.23/policy/modules/services/tftpd.te file. So with my logged selinux TFTP deny messages (grepped from /var/log/messages) in /tmp/avcs, I ran the following:

audit2allow < /tmp/avcs >> /usr/src/redhat/SOURCES/serefpolicy-2.2.23/policy/modules/services/tftpd.te

But seeing how this tftp.te file is in a different directory how should I run the compile and apply the new policy?
 
Old 03-08-2007, 05:02 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
The SELinux Policy source RPM is *NOT* the same as a .src.rpm. A .src.rpm is for *building* an RPM.
 
Old 03-12-2007, 04:43 PM   #7
esterud
LQ Newbie
 
Registered: Aug 2003
Distribution: currently Fedora Core 2,3&5 and Kubuntu 6.10
Posts: 7

Original Poster
Rep: Reputation: 0
I took a different route, but now have a different problem. I decided to go a different route by fixing the version mismatch error (policydb module version 6 does not match my version range 4-5) in my original post. I fixed this by finding the FC5 update RPM named policycoreutils-1.30.10-2.fc5. This allowed me to successfully create a local.pp file using audit2allow. However now the very last step of using semodule -i is failing. Anyone have a good idea where to go from here? Here is what I am running and here is the error that is stopping me:

# semodule -i local.pp
libsepol.expand_terule_helper: duplicate TE rule for initrc_t insmod_exec_t:process insmod_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

Last edited by esterud; 03-19-2007 at 10:42 AM.
 
Old 07-31-2012, 04:31 PM   #8
winnjohnston
LQ Newbie
 
Registered: Jul 2012
Posts: 1

Rep: Reputation: Disabled
chcon -t tftpdir_rw_t /tftpboot/*
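Post #8's one-liner is the real answer to the denial in post #1: the target directory is labeled root_t, so the label is wrong, and an audit2allow rule would let tftpd_t write to every root_t directory on the box. The script below is an added example (not code from the thread or from Fedora) that parses an AVC line like the OP's and says which of the two fixes applies; it assumes only POSIX sh, awk and sed, uses tftpdir_rw_t from post #8, and its sample line is constructed after the OP's message.

```shell
#!/bin/sh
# Added example, not from the thread. Triage an SELinux AVC "denied" line:
#   relabel - the target carries a generic type (root_t, default_t, ...),
#             so the object's label is wrong; an allow rule would cover
#             every object of that type and is far too broad;
#   policy  - the target already has a daemon-specific type, so a rule is
#             genuinely missing and audit2allow's output is the right fix.
# tftpdir_rw_t is the type post #8 relabels with (assumes the tftpd domain).

# avc_field LINE KEY -> VALUE of the first KEY=VALUE token, quotes stripped
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perm LINE -> the permission list printed inside "denied { ... }"
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) }.*/\1/p'; }

# ctx_type CONTEXT -> the type component of user:role:type[:range]
ctx_type() { printf '%s\n' "$1" | awk -F: '{ print $3 }'; }

# avc_triage LINE -> "relabel" or "policy"
avc_triage() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        root_t|default_t|unlabeled_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# avc_fix LINE -> the concrete fix matching the verdict above
avc_fix() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    if [ "$(avc_triage "$1")" = relabel ]; then
        echo "chcon -t tftpdir_rw_t <path of $(avc_field "$1" name)>"
    else
        echo "allow $src $tgt:$cls { $(avc_perm "$1") };"
    fi
}

# Constructed sample, modelled on the OP's denial (root_t target => relabel)
SAMPLE='Feb 26 11:58:29 FedoraCore5PC kernel: audit(1172512709.045:2): avc: denied { write } for pid=1889 comm="in.tftpd" name="tftproot" dev=dm-0 ino=978260 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=dir'
avc_triage "$SAMPLE"; avc_fix "$SAMPLE"
```

To make the relabel survive a restorecon, also record it with semanage fcontext before running chcon.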
 
  

