LinuxQuestions.org
Old 09-06-2009, 06:53 PM   #1
designlogicmedia
LQ Newbie
 
Registered: Sep 2008
Distribution: Fedora
Posts: 3

Rep: Reputation: 0
SELinux is preventing in.tftpd (tftpd_t) "write" to my tftp server


I am having difficulty trying to configure SELinux to allow my tftp server to write to /var/tftpboot/ on my Fedora 10 server. SELinux presents me with the following message from /var/log/messages:

Sep 6 19:38:31 server setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "write" to ./brighthouse-confg (var_t).

and the audit log for SELinux explains the following:

Summary:

SELinux is preventing in.tftpd (tftpd_t) "write" to ./brighthouse-confg
(tftpdir_t).

Detailed Description:

SELinux denied access requested by in.tftpd. It is not expected that this access
is required by in.tftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.


SELinux suggested that I restore the default system file context, and that didn't fix the issue.

I have also turned the boolean tftp_anon_write for TFTP in SELinux on as well and that has not worked either.

tftp_anon_write -> on Allow tftp to modify public files used for public file transfer services.

I have read up on various resources this weekend about SELinux and I am still confused. I have spent 2 days trying to figure this out. Has anyone encountered this issue and have an easy fix for it? All I want to do is upload and save my router's flash and config.
 
Old 09-06-2009, 07:56 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,451
Blog Entries: 54

Rep: Reputation: 2893
Quote:
Originally Posted by designlogicmedia
I have read up on various resources this weekend about SELinux and I am still confused. I have spent 2 days trying to figure this out.
What did you read? (Just wondering.) Did you search LQ (http://www.linuxquestions.org/questions/search.php) for threads with "selinux preventing" in the thread title? If you had, you would have found threads like this, this or this in a matter of seconds. Also, if you post a new thread and then look at the bottom of the page, you might find clues in the "Similar Threads" section. Let us know if reading these threads doesn't clear up the confusion.
 
Old 09-07-2009, 07:48 AM   #3
designlogicmedia
LQ Newbie
 
Registered: Sep 2008
Distribution: Fedora
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the reply. I searched this forum as well as fedoraforum.org, although I didn't use the wording 'SELinux prevents', so I didn't get those results. I also consulted an old Fedora 8 Bible that I had, and honestly it just gave a general overview of SELinux and didn't get in depth about policy creation or booleans.

I think my problem is that I don't quite understand how SELinux determines what is an unauthorized event and what is allowable. I have a feeling that SELinux doesn't like the fact that I moved the default TFTP folder from /tftpboot to /var/tftpboot.

At any rate thanks for the suggestions of the new sources, I'll check them out. When I figure this out I'll reply back in hopes to provide a resolution for others that may encounter the same issue.
 
Old 09-07-2009, 10:30 AM   #4
designlogicmedia
LQ Newbie
 
Registered: Sep 2008
Distribution: Fedora
Posts: 3

Original Poster
Rep: Reputation: 0
I was able to resolve the issue by researching the following commands on http://www.fedoraproject.org/wiki/selinux/:

First I ran the audit2why function (sending it to the audit log) to find out the exact cause of the failure:

audit2why < /var/log/audit/audit.log

The reason for the failure was:

Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


Next I ran the audit2allow command, which I had to research a little and read up on in the man page.

cat /var/log/audit/audit.log | audit2allow -M local

and got the following output:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

Finally I ran this command to add the new policy package.

semodule -i local.pp

At any rate, issue resolved.
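
Added example (not part of the original posts): `cat /var/log/audit/audit.log | audit2allow -M local` turns every denial in the log into an allow rule, not only the in.tftpd one. The sketch below lists, per source domain, the rules a log would produce so they can be reviewed before loading; the AVC records and the names `sample_log` and `avc_rules` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the allow rules an audit log would yield, per source domain.
# sample_log and avc_rules are hypothetical names; the AVC records are constructed.

sample_log() {
cat <<'EOF'
type=AVC msg=audit(1252280311.101:201): avc:  denied  { write } for  pid=2345 comm="in.tftpd" name="brighthouse-confg" dev=dm-0 ino=1001 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
type=AVC msg=audit(1252280340.417:202): avc:  denied  { write } for  pid=2351 comm="in.tftpd" name="router-flash" dev=dm-0 ino=1002 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
type=AVC msg=audit(1252280355.009:203): avc:  denied  { add_name } for  pid=2351 comm="in.tftpd" name="router-flash" scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=AVC msg=audit(1252280400.650:204): avc:  denied  { getattr } for  pid=3120 comm="httpd" path="/home/user/index.html" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# avc_rules DOMAIN: read audit records on stdin and print one de-duplicated
# "allow" line per denial whose source type is DOMAIN ("" means every domain).
avc_rules() {
    domain="$1"
    awk -v dom="$domain" '
    /avc:/ && /denied/ {
        perms = ""; st = ""; tt = ""; cls = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }    # permission list opens
            if ($i == "}") { inb = 0; continue }    # permission list closes
            if (inb) { perms = perms (perms == "" ? "" : " ") $i; continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }  # source type
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }  # target type
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }           # object class
        }
        if (dom == "" || st == dom)
            print "allow " st " " tt ":" cls " { " perms " };"
    }' | sort -u
}

echo "# every denial in the log (what piping the whole log to audit2allow covers):"
sample_log | avc_rules ""
echo "# in.tftpd (tftpd_t) only:"
sample_log | avc_rules tftpd_t
```

On a live system the same narrowing is done by filtering the log before it reaches audit2allow, for example `grep in.tftpd /var/log/audit/audit.log | audit2allow -M local`, and reading the generated local.te before running `semodule -i local.pp`.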
 
Old 09-07-2009, 11:30 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,451
Blog Entries: 54

Rep: Reputation: 2893
Well done!
 
  

