I am having difficulty trying to config SELinux to allow my tftp server to write to /var/tftpboot/ on my Fedora 10 server. SE linux presents me with the following message from /var/log/messages:

Sep 6 19:38:31 server setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "write" to ./brighthouse-confg (var_t).

and the audit log for SELinux explains the following

Summary:

SELinux is preventing in.tftpd (tftpd_t) "write" to ./brighthouse-confg
(tftpdir_t).

Detailed Description:

SELinux denied access requested by in.tftpd. It is not expected that this access
is required by in.tftpd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.


SELinux suggested for me to restore the default system file context and that didn't fix the issue.

I have also turned the boolean tftp_anon_write for TFTP in SELinux on as well and that has not worked either.

tftp_anon_write -> on Allow tftp to modify public files used for public file transfer services.

I have read up on various resources this weekend about SELinux and I am still confused. I have spent 2 days trying to figure this out. Has anyone encountered this issue and have an easy fix for it? All I want to do is upload and save my router's flash and config.

What did you read? (Just wondering.) Did you search LQ (http://www.linuxquestions.org/questions/search.php) for threads with "selinux preventing" in the thread title? If you would have you would have found threads like this, this or this in a matter of seconds. Also if you post a new thread and then look at the bottom of the page you might find clues in the "Similar Threads" section. Let us know if reading these threads doesn't clear up the confusion.

Thanks for the reply. I checked the searched this forum as well as fedoraforum.org although I didn't use the wording 'SElinux prevents' so I didn't get those results. I also consulted an old Fedora 8 Bible that I had and honestly it just gave a general overview of SElinux and didn't get in depth about policy creation or booleans.

I think my problem is that I don't quite understand how SElinux determines what is an unauthorized event and what is allowable. I have a feeling that SELinux doesn't like the fact that I moved the default TFTP folder from /tftpboot to /var/tftpboot.

At any rate thanks for the suggestions of the new sources, I'll check them out. When I figure this out I'll reply back in hopes to provide a resolution for others that may encounter the same issue.

I was able to resolve the issue by researching the following commands on http://www.fedoraproject.org/wiki/selinux/:

First I ran the audit2why function (sending it to the audit log) to find out the exact cause of the failure:

audit2why < /var/log/audit/audit.log

The the reason for the failure was:

Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


next I ran the Audit2allow command, which I had to research a little and read up on the man page.

cat /var/log/audit/audit.log | audit2allow -M local

and got the following output:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

Finally I ran this command to add the new policy package.

semodule -i local.pp

At any rate, issue resolved.

Well done!