Wednesday 18 September 2013

SELinux TFTP policy

If you have SELinux enabled, it will not, by default, allow your TFTP server to accept PUT requests (file uploads). You can use audit2allow to build a custom SELinux policy module that permits them.

To do this you need to examine your server's audit log, /var/log/audit/audit.log, which is where SELinux records denials. If you are receiving permission-denied errors when uploading (putting) files, check this log. If SELinux is causing the problem you will see an entry that looks like this:

type=AVC msg=audit(1245199930.280:31): avc: denied { write } for pid=2584 comm="in.tftpd" name="tftpboot" dev=dm-0 ino=1747009 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=SYSCALL msg=audit(1245199930.280:31): arch=40000003 syscall=5 success=no exit=-13 a0=805e7a2 a1=8041 a2=1b6 a3=8041 items=0 ppid=2565 pid=2584 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
Using this error and the audit2allow tool we can create a policy that allows TFTP writes.

Step 1

Create some policy rules to load into SELinux. Use grep to feed the audit log entries that match our denial into the audit2allow tool, which builds a policy module named tftplocal (the source tftplocal.te and the compiled tftplocal.pp):

$ grep tftpd_t /var/log/audit/audit.log | audit2allow -M tftplocal

NOTE!

The audit2allow tool isn't infallible, so check that the rules in the module the above command created aren't too permissive. They are kept in the file tftplocal.te, which the command creates alongside the compiled module. It should look something like this:
module tftplocal 1.0;

# every type, class and permission the allow rules use must be declared here
require {
        type tftpd_t;
        type tftpdir_t;
        class dir { write add_name };
        class file { write create };
}

#============= tftpd_t ==============
# let the TFTP daemon add entries to directories labelled tftpdir_t
allow tftpd_t tftpdir_t:dir { write add_name };
# and create and write files inside them
allow tftpd_t tftpdir_t:file { write create };

Step 2

Load the SELinux policy module created in step 1:

$ semodule -i tftplocal.pp
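As an added example, not from the original post: a small shell script that pulls the tftpd_t AVC denials out of audit text (what the grep in step 1 hands to audit2allow) and reviews the allow rules in a generated .te file against the expected target type and permission list, which is the check the NOTE above asks for before step 2. The audit lines, the .te text and the function names are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not the original post's code): list the AVC denials behind a tftpd_t
# module and review the allow rules in the .te file audit2allow produced before loading it.

# Constructed sample input modelled on the post's log entry (not a real capture).
AUDIT_SAMPLE='type=AVC msg=audit(1245199930.280:31): avc: denied { write } for pid=2584 comm="in.tftpd" name="tftpboot" dev=dm-0 ino=1747009 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=SYSCALL msg=audit(1245199930.280:31): arch=40000003 syscall=5 success=no exit=-13 comm="in.tftpd"
type=AVC msg=audit(1245199931.100:32): avc: denied { create } for pid=2584 comm="in.tftpd" name="fw.bin" scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file'

# Print one "source target class permission" line per AVC denial whose source type is $1.
# Reads audit text on stdin; this is the material `grep tftpd_t audit.log | audit2allow` works from.
avc_denials() {
  grep 'type=AVC' | grep "scontext=[^ ]*:$1:" |
    sed -E 's/.*denied \{ ([^}]*) \}.*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]+).*/\2 \3 \4 \1/'
}

# Review allow rules from a .te file on stdin: report any rule whose target type is not $1
# or that grants a permission outside the space-separated list $2. Returns 1 if any were found.
check_te() {
  local target="$1" allowed=" $2 " rc=0 kw src tgt cls perms p
  while read -r kw src tgt perms; do
    [ "$kw" = allow ] || continue
    cls=${tgt#*:}; tgt=${tgt%%:*}
    perms=$(printf '%s' "$perms" | tr '{};' '   ')   # "{ write add_name };" -> " write add_name "
    [ "$tgt" = "$target" ] || { echo "REVIEW: $src -> $tgt:$cls (unexpected target type)"; rc=1; }
    for p in $perms; do
      case "$allowed" in *" $p "*) ;; *) echo "REVIEW: $src -> $tgt:$cls grants '$p'"; rc=1 ;; esac
    done
  done
  return $rc
}

# Constructed .te sample: the post's two rules plus one over-broad rule a reviewer should reject.
TE_SAMPLE='module tftplocal 1.0;
allow tftpd_t tftpdir_t:dir { write add_name };
allow tftpd_t tftpdir_t:file { write create };
allow tftpd_t etc_t:file { write };'

printf '%s\n' "$AUDIT_SAMPLE" | avc_denials tftpd_t
printf '%s\n' "$TE_SAMPLE" | check_te tftpdir_t "write add_name create" || echo "module needs review before semodule -i"
```

On a real system, replace the samples with `avc_denials tftpd_t < /var/log/audit/audit.log` and `check_te tftpdir_t "write add_name create" < tftplocal.te`.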
