Bug 195977
| Field | Value |
|---|---|
| Summary | Targeted policy blocking TFTP daemon LDAP access |
| Product | Fedora |
| Component | tftp |
| Version | 5 |
| Hardware | i686 |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Keywords | SELinux |
| Reporter | Ian Pilcher <arequipeno> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | k.georgiou, mail |
| Fixed In Version | Current |
| Doc Type | Bug Fix |
| Last Closed | 2007-03-28 20:04:45 UTC |
| Bug Blocks | 192555 |
Description
Ian Pilcher
2006-06-20 02:24:29 UTC

Does it work even with the denial? I.e. if I just dontaudit the connection to ldap, will tftp still work?

(In reply to comment #1)
> Does it work even with the denial? I.e. if I just dontaudit the connection to
> ldap, will tftp still work?

Nope. I was using it for PXE installations (does anyone use TFTP for anything else?), and the system just sat there. Once I added 'nobody' to nss_initgroups_ignoreusers things started working again. (Now there may be an argument that 'nobody' should be there by default; that's a question for the nss_ldap guys.)

Yes, I talked to him about this, but I believe we would have the same problem with NIS. So I think we need to allow the priv. Just kind of scary that you need to give all these privs to an app just so it can fail to find nobody. We could change tftp to not fail if initgroups fails...

I am reassigning to tftp, to stop it failing if the netgroups call fails.

Created attachment 131343 [details]
Suggested patch for when initgroups fails.

I think initgroups should fail over to using setgroups. That way SELinux does not need to add lots of access.

(In reply to comment #3)
> Yes, I talked to him about this, but I believe we would have the same problem
> with NIS. So I think we need to allow the priv. Just kind of scary that you
> need to give all these privs to an app just so it can fail to find nobody. We
> could change tftp to not fail if initgroups fails...
>
> I am reassigning to tftp, to stop it failing if the netgroups call fails.

Wouldn't the same argument apply to other daemons? xfs seems to fit the bill -- bug #192555. Personally, I find this whole thing of network groups for local users to be a bit dicey -- something that should probably be off by default.

I can confirm that this bug is fixed in selinux-policy-targeted-2.3.3-8.fc5.

Closing bugs