Bug 867107
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/in.tftpd from using the 'dac_override' capabilities. |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 17 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | manul.sob |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, mgrepl |
| Keywords | Reopened |
| Whiteboard | abrt_hash:57a06aff2fd856e9347146bae233bd6b33bf6954ae936cef5a3161b1e0273684 |
| Doc Type | Bug Fix |
| Last Closed | 2012-12-20 15:41:05 UTC |

Description
manul.sob
2012-10-16 19:22:29 UTC
Created attachment 628337
File: type
Created attachment 628338
File: hashmarkername

Could you do these steps

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent

Thanks for the quick reply. It shows me this:

----
time->Wed Oct 17 12:52:41 2012
type=PATH msg=audit(1350474761.252:78): item=0 name="/home/ms/tftp"
type=CWD msg=audit(1350474761.252:78): cwd="/"
type=SYSCALL msg=audit(1350474761.252:78): arch=c000003e syscall=80 success=no exit=-13 a0=7fff218f3f1c a1=2023198 a2=4 a3=10 items=1 ppid=629 pid=1380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350474761.252:78): avc: denied { dac_read_search } for pid=1380 comm="in.tftpd" capability=2 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350474761.252:78): avc: denied { dac_override } for pid=1380 comm="in.tftpd" capability=1 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability

It looks like we should also have a

tunable_policy(`tftp_home_dir',`

boolean. We have

tunable_policy(`ftp_home_dir',`

I am sorry, I am not a Linux expert, can you explain to me what I should do? Thanks.

As root execute
# setsebool -P tftp_home_dir 1
And you should be all set.

Thanks for the reply. The command didn't work.

# setsebool -P /home/ms/tftp 1
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean /home/ms/tftp
Could not change policy booleans

We need to add tftp_home_dir

Added.

commit 73835352c5459d69ff14a6460f55f41e2ce78805
Author: Miroslav Grepl <mgrepl>
Date: Fri Oct 19 11:57:21 2012 +0200

Add tftp_homedir boolean

selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
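
An added example, not part of the bug thread or of selinux-policy: a small Python triage helper that groups the audit records quoted in the thread by event id and joins each AVC denial with its SYSCALL and PATH records, so the denied capabilities, the confined domain, the failing path and the errno can be read together. The sample records are abridged from the ausearch output in the thread; the function name `summarize` and the result keys are assumptions of this example.

```python
import errno
import re
from collections import defaultdict

# Records abridged from the ausearch output quoted in the thread.
SAMPLE = '''\
type=PATH msg=audit(1350474761.252:78): item=0 name="/home/ms/tftp"
type=CWD msg=audit(1350474761.252:78): cwd="/"
type=SYSCALL msg=audit(1350474761.252:78): arch=c000003e syscall=80 success=no exit=-13 uid=0 euid=0 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1350474761.252:78): avc: denied { dac_read_search } for pid=1380 comm="in.tftpd" capability=2 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350474761.252:78): avc: denied { dac_override } for pid=1380 comm="in.tftpd" capability=1 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
'''

RECORD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def summarize(text):
    """Group audit records by event id and join AVC denials with SYSCALL/PATH."""
    events = defaultdict(lambda: {"denied": [], "paths": []})
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip separators such as '----' and 'time->...'
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[event_id]
        if rtype == "AVC":
            d = DENIED.search(body)
            if d:
                ev["denied"] += d.group(1).split()
                # third field of the SELinux context is the type (domain)
                ev["domain"] = fields["scontext"].split(":")[2]
                ev["tclass"] = fields["tclass"]
        elif rtype == "SYSCALL":
            ev["exe"] = fields["exe"]
            ev["euid"] = int(fields["euid"])
            # a negative exit value is -errno; keep the raw value otherwise
            ev["errno"] = errno.errorcode.get(-int(fields["exit"]), fields["exit"])
        elif rtype == "PATH":
            ev["paths"].append(fields["name"])
    return dict(events)

if __name__ == "__main__":
    for event_id, ev in summarize(SAMPLE).items():
        print(event_id, ev)
```

For the event in the thread this reports both denied capabilities for domain `tftpd_t` alongside `euid` 0, `EACCES` and the path `/home/ms/tftp`.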