Bug 867107

Summary: SELinux is preventing /usr/sbin/in.tftpd from using the 'dac_override' capabilities.
Product: Fedora
Reporter: manul.sob
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl
Keywords: Reopened
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:57a06aff2fd856e9347146bae233bd6b33bf6954ae936cef5a3161b1e0273684
Doc Type: Bug Fix
Last Closed: 2012-12-20 15:41:05 UTC
Attachments:
  File: type
  File: hashmarkername

Description manul.sob 2012-10-16 19:22:29 UTC
Description of problem:
I was using a tftp server and I want to write to /home/ms/tftp, but SELinux doesn't allow it.

Additional info:
libreport version: 2.0.14
kernel:         3.6.1-1.fc17.x86_64

description:
SELinux is preventing /usr/sbin/in.tftpd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that in.tftpd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep in.tftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tftpd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:tftpd_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        in.tftpd
Source Path                   /usr/sbin/in.tftpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tftp-server-5.2-2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-153.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.1-1.fc17.x86_64 #1 SMP Wed Oct
                              10 12:13:05 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-16 20:18:02 WEST
Last Seen                     2012-10-16 20:18:02 WEST
Local ID                      79b7da3c-389a-4ccb-ab88-1d3c841c6368

Raw Audit Messages
type=AVC msg=audit(1350415082.134:68): avc:  denied  { dac_override } for  pid=1256 comm="in.tftpd" capability=1  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(1350415082.134:68): avc:  denied  { dac_read_search } for  pid=1256 comm="in.tftpd" capability=2  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1350415082.134:68): arch=x86_64 syscall=chdir success=no exit=EACCES a0=7fffbd4f8f1c a1=2062198 a2=4 a3=10 items=0 ppid=574 pid=1256 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=in.tftpd exe=/usr/sbin/in.tftpd subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)

Hash: in.tftpd,tftpd_t,tftpd_t,capability,dac_override

audit2allow

#============= tftpd_t ==============
allow tftpd_t self:capability { dac_read_search dac_override };

audit2allow -R

#============= tftpd_t ==============
allow tftpd_t self:capability { dac_read_search dac_override };


Comment 1 manul.sob 2012-10-16 19:22:32 UTC
Created attachment 628337 [details]
File: type

Comment 2 manul.sob 2012-10-16 19:22:36 UTC
Created attachment 628338 [details]
File: hashmarkername

Comment 3 Miroslav Grepl 2012-10-17 06:49:52 UTC
Could you do these steps

Turn on full auditing
# auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
# ausearch -m avc -ts recent

Comment 4 manul.sob 2012-10-17 12:00:53 UTC
Thanks for the quick reply.

It shows me this:

----
time->Wed Oct 17 12:52:41 2012
type=PATH msg=audit(1350474761.252:78): item=0 name="/home/ms/tftp"
type=CWD msg=audit(1350474761.252:78):  cwd="/"
type=SYSCALL msg=audit(1350474761.252:78): arch=c000003e syscall=80 success=no exit=-13 a0=7fff218f3f1c a1=2023198 a2=4 a3=10 items=1 ppid=629 pid=1380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_read_search } for  pid=1380 comm="in.tftpd" capability=2  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_override } for  pid=1380 comm="in.tftpd" capability=1  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
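The sealert plugin in the description asks the reporter to correlate the AVC denial with the PATH record of the same audit event by hand; comment 4 shows what that output looks like. The following is an added example (not part of this bug or of the selinux-policy project) that does the correlation programmatically: it groups records by audit event id, collects the denied capabilities, and pairs them with the uid, syscall and path from the SYSCALL and PATH records, which is what tells you whether to fix ownership/permissions or look for a policy boolean. The sample log is the comment 4 output re-typed as constructed input; the syscall-number table covers only the one number the page shows (80 = chdir on x86_64).

```python
import re
from collections import defaultdict

# Constructed sample (re-typed from comment 4): one event id ties every record together.
SAMPLE_LOG = """\
type=PATH msg=audit(1350474761.252:78): item=0 name="/home/ms/tftp"
type=CWD msg=audit(1350474761.252:78):  cwd="/"
type=SYSCALL msg=audit(1350474761.252:78): arch=c000003e syscall=80 success=no exit=-13 a0=7fff218f3f1c a1=2023198 a2=4 a3=10 items=1 ppid=629 pid=1380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_read_search } for  pid=1380 comm="in.tftpd" capability=2  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_override } for  pid=1380 comm="in.tftpd" capability=1  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r'denied\s+\{([^}]*)\}')
X86_64_SYSCALLS = {'80': 'chdir'}  # arch=c000003e; only the number this page shows

def parse_events(log):
    """Group audit records by event id -> list of (record type, fields dict)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        denied = DENIED_RE.search(body)
        if denied:
            fields['denied'] = denied.group(1).split()
        events[event_id].append((rtype, fields))
    return events

def diagnose(events):
    """Per event with a capability denial: which uid ran what syscall on which path."""
    findings = []
    for event_id, records in events.items():
        caps, sysc, paths = set(), {}, []
        for rtype, f in records:
            if rtype == 'AVC' and f.get('tclass') == 'capability':
                caps.update(f.get('denied', []))
            elif rtype == 'SYSCALL':
                sysc = f
            elif rtype == 'PATH':
                paths.append(f['name'])
        if caps:  # root hitting DAC on a path it does not own: check owner/mode first
            nr = sysc.get('syscall')
            findings.append({'event': event_id, 'comm': sysc.get('comm'),
                             'uid': sysc.get('uid'), 'denied': sorted(caps),
                             'syscall': X86_64_SYSCALLS.get(nr, nr), 'paths': paths})
    return findings
```

On the sample, `diagnose(parse_events(SAMPLE_LOG))` yields one finding: in.tftpd running as uid 0 was denied dac_override and dac_read_search during chdir into /home/ms/tftp, a home directory owned by another user, which is exactly the case the tftp_home_dir boolean was added for rather than a blanket dac_override allow.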

Comment 5 Miroslav Grepl 2012-10-17 12:10:08 UTC
It looks like we should also have a

tunable_policy(`tftp_home_dir',`

boolean.

We have

tunable_policy(`ftp_home_dir',`

Comment 6 manul.sob 2012-10-17 13:57:14 UTC
I am sorry, I am not a Linux expert; can you explain to me what I should do?

Thanks.

Comment 7 Daniel Walsh 2012-10-18 11:17:51 UTC
As root execute

# setsebool -P tftp_home_dir 1

And you should be all set.

Comment 8 manul.sob 2012-10-18 11:57:32 UTC
Thanks for the reply.

The command didn't work.

# setsebool -P /home/ms/tftp 1
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean /home/ms/tftp
Could not change policy booleans

Comment 9 Miroslav Grepl 2012-10-18 12:01:59 UTC
We need to add

tftp_home_dir

Comment 10 Miroslav Grepl 2012-10-19 10:02:03 UTC
Added.

commit 73835352c5459d69ff14a6460f55f41e2ce78805
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 19 11:57:21 2012 +0200

    Add tftp_homedir boolean

Comment 11 Fedora Update System 2012-11-06 08:19:48 UTC
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

Comment 12 Fedora Update System 2012-11-08 02:02:04 UTC
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2012-12-20 15:41:08 UTC
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.