Bug 867107 - SELinux is preventing /usr/sbin/in.tftpd from using the 'dac_override' capabilities.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64 (OS: Unspecified)
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:57a06aff2fd856e9347146bae23...
Keywords: Reopened
Reported: 2012-10-16 15:22 EDT by manul.sob
Modified: 2012-12-20 10:41 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 10:41:05 EST

Attachments:
File: type (9 bytes, text/plain), 2012-10-16 15:22 EDT, manul.sob
File: hashmarkername (14 bytes, text/plain), 2012-10-16 15:22 EDT, manul.sob

Description manul.sob 2012-10-16 15:22:29 EDT
Description of problem:
I was using a tftp server and I want to write in /home/ms/tftp, but SELinux doesn't allow it.

Additional info:
libreport version: 2.0.14
kernel:         3.6.1-1.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/in.tftpd from using the 'dac_override' capabilities.
:
:*****  Plugin dac_override (91.4 confidence) suggests  ***********************
:
:If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
:Then turn on full auditing to get path information about the offending file and generate the error again.
:Do
:
:Turn on full auditing
:# auditctl -w /etc/shadow -p w
:Try to recreate AVC. Then execute
:# ausearch -m avc -ts recent
:If you see PATH record check ownership/permissions on file, and fix it, 
:otherwise report as a bugzilla.
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that in.tftpd should have the dac_override capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep in.tftpd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tftpd_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:tftpd_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        in.tftpd
:Source Path                   /usr/sbin/in.tftpd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           tftp-server-5.2-2.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-153.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc17.x86_64 #1 SMP Wed Oct
:                              10 12:13:05 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-16 20:18:02 WEST
:Last Seen                     2012-10-16 20:18:02 WEST
:Local ID                      79b7da3c-389a-4ccb-ab88-1d3c841c6368
:
:Raw Audit Messages
:type=AVC msg=audit(1350415082.134:68): avc:  denied  { dac_override } for  pid=1256 comm="in.tftpd" capability=1  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=AVC msg=audit(1350415082.134:68): avc:  denied  { dac_read_search } for  pid=1256 comm="in.tftpd" capability=2  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1350415082.134:68): arch=x86_64 syscall=chdir success=no exit=EACCES a0=7fffbd4f8f1c a1=2062198 a2=4 a3=10 items=0 ppid=574 pid=1256 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=in.tftpd exe=/usr/sbin/in.tftpd subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: in.tftpd,tftpd_t,tftpd_t,capability,dac_override
:
:audit2allow
:
:#============= tftpd_t ==============
:allow tftpd_t self:capability { dac_read_search dac_override };
:
:audit2allow -R
:
:#============= tftpd_t ==============
:allow tftpd_t self:capability { dac_read_search dac_override };
:
Comment 1 manul.sob 2012-10-16 15:22:32 EDT
Created attachment 628337 [details]
File: type
Comment 2 manul.sob 2012-10-16 15:22:36 EDT
Created attachment 628338 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-10-17 02:49:52 EDT
Could you do these steps

Turn on full auditing
# auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
Comment 4 manul.sob 2012-10-17 08:00:53 EDT
Thanks for the quick reply.

It shows me this:

----
time->Wed Oct 17 12:52:41 2012
type=PATH msg=audit(1350474761.252:78): item=0 name="/home/ms/tftp"
type=CWD msg=audit(1350474761.252:78):  cwd="/"
type=SYSCALL msg=audit(1350474761.252:78): arch=c000003e syscall=80 success=no exit=-13 a0=7fff218f3f1c a1=2023198 a2=4 a3=10 items=1 ppid=629 pid=1380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_read_search } for  pid=1380 comm="in.tftpd" capability=2  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_override } for  pid=1380 comm="in.tftpd" capability=1  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
Comment 5 Miroslav Grepl 2012-10-17 08:10:08 EDT
It looks like we should also have a

tunable_policy(`tftp_home_dir',`

boolean.

We have

tunable_policy(`ftp_home_dir',`
Comment 6 manul.sob 2012-10-17 09:57:14 EDT
I am sorry, I am not a Linux expert; can you explain to me what I should do?

Thanks.
Comment 7 Daniel Walsh 2012-10-18 07:17:51 EDT
As root execute

# setsebool -P tftp_home_dir 1

And you should be all set.
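The steps the dac_override plugin and comment 3 prescribe (load a watch rule, reproduce, run ausearch) and the fix Dan gives here can be put together as a small triage script. The point worth understanding from comments 0 and 4: the first report's SYSCALL record has items=0 and no PATH record, because with no audit rules loaded the kernel does not attach syscall context to an AVC; once any rule is loaded (the /etc/shadow watch is just a convenient one), the same denial arrives with CWD and PATH records, and the path turns out to be /home/ms/tftp. The denial itself means in.tftpd, running as uid 0, failed the ordinary mode-bit check on a directory it does not own; only then does the kernel ask for CAP_DAC_READ_SEARCH/CAP_DAC_OVERRIDE, and since tftpd_t is not allowed those capabilities SELinux logs a capability AVC rather than a file AVC. Granting the capability with audit2allow, as the catchall plugin offers, would let the domain bypass DAC everywhere; the boolean is the narrower answer. The following is an added example, not code from the bug or from the selinux-policy project. It groups raw audit records by event serial, pulls the DAC capability denials together with the sibling SYSCALL and PATH records, and recommends the next step. The sample records are copied from this report (comment 4 and the original sealert output); the HOME_DIR_BOOLEANS table holds only the two booleans named in this thread, and the assumption that home directories live under /home is mine.

```python
"""Correlate SELinux capability AVCs with the SYSCALL/CWD/PATH records of the
same audit event and say what to check next.  Added example, not from the bug."""
import re
from collections import defaultdict

# Every record of one audit event shares the msg=audit(<ts>:<serial>) header.
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Capability numbers from <linux/capability.h> for the two seen in this bug.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}
DAC_CAPS = {"dac_override", "dac_read_search"}
# Booleans named in this thread that let a daemon domain into home directories.
# Assumption: home directories live under /home (adjust for other layouts).
HOME_DIR_BOOLEANS = {"tftpd_t": "tftp_home_dir", "ftpd_t": "ftp_home_dir"}

# Records copied from comment 4 (captured after the auditctl watch rule was loaded).
WITH_PATH = """\
type=PATH msg=audit(1350474761.252:78): item=0 name="/home/ms/tftp"
type=CWD msg=audit(1350474761.252:78):  cwd="/"
type=SYSCALL msg=audit(1350474761.252:78): arch=c000003e syscall=80 success=no exit=-13 a0=7fff218f3f1c a1=2023198 a2=4 a3=10 items=1 ppid=629 pid=1380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_read_search } for  pid=1380 comm="in.tftpd" capability=2  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350474761.252:78): avc:  denied  { dac_override } for  pid=1380 comm="in.tftpd" capability=1  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
"""
# Records copied from the original sealert report (no audit rules: items=0, no PATH).
WITHOUT_PATH = """\
type=AVC msg=audit(1350415082.134:68): avc:  denied  { dac_override } for  pid=1256 comm="in.tftpd" capability=1  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350415082.134:68): avc:  denied  { dac_read_search } for  pid=1256 comm="in.tftpd" capability=2  scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1350415082.134:68): arch=x86_64 syscall=chdir success=no exit=EACCES a0=7fffbd4f8f1c a1=2062198 a2=4 a3=10 items=0 ppid=574 pid=1256 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=in.tftpd exe=/usr/sbin/in.tftpd subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
"""


def _kv(body):
    """Split 'key=value key="quoted value"' pairs; quotes are stripped."""
    return {key: val.strip('"') for key, val in KV_RE.findall(body)}


def parse_audit(text):
    """Group raw audit records by event serial: {serial: [record dict, ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m["type"], "serial": int(m["serial"]), "ts": m["ts"]}
        if rec["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if not a:
                continue
            rec["result"] = a["result"]
            rec["perms"] = a["perms"].split()
            rec.update(_kv(a["rest"]))
        else:
            rec.update(_kv(m["body"]))
        events[rec["serial"]].append(rec)
    return dict(events)


def triage_dac_denials(events):
    """For each event carrying a denied DAC capability AVC, join in the SYSCALL
    and PATH records of the same serial and produce a finding with advice."""
    findings = []
    for serial, recs in sorted(events.items()):
        avcs = [r for r in recs if r["type"] == "AVC" and r.get("result") == "denied"
                and r.get("tclass") == "capability" and DAC_CAPS & set(r["perms"])]
        if not avcs:
            continue
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        paths = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        f = {
            "serial": serial,
            "comm": avcs[0].get("comm"),
            "domain": avcs[0]["scontext"].split(":")[2],   # the type field of the context
            "perms": sorted({p for r in avcs for p in r["perms"]}),
            "caps": sorted(CAP_NAMES.get(int(r.get("capability", -1)), "?") for r in avcs),
            "syscall": syscall.get("syscall") if syscall else None,
            "exit": syscall.get("exit") if syscall else None,
            "uid": int(syscall["uid"]) if syscall and "uid" in syscall else None,
            "paths": paths,
        }
        if not paths:
            f["advice"] = ("no PATH record: load any audit rule (sealert suggests "
                           "auditctl -w /etc/shadow -p w), reproduce, then run "
                           "ausearch -m avc -ts recent")
        elif f["domain"] in HOME_DIR_BOOLEANS and any(p.startswith("/home/") for p in paths):
            f["advice"] = ("DAC denied uid %s on %s; if that directory is meant to be served, "
                           "setsebool -P %s 1" % (f["uid"], ", ".join(paths),
                                                   HOME_DIR_BOOLEANS[f["domain"]]))
        else:
            f["advice"] = ("DAC denied uid %s on %s; check the owner and mode of that path"
                           % (f["uid"], ", ".join(paths)))
        findings.append(f)
    return findings


def triage(text):
    return triage_dac_denials(parse_audit(text))


if __name__ == "__main__":
    for sample in (WITH_PATH, WITHOUT_PATH):
        for f in triage(sample):
            print("event %d: %s (%s) needs %s in %s as uid %s; paths=%s"
                  % (f["serial"], f["comm"], f["domain"], ", ".join(f["caps"]),
                     f["syscall"], f["uid"], f["paths"]))
            print("  ->", f["advice"])
```

Run it against `ausearch -m avc -ts recent` output piped in as text, or against /var/log/audit/audit.log directly. On the two samples it reports that event 78 (with the PATH record) points at /home/ms/tftp and the tftp_home_dir boolean, while event 68 (no rules loaded) only tells you to turn on full auditing first, which is exactly the order the thread took.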
Comment 8 manul.sob 2012-10-18 07:57:32 EDT
Thanks for the reply.

The command didn't work.

# setsebool -P /home/ms/tftp 1
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean /home/ms/tftp
Could not change policy booleans
Comment 9 Miroslav Grepl 2012-10-18 08:01:59 EDT
We need to add

tftp_home_dir
Comment 10 Miroslav Grepl 2012-10-19 06:02:03 EDT
Added.

commit 73835352c5459d69ff14a6460f55f41e2ce78805
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Oct 19 11:57:21 2012 +0200

    Add tftp_homedir boolean
Comment 11 Fedora Update System 2012-11-06 03:19:48 EST
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Comment 12 Fedora Update System 2012-11-07 21:02:04 EST
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-12-20 10:41:08 EST
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.