tftp???

Paul Howarth paul at city-fan.org
Tue Sep 13 16:29:23 UTC 2005


Daniel Vogel wrote:
>> I run SELinux on all my boxes, including my desktop. It's not a big 
>> hassle because the default targeted policy is aimed at the 
>> daemons, leaving normal user operations running unconfined. If you can 
>> get the daemons sorted out so that the SELinux policy matches the way 
>> you are using them, it doesn't get in the way.
>> Daniel's issue is that he is using the tftp daemon in a way not 
>> currently covered by policy. He doesn't appear to have the patience to 
>> either tweak the policy to make it work for the way he's using the 
>> system, or to raise the issue on the selinux list or in bugzilla. So 
>> SELinux is not likely to get any better for him unless someone else 
>> has the same issues and works them through, getting the necessary 
>> changes made so that everyone benefits.
> 
> 
> First just let me say that I was asking about that; it wasn't me who had 
> problems with tftp.
> 
> But I'm not waiting for anybody to do the job that belongs to me, I just 
> won't use selinux until IT works properly. (Why do I have to disable it on a 
> fresh install to make things work?) There are many people that just 
> turn it off or downgrade its functions to make their things work 
> instead of trying to fix it, for 2 main reasons:
> 
> we're lazy, or we don't have the time to investigate it and try to fix it.
> 
> I insist, why do I have to trust something that I have to tweak to make 
> it work properly on my computer? I mean, I don't know how to do it, it will 
> take me a lot of time to learn it, so I don't trust my skills to do 
> it (therefore I don't think it'll work fine), so I just prefer to shut 
> it down, or whatever, to make my services go outside.
> 
> And a last thing Paul, I think I need to know a lot more to give an 
> opinion on how things can be improved. I appreciate a lot so many people 
> helping others, but I don't feel I have the knowledge to be one of them.

Sorry if I caused offence. No coffee before posting this morning.

Many things need to be configured before they work to your satisfaction. 
They may have a default configuration that will work for many people, 
but lots of people need to configure, say, samba, before it will work 
nicely in their environment. SELinux is no different. The default 
configuration, as with most security-related packages, is quite 
restrictive and needs to be tweaked (e.g. using setsebool) for many 
applications. It's just a case of getting familiar with it so that you 
know how to tweak it, just like with other packages.

The default configuration of SELinux is *never* going to support upload 
in tftp, I'm pretty sure of that. But a request on fedora-selinux-list 
or in bugzilla to allow this to be enabled would probably be treated 
sympathetically.

Paul.



