allowing in.tftpd to read/write files?

Chuck Anderson cra at WPI.EDU
Fri Oct 19 20:58:57 UTC 2007


On Fri, Oct 19, 2007 at 02:59:58PM -0400, Daniel J Walsh wrote:
> Is this common?  I would think this is dangerous and insecure, but with
> SELinux you could make it a little more secure.

Well, I suppose it is somewhat less common than reading, but there are 
many embedded-type devices that can only get/put files via TFTP.

> tftp can only read public_content policy

Strange that I had to add policy to allow it to read.  Here is the 
sequence of events:

1.  When I installed this server and set up TFTP, I changed 
/etc/xinetd.d/tftp to use the /var/tftp directory instead of 
/tftpboot:

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c -s /var/tftp
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}


2. All files in /var/tftp had the default labeling (This is Fedora 
Core 6 BTW).  According to older audit logs, this was:

user_u:object_r:var_t:s0

3. Reading worked fine with var_t files!?!

4. I tried to upload a file via TFTP, and it failed.

5. I saw the audit messages and tried relabelling everything as 
public_content:

chcon system_u:object_r:tftpdir_t /var/tftp
chcon -R system_u:object_r:public_content_t /var/tftp/*
chcon system_u:object_r:public_content_rw_t /var/tftp/select-files-to-be-writeable

6. I noticed that reading failed.  So var_t files could be read, but 
public_content_t files could not.  Strange.

7. I created local policy to allow tftp to read public_content_t and 
read/write public_content_rw_t.

> 1 Use audit2allow to generate policy to allow tftp to write to the
> files/directory you want.

Done.  See my other message.

> 2. convince me or upstream that tftp should be able to write to
> public_content_rw_t.

I think this would be a good idea.  Perhaps at the same time we should 
make sure /var/tftp is in file_contexts, and make sure 
public_content_t works for reading as well (perhaps this was already 
fixed in Fedora 7 or newer policy).

> BTW, I was at WPI this past Tuesday at the Robot Symposium.  It was
> quite good.

Darn.  It would have been nice to meet you in person.  Glad you liked 
it.
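The seven steps above (default var_t labels, failed upload, chcon relabelling, a policy gap for public_content_t, a local module from audit2allow) are the usual triage loop for a confined daemon. The script below is an added example, not code from this thread or from the Fedora policy project: it parses AVC denial lines for in.tftpd and, for each one, says whether the file is simply mislabelled (fix the label persistently with semanage/restorecon rather than chcon, which is lost on the next relabel), needs the public_content_rw_t type because it is meant to be uploaded to, or is correctly labelled and the loaded policy lacks the rule (the thread's case, answered with an audit2allow module). The audit lines are constructed samples modelled on the scenario in the thread; the type names are the ones the thread uses, and the semanage/ausearch/audit2allow invocations assume a policy release with those tools, not Fedora Core 6 itself.

```python
"""Triage SELinux AVC denials for in.tftpd and propose persistent fixes.

Hypothetical helper written for this example, not from the mailing-list
thread. The audit lines below are constructed samples.
"""
import re
from dataclasses import dataclass

# Constructed sample: three tftpd denials matching the thread's steps plus one
# unrelated sshd denial that the triage must ignore.
SAMPLE_AVC = """\
type=AVC msg=audit(1192820000.123:45): avc:  denied  { write } for  pid=2345 comm="in.tftpd" name="config.bin" dev=sda3 ino=12345 scontext=system_u:system_r:tftpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1192820010.456:46): avc:  denied  { read } for  pid=2346 comm="in.tftpd" name="pxelinux.0" dev=sda3 ino=12346 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1192820020.789:47): avc:  denied  { write } for  pid=2347 comm="in.tftpd" name="switch.cfg" dev=sda3 ino=12347 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1192820030.012:48): avc:  denied  { write } for  pid=2348 comm="sshd" name="x" dev=sda3 ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'(?:\s+name="(?P<name>[^"]+)")?.*?scontext=(?P<sctx>\S+)'
    r'.*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\S+)'
)

WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}
READ_LABEL, WRITE_LABEL, DIR_LABEL = "public_content_t", "public_content_rw_t", "tftpdir_t"


@dataclass
class Denial:
    comm: str
    perms: frozenset
    name: str          # object name from the AVC record, may be empty
    source_type: str   # type field of scontext, e.g. tftpd_t
    target_type: str   # type field of tcontext, e.g. var_t
    tclass: str        # file, dir, ...


def parse_avc(text):
    """Extract the fields we need from each AVC denial line; skip other records."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append(Denial(
            comm=m["comm"],
            perms=frozenset(m["perms"].split()),
            name=m["name"] or "",
            source_type=m["sctx"].split(":")[2],
            target_type=m["tctx"].split(":")[2],
            tclass=m["tclass"],
        ))
    return out


def triage(denial, tftp_root="/var/tftp"):
    """Return (verdict, shell commands) for one tftpd denial, or None if it is
    another domain's denial and should not be folded into the tftp fix."""
    if denial.source_type != "tftpd_t":
        return None
    wants_write = bool(denial.perms & WRITE_PERMS)
    path = f"{tftp_root}/{denial.name}" if denial.name else tftp_root
    if denial.target_type == "var_t":
        # Default label: the object was never labelled for TFTP. Record the
        # label in the file-context database so relabels do not undo it.
        want = DIR_LABEL if denial.tclass == "dir" else (WRITE_LABEL if wants_write else READ_LABEL)
        return ("mislabelled", [f'semanage fcontext -a -t {want} "{path}"', f"restorecon -v {path}"])
    if denial.target_type == READ_LABEL and wants_write:
        # Read-only public content; only the files meant for upload get rw.
        return ("needs_rw_label", [f'semanage fcontext -a -t {WRITE_LABEL} "{path}"', f"restorecon -v {path}"])
    if denial.target_type in (READ_LABEL, WRITE_LABEL, DIR_LABEL):
        # Label already correct; the loaded policy lacks the rule (the thread's
        # case). Build a local module scoped to in.tftpd instead of loosening labels.
        return ("policy_gap", ["ausearch -c in.tftpd --raw | audit2allow -M local_tftp", "semodule -i local_tftp.pp"])
    return ("investigate", [])


if __name__ == "__main__":
    for d in parse_avc(SAMPLE_AVC):
        result = triage(d)
        if result:
            print(d.name, d.target_type, sorted(d.perms), "->", result[0])
            for cmd in result[1]:
                print("   ", cmd)
```

Feed it `ausearch -m avc --raw` output in place of SAMPLE_AVC. Keeping the mislabelled and policy-gap cases apart matters: running audit2allow over a denial caused by a var_t file would grant tftpd access to every var_t file on the system, whereas the right fix there is only the label.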
