TFTP uploads failing


Solution 1

Followed the info at http://grimwell.wikispaces.com/tftpd, paying particular attention to "rinse and repeat" in order to get the selinux policies in place. After a few attempts it all started working - uploading, and creation of new files.

In short:

  • make sure you have audit installed in centos otherwise SELinux may not log anything!
  • make sure your xinetd.d/tftpd has -c -v -s /tftpboot in the server args line
  • make sure that the directory tftp will be writing to has 777 permissions
  • do a tftp localhost and try to put a file in the directory
  • touch a file in the directory, chmod 666 it, and then via tftp localhost, try and overwrite the file
  • do grep tftp /var/log/audit/audit.log | audit2allow -m tftpwrite to create a selinux policy. Make sure that the policy includes write and create lines. If not, try writing and creating again to generate alerts in the audit log and try again.
  • create an installable policy using grep tftp /var/log/audit/audit.log | audit2allow -M tftpwrite then install it using semodule -i tftpwrite.pp
  • service xinetd reload and try using tftp.

Splendid. Hope others find this useful!
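One check worth doing at the audit2allow step above is to look at which permissions in.tftpd was actually denied before turning the log into a policy module, so you know the module will grant write and create on the upload directory and nothing broader. The script below is an added example, not code from the answer or from the tftpd or SELinux projects; the AVC lines it parses are constructed samples in the normal auditd format (the real file is /var/log/audit/audit.log), and the function names are my own.

```shell
#!/bin/sh
# Added example: triage AVC denials for in.tftpd before running audit2allow.
# SAMPLE_AUDIT_LOG is a constructed stand-in for /var/log/audit/audit.log.

SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1265210000.123:45): avc:  denied  { write } for  pid=20383 comm="in.tftpd" name="router.cfg" dev=sda1 ino=12345 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
type=AVC msg=audit(1265210010.456:46): avc:  denied  { create } for  pid=20383 comm="in.tftpd" name="switch.cfg" scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
type=AVC msg=audit(1265210010.456:47): avc:  denied  { add_name } for  pid=20383 comm="in.tftpd" name="switch.cfg" scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=AVC msg=audit(1265210020.789:48): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1265210020.789:48): arch=c000003e syscall=2 success=no exit=-13 comm="in.tftpd"
EOF
)

# denied_perms LOG COMM: print one "tclass permission" pair per AVC denial
# logged for process COMM (other processes and non-AVC records are skipped).
denied_perms() {
    printf '%s\n' "$1" | awk -v comm="$2" '
        /^type=AVC / && index($0, "comm=\"" comm "\"") {
            split($0, a, "{"); split(a[2], b, "}")   # text between { and }
            n = split(b[1], p)                        # one or more permissions
            tclass = $NF; sub(/^tclass=/, "", tclass)
            for (i = 1; i <= n; i++) print tclass, p[i]
        }' | sort -u
}

# denied_target_types LOG COMM: the object types COMM was denied access to.
# Anything other than the tftp directory type means the generated module
# would reach beyond the upload directory and needs a closer look.
denied_target_types() {
    printf '%s\n' "$1" | awk -v comm="$2" '
        /^type=AVC / && index($0, "comm=\"" comm "\"") {
            t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t)
            split(t, c, ":"); print c[3]
        }' | sort -u
}

# has_denial LOG COMM TCLASS PERM: exit 0 if that exact denial was logged.
has_denial() {
    denied_perms "$1" "$2" | grep -qx "$3 $4"
}

# upload_denials_complete LOG: audit2allow only emits rules for denials that
# were logged, so both a write and a create on a file must be present for the
# resulting module to cover overwriting and creating uploads.
upload_denials_complete() {
    has_denial "$1" in.tftpd file write && has_denial "$1" in.tftpd file create
}

if [ "${1:-}" = "--demo" ]; then
    echo "Denied permissions for in.tftpd:"
    denied_perms "$SAMPLE_AUDIT_LOG" in.tftpd
    echo "Target types involved:"
    denied_target_types "$SAMPLE_AUDIT_LOG" in.tftpd
    if upload_denials_complete "$SAMPLE_AUDIT_LOG"; then
        echo "write and create denials present; audit2allow -M tftpwrite will cover uploads"
    else
        echo "write or create denial missing; retry the upload so both get logged"
    fi
fi
```

Run it with `--demo` to see the constructed sample evaluated; on a real box replace `$SAMPLE_AUDIT_LOG` with `"$(cat /var/log/audit/audit.log)"`. If the target types list shows anything other than the tftp directory type, the module audit2allow builds from that log is wider than "let tftpd write to its upload directory", which is the moment to trim the log before running `-M`.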

Solution 2

I found another, better solution to this problem. I couldn't believe that the people who wrote the selinux policy files didn't think that people would need tftp uploads so I did some digging. I couldn't find anything on the internet that isn't already referenced here but by searching the selinux policy I was able to find another security context already on the system for tftp writes. Changing the context of /tftpboot fixed the problem.

# sesearch -a | grep tftpdir  |grep tftpd_
   allow tftpd_t tftpdir_t : file { read getattr }; 
   allow tftpd_t tftpdir_t : dir { read getattr search }; 
   allow tftpd_t tftpdir_t : lnk_file { read getattr }; 
   allow tftpd_t tftpdir_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow tftpd_t tftpdir_rw_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; 
   allow tftpd_t tftpdir_rw_t : lnk_file { read create getattr setattr unlink link rename }; 
# ls -Z /tftpboot/ -a
drwxrwxrwx  root root system_u:object_r:tftpdir_t      .
drwxr-xr-x  root root system_u:object_r:root_t         ..
# chcon -t tftpdir_rw_t /tftpboot
# ls -Z /tftpboot/ -a
drwxrwxrwx  root root system_u:object_r:tftpdir_rw_t   .
drwxr-xr-x  root root system_u:object_r:root_t         ..
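The chcon above takes effect immediately, but it only changes the label on the inode: a filesystem relabel (restorecon, a relabel at boot, or a policy update) puts the directory back to tftpdir_t because the file-context database still says so. The script below is an added example, not code from the answer or from the SELinux project: it reads the type out of `ls -Zd` output, decides from the sesearch rules shown above whether tftpd_t can write there, and prints the semanage/restorecon pair that makes the label persistent. The function names and the sample `ls -Z` line are my own; the `(/.*)?` suffix in the fcontext regex also answers the question about subdirectories, since it labels everything below the directory and files created later normally inherit the parent directory's type.

```shell
#!/bin/sh
# Added example: check the SELinux type of the tftp upload directory and show
# how to make the tftpdir_rw_t label survive a relabel. Constructed sample of
# the `ls -Zd /tftpboot` line from the answer:
SAMPLE_BEFORE='drwxrwxrwx  root root system_u:object_r:tftpdir_t      .'
SAMPLE_AFTER='drwxrwxrwx  root root system_u:object_r:tftpdir_rw_t   .'

# type_of LS_Z_LINE: extract the SELinux type from one line of `ls -Z` output.
# The context is the field containing ":object_r:", wherever ls puts it.
type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (index($i, ":object_r:")) { split($i, c, ":"); print c[3]; exit }
    }'
}

# writable_by_tftpd TYPE: per the sesearch output in the answer, tftpd_t gets
# file write/create only on tftpdir_rw_t; tftpdir_t is read-only.
writable_by_tftpd() {
    [ "$1" = "tftpdir_rw_t" ]
}

# persistent_label_cmds DIR: the commands that record the label in the
# file-context database (so restorecon keeps it) and then apply it to DIR
# and everything under it, instead of a one-off chcon.
persistent_label_cmds() {
    printf 'semanage fcontext -a -t tftpdir_rw_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# check_dir DIR: report the live label of DIR; prints the fix if it is wrong.
check_dir() {
    dir=$1
    line=$(ls -Zd "$dir") || return 1
    t=$(type_of "$line")
    if writable_by_tftpd "$t"; then
        echo "$dir is $t: policy allows tftpd_t to write and create files here"
    else
        echo "$dir is $t: tftpd_t cannot write here; to fix persistently run:"
        persistent_label_cmds "$dir"
    fi
}

case "${1:-}" in
    --check) check_dir "${2:-/tftpboot}" ;;
    --demo)
        echo "before: $(type_of "$SAMPLE_BEFORE")"
        echo "after:  $(type_of "$SAMPLE_AFTER")"
        persistent_label_cmds /tftpboot ;;
esac
```

`./tftpcheck.sh --check /tftpboot` inspects the real directory (it needs the policycoreutils tools present for the printed fix to be usable); `--demo` runs against the constructed lines only. The same check applies to any subdirectory clients upload into: if `type_of` reports tftpdir_t there, the fcontext rule with the `(/.*)?` suffix followed by `restorecon -R` fixes the whole tree in one go.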

Solution 3

Are you starting tftpd with the -s option? Some clients may be expecting this, e.g. uploading a file called foo to /foo is really intended for /tftpboot/foo on the server. Adding -s /tftpboot essentially tells the server to do a "chroot" to that directory.

Try running tftpd manually, e.g. not via xinetd, and see what the output is. You can also try running it with strace to see exactly which files it is attempting to open and which system calls it is making.

Double check /etc/hosts.allow and /etc/hosts.deny to make sure traffic is being allowed into the server.

With respect to SELinux, depending on how your system is configured it may be logging to /var/log/audit/audit.log if you have enabled auditd. See section 5 of this page.

Author: dunxd

Updated on September 17, 2022

Comments

  • dunxd
    dunxd almost 2 years

    I am running TFTPD via xinetd on a Centos 5.4 server. I am able to access files via tftp fine, so I know the service is running ok. However, whenever I try and upload a file I get a 0 Permission denied message.

    I have already created the file in /tftpboot and set the permissions to 666.

    My tftpd config has verbose logging (-vvvv), but all I see in my /var/log/messages is:

    START: tftp pid=20383 from=192.168.77.4

    I have seen some mention that SELinux can prevent TFTPD uploads, but I'd expect to see something in the logs. I have SELinux set in permissive mode.

    Any ideas?

    • dunxd
      dunxd over 14 years
      Ok - I've now tested running outside of xinetd using the following command: in.tftpd -l -c -v -u root -s /tftpboot This seems to work ok. However, when running with the following xinetd config, which I believe does the same thing, I get the same error with writing files.
    • dunxd
      dunxd over 14 years
      Aha - a bit of a breakthrough. I installed auditd, and things started to appear in the audit log relating to tftp. I then used grep tftp /var/log/audit/audit.log | audit2allow -M tftpwrite to generate a SELinux rule to allow tftp to write. I then applied this with semodule -i tftpwrite.pp and restarted xinetd. Now I am able to save over existing files, which gets me some of the way there. I am still unable to create new files, despite the presence of the -c flag in the config for xinetd. Would be nice to be able to create from network devices saving their config via TFTP.
    • dunxd
      dunxd over 14 years
      Nice discussion on some of this here - grimwell.wikispaces.com/tftpd
  • dunxd
    dunxd over 14 years
    Unfortunately I do have the -s flag set. Reading files works just fine, so connectivity is functioning. There is no /var/log/audit/audit.log. Not familiar with strace - I guess that is the next thing to try.
  • dunxd
    dunxd about 14 years
    Nice digging! Would it be necessary to do the same procedure for subdirectories of tftpboot?