    cevanwells

    @cevanwells


    Best posts made by cevanwells

    • RE: Unable to connection TFTP.

      If you don’t want to disable SELinux (or set it to permissive), I’ve had luck under CentOS 7 using the following command:

      $ sudo setsebool -P tftp_home_dir 1
      

      I thought I might expound a little. To test my FOG TFTP server, I used the TFTP client in Windows. If you would like to do the same, you need to permit TFTP through your Windows firewall.

      When I first tried to pull the undionly.kpxe file using the Windows client, I was given the following error:

      PS C:\Users\jarcher> tftp -i 172.19.1.30 GET undionly.kpxe
       Connect request failed
      

      Looking into my /var/log/audit/audit.log file I saw the following:

      $ sudo grep tftp /var/log/audit/audit.log
      ...lots of other stuff here...
      type=AVC msg=audit(1519225691.090:214): avc:  denied  { read } for  pid=3164 comm="in.tftpd" name="undionly.kpxe" dev="dm-0" ino=34386610 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
      ...also lots more here...
      

      If you use audit2allow, you can get some hints on how to fix this error:

      $ sudo grep tftp /var/log/audit/audit.log | audit2allow -m tftpd
      
      module tftpd 1.0;
      
      require {
              type default_t;
              type tftpd_t;
              class file { getattr lock open read };
      }
      
      #============= tftpd_t ==============
      
      #!!!! WARNING: 'default_t' is a base type.
      #!!!! This avc can be allowed using the boolean 'tftp_home_dir'
      allow tftpd_t default_t:file { getattr lock open read };
      

      Note, you might have to install the policycoreutils-python package to get audit2allow.

      Now just run the original command I mentioned above to allow access to the files:

      $ sudo setsebool -P tftp_home_dir 1
      

      SELinux is still set to enforcing:

      $ sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Max kernel policy version:      28
      

      And now the TFTP transfer works in Windows:

      PS C:\Users\jarcher> tftp -i 172.19.1.30 GET undionly.kpxe
      Transfer successful: 95338 bytes in 1 second(s), 95338 bytes/s
      
      posted in FOG Problems
      cevanwells
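
Added example, not part of the original post: a small shell function that reduces AVC denial records like the one quoted above to who was denied what, and marks targets labeled `default_t`, the base type audit2allow warns about, since that label usually means the file is not covered by any labeling rule. The function names, output format and hint strings are assumptions made for this example; the second sample record is constructed.

```shell
#!/usr/bin/env bash
# Summarize SELinux AVC denials from audit.log-style input (added example).

# Sample input: record 1 is the denial quoted in the post; record 2 is
# constructed for illustration (target already carries a TFTP-specific type).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1519225691.090:214): avc:  denied  { read } for  pid=3164 comm="in.tftpd" name="undionly.kpxe" dev="dm-0" ino=34386610 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1519225700.000:215): avc:  denied  { write } for  pid=3164 comm="in.tftpd" name="upload.bin" dev="dm-0" ino=34386611 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints one line per denial:
#   comm|source_type|target_type|class|perms|name|hint
avc_summary() {
  awk '
    /type=AVC/ && /denied/ {
      comm = name = src = tgt = cls = perms = ""
      # The denied permissions sit between "{ " and " }".
      s = index($0, "{ "); e = index($0, " }")
      if (s && e > s) perms = substr($0, s + 2, e - s - 2)
      gsub(/ /, ",", perms)
      # Walk the key=value fields; the type is the third part of a context.
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = substr($i, length(kv[1]) + 2); gsub(/"/, "", v)
        if (kv[1] == "comm") comm = v
        else if (kv[1] == "name") name = v
        else if (kv[1] == "tclass") cls = v
        else if (kv[1] == "scontext") { split(v, c, ":"); src = c[3] }
        else if (kv[1] == "tcontext") { split(v, c, ":"); tgt = c[3] }
      }
      # default_t is a base type: check the file label before widening policy.
      hint = (tgt == "default_t") ? "base-type-target" : "typed-target"
      print comm "|" src "|" tgt "|" cls "|" perms "|" name "|" hint
    }'
}

# Stand-alone run over the embedded sample.
sample_log | avc_summary
```

On a real host the same function can be fed with `sudo grep tftp /var/log/audit/audit.log | avc_summary`.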
