October 30, 2012

TFTP Server and CentOS with SELINUX set to enforcing

Filed under: linux, SELINUX, TFTP Server — lancevermilion @ 11:11 am

I have fun trying to get figure out why I couldn’t get a simple tftp server to work on CentOS 6.3. I turned off iptables, turned on debug (added -d to EXTRAOPTIONS="" in /etc/sysconfig/xinetd), and checked /var/log/messages. I was still failing. While looking at the output of tcpdump I saw the tftp connection came in but nothing ever went back to the host requesting TFTP. I should have looked at the audit log (/var/log/audit/audit.log), but didn’t because I totally spaced it.

I guess I was thinking TFTP (in.tftpd)would have already been added to the SELINUX policy. I was wrong and found a bug ID point to this in FC11 ( I followed the instructions in the comment from that bug ID (that I have copied below) and everything worked like a charm.

Erik Auerswald 2009-10-16 03:43:36 EDT
Well, finally I’ve got TFTP write access working with SELinux in enforcing mode.

The target directory seems to have the correct context:

# semanage fcontext -a -t tftpdir_rw_t ‘/var/lib/tftpboot(/.*)?’
/usr/sbin/semanage: File context for /var/lib/tftpboot(/.*)? already defined

A file created therein (by root, the dir has 0755 permissions, owner root:root) has file context tftpdir_t. If changed to tftpdir_rw_t in.tftpd can write to it:

# touch /var/lib/tftpboot/rms.cfg
# chmod 666 /var/lib/tftpboot/rms.cfg
# ls –context /var/lib/tftpboot/
-rw-rw-rw-. root root unconfined_u:object_r:tftpdir_t:s0 rms.cfg
# chcon -t tftpdir_rw_t /var/lib/tftpboot/rms.cfg

Not knowing much about SELinux I don’t know if this a bug. It is violating the principle of least surprise for people knowing only the traditional TFTP configuration/usage, i.e. without SELinux.

The directory /var/lib/tftpboot is intended to be written by in.tftpd. The files to be written to need to be manually created and set to mode 666. The selinuxtroubleshoot output could be enhanced by mentioning ‘chcon -t tftpdir_rw_t’ for files intended to be written to. IMHO this would help the administrator new to SELinux and keep the spirit of manually allowing TFTP write access only.

[Of course directories, file owners and file permissions used by in.tftpd can be changed via commandline option. The description above fits the Fedora 11 default configuration and reflects pre-SELinux best practice.]


Create a free website or blog at