Bug 1129406
Summary: | Need to label /var/lib/tftpboot/boot(/.*)? as cobbler_var_lib_t | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Orion Poplawski <orion> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Priority: | unspecified |
Version: | 6.5 | CC: | dwalsh, jhutar, mmalik, orion, parsonsa |
Target Milestone: | rc | Hardware: | All |
OS: | Linux | Doc Type: | Bug Fix |
Last Closed: | 2015-02-25 12:49:36 UTC | Type: | Bug |
Description
Orion Poplawski
2014-08-12 16:51:13 UTC
Hello,
I have (possibly) seen something similar. Could you please provide more info?

    # rpm -q cobbler

Are there any other non-default services running on the system?

Could you please provide output of these commands? These won't touch your SELinux labelling, these are just passive checks ("-n" option):

    # restorecon -vRn /var/lib/tftpboot
    # restorecon -vRn /var/lib/cobbler
    # restorecon -vRn /var/lib/.link_cache

Also if you could provide AVCs which appear in /var/log/audit/audit.log while you run `cobbler sync` that would help here. I'm usually getting these this way:

    # sestatus
    # tail -f /var/log/audit/audit.log
    # cobbler sync
    # kill %1

(well, this is based on assumption that `cobbler sync` is what happens when "cobblerd writes" - otherwise just do what you are used to do to make "cobblerd write")

(In reply to Jan Hutař from comment #3)
> Hello,
> I have (possibly) seen something similar. Could you please provide more info?
>
> # rpm -q cobbler

    cobbler-2.6.7-1.el6.noarch

> Are there any other non-default services running on the system?

That's a pretty broad question.

> Could you please provide output of these commands? These won't touch your
> SELinux labelling, these are just passive checks ("-n" option):
>
> # restorecon -vRn /var/lib/tftpboot

    restorecon reset /var/lib/tftpboot/images2 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/images2/memtest86+-5.01 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/images2/memtest86+-5.01-x86_64 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/.link_cache/8945de45524f850431c882bfbc91a1939d3632a4 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/.link_cache/9291e6bd1bc893ea2d389d6bdc25340e9ce97a36 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/memtest/memtest86+-5.01 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/memtest/memtest86+-5.01-x86_64 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/boot context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/boot/grub context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/boot/grub/menu.lst context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0

You'll see that I've labeled them cobbler_var_lib_t myself to get things working.

> # restorecon -vRn /var/lib/cobbler

    restorecon reset /var/lib/cobbler/webui_sessions context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0
    restorecon reset /var/lib/cobbler/webui_sessions/sessionid71b677fce8acd376378e2269e757269b context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0
    restorecon reset /var/lib/cobbler/webui_sessions/sessionidf733551deaad6a13465f8f0c1b411f4b context unconfined_u:object_r:httpd_cobbler_rw_content_t:s0->unconfined_u:object_r:cobbler_var_lib_t:s0
    restorecon reset /var/lib/cobbler/webui_sessions/sessionid9bd0651a36a1495e23516b7a4714da78 context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0

> # restorecon -vRn /var/lib/.link_cache

    restorecon: lstat(/var/lib/.link_cache) failed: No such file or directory

but I have:

    /var/www/cobbler/images/.link_cache
    /var/lib/tftpboot/images/.link_cache
    /var/lib/tftpboot/.link_cache

    # restorecon -vRn /var/lib/tftpboot/.link_cache
    restorecon reset /var/lib/tftpboot/.link_cache/8945de45524f850431c882bfbc91a1939d3632a4 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/.link_cache/9291e6bd1bc893ea2d389d6bdc25340e9ce97a36 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0

the others are silent.

> Also if you could provide AVCs which appear in /var/log/audit/audit.log
> while you run `cobbler sync` that would help here. I'm usually getting these
> this way:
>
> # sestatus
> # tail -f /var/log/audit/audit.log
> # cobbler sync
> # kill %1
>
> (well, this is based on assumption that `cobbler sync` is what happens when
> "cobblerd writes" - otherwise just do what you are used to do to make
> "cobblerd write")

So, I restored the labels in /var/lib to the defaults and tried to reproduce, but now I'm not seeing any trouble.

    selinux-policy-3.7.19-260.el6_6.2.noarch

I'll run this way for a while and see if I come across any problems.

Looks like it may be addressed in that policy. Although when cobbler sync runs it creates files in /var/lib/tftpboot/boot with context cobbler_var_t that restorecond wants to reset to tftpdir_rw_t:

    # restorecon -r -v -n /var/lib/
    restorecon reset /var/lib/tftpboot/boot context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/boot/grub context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
    restorecon reset /var/lib/tftpboot/boot/grub/menu.lst context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0

cobbler appears to create and use the following directories in tftpboot:

    /var/lib/tftpboot/boot
    /var/lib/tftpboot/etc
    /var/lib/tftpboot/grub
    /var/lib/tftpboot/images
    /var/lib/tftpboot/images2
    /var/lib/tftpboot/ppc
    /var/lib/tftpboot/pxelinux.cfg
    /var/lib/tftpboot/s390x

pxelinux.cfg is the standard syslinux location, but the others I believe are cobbler specific.

*** This bug has been marked as a duplicate of bug 816309 ***
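
An added example, not part of the bug report or of any project's code: a small Python parser for the `restorecon -vRn` dry-run lines quoted in the comments above. It groups each mismatch between the on-disk type and the policy default, and keeps only the topmost path of each mislabeled subtree, which is where a file-context rule and the labels actually written disagree. The function names are this example's own; the sample lines are copied from the output in this report.

```python
import re
from collections import defaultdict

# Line format of `restorecon -v` / `-vn` as quoted in this report:
#   restorecon reset <path> context <on-disk context>-><policy default context>
RESET_RE = re.compile(r"^restorecon reset (.+) context (\S+)->(\S+)$")

# Sample input: lines copied from the dry-run output quoted in this report.
SAMPLE = """\
restorecon reset /var/lib/tftpboot/images2 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/images2/memtest86+-5.01 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot/grub context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot/grub/menu.lst context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/cobbler/webui_sessions context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon: lstat(/var/lib/.link_cache) failed: No such file or directory
"""

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_resets(output):
    """Return [(path, on_disk_type, default_type)] for every reset line."""
    rows = []
    for line in output.splitlines():
        m = RESET_RE.match(line.strip())
        if m:  # error lines such as "restorecon: lstat(...) failed" are skipped
            rows.append((m.group(1), se_type(m.group(2)), se_type(m.group(3))))
    return rows

def drift_roots(output):
    """Map (on_disk_type, default_type) to the topmost mismatched paths."""
    by_change = defaultdict(set)
    for path, on_disk, default in parse_resets(output):
        by_change[(on_disk, default)].add(path)
    report = {}
    for change, paths in by_change.items():
        # Drop any path that lies below another mismatched path of the same kind.
        report[change] = sorted(
            p for p in paths
            if not any(p.startswith(q + "/") for q in paths if q != p)
        )
    return report

if __name__ == "__main__":
    for (on_disk, default), roots in drift_roots(SAMPLE).items():
        print(f"{on_disk} -> {default}: {', '.join(roots)}")
```

On a live system the input would be the captured output of the same passive `restorecon -vRn` commands used in the comments, passed to `drift_roots()` as a string.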