Bug 1213540

Summary: [RHEL7] New cobbler dir definitions needed in /var/lib/tftpboot
Product: Red Hat Enterprise Linux 7 Reporter: Stephen Herr <sherr>
Component: selinux-policyAssignee: Simon Sekidde <ssekidde>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, sherr, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-32.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1213530 Environment:
Last Closed: 2015-11-19 10:32:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1213530    
Bug Blocks: 1213534, 1213535, 1213539    

Description Stephen Herr 2015-04-20 17:52:00 UTC 
+++ This bug was initially created as a clone of Bug #1213530 +++

Description of problem:
The Cobbler daemon needs to be able to write certain files to the /var/lib/tftpboot directory to support PXE booting. A recent Cobbler update adds two new sub-directories that it needs to be able to write (images2 and aarch64), so their default selinux policy needs to be updated.

Version-Release number of selected component (if applicable):
All

How reproducible:
Always

Steps to Reproduce:
0. Be running with selinux in Enforcing.
1. Install a Cobbler daemon that is new enough to include aarch64 bootloader support (for example from Spacewalk 2.3 or newer upstream cobblers).
2. Get cobbler bootloaders for aarch64 (ex. by installing cobbler-loaders from Spacewalk 2.3)
3. Run "cobbler sync" to copy bootloaders into /var/lib/tftpboot
4. restorecon -R -v /var/lib/tftpboot/
5. "cobbler sync" again.

Actual results:
Sync fails due to a "permission denied" error thanks to not-updated selinux contexts. Relevant two line snip from /var/log/cobbler/cobbler.log:
Fri Apr 17 16:17:14 2015 - INFO | Exception occured: <type 'exceptions.IOError'>
Fri Apr 17 16:17:14 2015 - INFO | Exception value: [Errno 13] Permission denied: '/var/lib/tftpboot/aarch64/grub.cfg'

Expected results:
Sync succeeds successfully, no selinux denial.

Additional info:
A "permanent workaround" for this issue is to add the selinux context definitions for the new directories by hand using semanage (provided by the policycoreutils-python rpm):
# semanage fcontext -a -t cobbler_var_lib_t "/var/lib/tftpboot/aarch64(/.*)?"
# semanage fcontext -a -t cobbler_var_lib_t "/var/lib/tftpboot/images2(/.*)?"
# restorecon -R -v /var/lib/tftpboot/

This type of policy update is very standard for cobbler / tftpboot interaction, see for example this portion of the output of greping for tftpboot in file_contexts:
# grep tftpboot /etc/selinux/targeted/contexts/files/file_contexts
/var/lib/tftpboot(/.*)?         system_u:object_r:tftpdir_rw_t:s0
/var/lib/tftpboot/etc(/.*)?     system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/ppc(/.*)?     system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/grub(/.*)?    system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/s390x(/.*)?   system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/images(/.*)?  system_u:object_r:cobbler_var_lib_t:s0
...

We just need to do the same thing for the two new directories that cobbler needs to write, something like:
/var/lib/tftpboot/aarch64(/.*)? system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/images2(/.*)? system_u:object_r:cobbler_var_lib_t:s0
Comment 2 Milos Malik 2015-04-21 06:47:19 UTC 
Please attach the list of SELinux denials:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today
Comment 3 Stephen Herr 2015-04-21 13:15:03 UTC 
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=SYSCALL msg=audit(04/21/2015 09:08:56.057:17292) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd410 a2=0x7f001fffd410 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(04/21/2015 09:08:56.057:17292) : avc:  denied  { getattr } for  pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/21/2015 09:08:56.057:17291) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd860 a2=0x7f001fffd860 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(04/21/2015 09:08:56.057:17291) : avc:  denied  { getattr } for  pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17293) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f0018004590 a1=0x7f001fffd360 a2=0x7f001fffd360 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(04/21/2015 09:08:56.058:17293) : avc:  denied  { getattr } for  pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17294) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f0018004590 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x0 items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(04/21/2015 09:08:56.058:17294) : avc:  denied  { write } for  pid=13774 comm=cobblerd name=bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17295) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd640 a2=0x7f001fffd640 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(04/21/2015 09:08:56.058:17295) : avc:  denied  { getattr } for  pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file
Comment 6 Miroslav Grepl 2015-07-08 15:54:55 UTC 
Milos,
does

# semanage fcontext -a -t cobbler_var_lib_t "/var/lib/tftpboot/boot(/.*)?"

work correctly?
Comment 7 Milos Malik 2015-07-08 20:22:04 UTC 
The AVCs mentioned in comment#5 disappears after applying comment#6.
Comment 14 errata-xmlrpc 2015-11-19 10:32:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html