Bug 1315554

Summary: Satellite SELinux policy should allow cobbler to write to /tftpboot directory
Product: Red Hat Satellite 5
Reporter: Paul Wayper <pwayper>
Component: Installer
Assignee: Jan Dobes <jdobes>
Status: CLOSED DEFERRED
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: high
Docs Contact:
Priority: medium
Version: 570
CC: dyordano, jalviso, jdobes, mnapolis, pwayper, tlestach
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-09 14:55:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Paul Wayper 2016-03-08 04:09:46 UTC
Description of problem:

Satellite 5 uses cobbler to write the templates used to boot machines, including files in the /tftpboot directory. Normally these are given the tftpdir_t type, but in earlier Satellite 5 installations they use the public_content_rw_t type. Cobbler is unable to write to this directory in the standard SELinux policy.

There are two ways of fixing this.

The more secure way is to allow processes of cobbler_exec_t type to write to files of tftpdir_t or public_content_rw_t type:

allow cobbler_exec_t { tftpdir_t public_content_rw_t }:{ dir file } write;

(Or something similar - I haven't tested that)

The other is for the Satellite installer to turn on the cobbler_anon_write boolean:

setsebool -P cobbler_anon_write on

Version-Release number of selected component (if applicable):

Satellite 5.7

How reproducible:

Always

Steps to Reproduce:
1. Install Satellite 5.7 with TFTP options for PXE booting.
2. Create /tftpboot directory, give it public_content_rw_t type
3. Try to use cobbler to set up a kickstart file in /tftpboot

Actual results:

4. AVC denial message, cobbler cannot create file.

Expected results:

4. Cobbler creates file, kittens frolic with joy.

Additional info:
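
As an added example (not part of the bug report, and not Satellite or cobbler code), here is a small POSIX sh script that turns SELinux AVC denial records of the kind the report describes into candidate allow rules, which is the check to make before choosing between a type-specific rule and the cobbler_anon_write boolean: the rule must name the source domain and target type that were actually denied. The audit lines in it are constructed samples, and the cobblerd_t source domain they use is an assumption; a real audit log names the real domain.

```shell
#!/bin/sh
# Added example, not from the bug report: turn SELinux AVC denial lines from
# /var/log/audit/audit.log into candidate allow rules, so the rule you write
# names the source domain and target type that were actually denied.
# The audit records below are constructed samples; the cobblerd_t source type
# in them is an assumption, your own log shows the real domain.

# The third field of a context like system_u:object_r:public_content_rw_t:s0 is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull one "key=value" token out of an audit record (values carry no spaces).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# avc_to_rule LINE: print "allow SRC TGT:CLASS { perms };" for an AVC denial,
# print nothing and return 1 for any other audit record.
avc_to_rule() {
    line=$1
    case $line in
        *"avc:"*"denied"*) ;;
        *) return 1 ;;
    esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# rules_from_log: read audit records on stdin, print the distinct rules they imply.
rules_from_log() {
    while IFS= read -r l; do
        avc_to_rule "$l" || true   # non-AVC records (SYSCALL etc.) are skipped
    done | sort -u
}

# boolean_hint TYPE: the boolean named in the bug report covers writes to
# public_content_rw_t; any other target type needs a relabel or a policy module.
boolean_hint() {
    case $1 in
        public_content_rw_t) printf 'setsebool -P cobbler_anon_write on\n' ;;
        *) printf 'no boolean known for this type; check restorecon -nv on the path or write a policy module\n' ;;
    esac
}

# Constructed sample records in audit.log format (not from a real system);
# the duplicate create denial shows the dedup in rules_from_log.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1457410186.123:456): avc:  denied  { write add_name } for  pid=1234 comm="cobblerd" name="tftpboot" dev="dm-0" ino=12345 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1457410186.123:456): arch=c000003e syscall=83 success=no exit=-13 comm="cobblerd"
type=AVC msg=audit(1457410186.456:457): avc:  denied  { create } for  pid=1234 comm="cobblerd" name="ks.cfg" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1457410186.456:457): avc:  denied  { create } for  pid=1234 comm="cobblerd" name="ks.cfg" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file permissive=0'

# Stand-alone run over the sample: the rules first, then a hint per target type.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | rules_from_log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | rules_from_log | awk '{ print $3 }' | cut -d: -f1 | sort -u |
while IFS= read -r t; do
    printf '%s: %s\n' "$t" "$(boolean_hint "$t")"
done
```

On a real host the same functions can read `ausearch -m avc` output or /var/log/audit/audit.log directly; audit2allow does this job properly, and `restorecon -nv PATH` reports whether a path's on-disk label matches the policy's fcontext specification, which is worth checking before any new rule is written.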

Comment 1 Jan Dobes 2016-03-08 12:43:31 UTC
Do you have a more specific scenario in which this bug happens? Also, I think the /tftpboot directory is not the default now; in my Satellite 5.7 installation I see it's configured as /var/lib/tftpboot.

Comment 3 Paul Wayper 2016-03-11 04:46:10 UTC
Hi Jan,

In this case the /tftpboot directory is symlinked to /var/satellite/tftpboot:

# ls -Z / | grep tftpboot 
lrwxrwxrwx. root root unconfined_u:object_r:root_t:s0 tftpboot -> /var/satellite/tftpboot/

/var/satellite/tftpboot has the type of spacewalk_data_t.

Does that make sense?

Paul

Comment 4 Jan Dobes 2016-03-14 13:01:37 UTC
Is the /tftpboot symlink custom? Where does the "/var/satellite/tftpboot" path come from? Which version of tftp-server are you using?

I do not think we should add non-default tftpboot directories into the Satellite policy (we do not manage tftp policies at all).

Comment 5 Paul Wayper 2016-04-18 04:56:47 UTC
Hi Jan,

As far as I can see the /tftpboot directory is the default location for in.tftpd to fetch files from. The /var/satellite/tftpboot directory is where Satellite's SELinux configuration expects Satellite's tftp content to be:

# semanage fcontext -l -C | grep /var/satellite/tftpboot
/var/satellite/tftpboot(/.*)?                      all files          system_u:object_r:public_content_rw_t:s0 

According to the documentation, it should be /var/lib/tftpboot - in:

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.6/html/Getting_Started_Guide/chap-Getting_Started_Guide-System_Provisioning.html

"4. The DHCP server refers to the boot image file at /var/lib/tftpboot/pxelinux.0"

I think the simple way to resolve this is: what is the correct directory, and what should the SELinux context be, to allow:

* Satellite to configure PXE booting
* in.tftpd to read the tftp boot files

Thanks in advance,

Paul

Comment 6 Jan Dobes 2016-06-14 11:31:37 UTC
The problem is that Satellite does not care about tftp SELinux permissions at all. tftp-server is part of RHEL. On RHEL 5 the default location was /tftpboot; on RHEL 6 the default location is /var/lib/tftpboot. This is hardcoded in the tftp-server RPM.

Maybe there is a problem in some upgrade scenario from RHEL 5 to RHEL 6, but I do not think Satellite/cobbler should maintain SELinux for tftp in this case.

Comment 7 Tomas Lestach 2018-04-09 14:55:31 UTC
We have re-reviewed this bug, as part of an ongoing effort to improve Satellite/Proxy feature and bug updates, review and backlog.

This is a low priority bug and has no currently open customer cases. While this bug may still be valid, we do not see it being implemented prior to the EOL of the Satellite 5.x product. As such, this is being CLOSED DEFERRED.

Closing now to help set customer expectations as early as possible. You are welcome to re-open this bug if needed.