Bug 1315556

Summary: Documentation should include instructions to turn on cobbler_anon_write SELinux boolean.
Product: Red Hat Satellite 5 Reporter: Paul Wayper <pwayper>
Component: Docs Installation Guide Assignee: Russell Dickenson <rdickens>
Status: CLOSED CURRENTRELEASE QA Contact: Julie <juwu>
Severity: high Docs Contact:
Priority: medium    
Version: 570 CC: adahms, dmacpher, rdickens
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-20 23:48:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Wayper 2016-03-08 04:10:56 UTC
Description of problem:

Satellite 5 uses cobbler to write the templates used to boot machines, including files in the /tftpboot directory. Normally these are given the tftpdir_t type, but in earlier Satellite 5 installations they use the public_content_rw_t type. Cobbler is unable to write to this directory in the standard SELinux policy.

This access can be allowed by turning on the cobbler_anon_write SELinux boolean switch.

The Satellite 5 installation documentation should recommend turning on this boolean permanently using the command:

setsebool -P cobbler_anon_write on

Version-Release number of selected component (if applicable):

Satellite 5.7

How reproducible:

Always.

Steps to Reproduce:
1. Install Satellite 5.7 with TFTP options for PXE booting.
2. Create /tftpboot directory, give it public_content_rw_t type
3. Try to use cobbler to set up a kickstart file in /tftpboot

Actual results:

4. AVC denial message, cobbler cannot create file.

Expected results:

1a. Documentation guided user to turn SELinux boolean on.
4. Cobbler creates file, kittens frolic with joy.

Additional info:
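
A triage sketch for the denial described in this report, added here as an example and not part of the original report or the Satellite documentation: it checks audit records for cobbler being refused access to public_content_rw_t content and only then recommends the boolean. The function names, the sample AVC records (constructed) and the assumption that cobbler runs in the cobblerd_t domain are not from the report.

```shell
#!/bin/sh
# Added example. Assumes cobbler runs in the cobblerd_t SELinux domain.

# Constructed sample audit records (not taken from a real system).
SAMPLE_AVC='type=AVC msg=audit(1457409056.101:301): avc:  denied  { write } for  pid=2112 comm="cobblerd" name="tftpboot" dev="dm-0" ino=1311 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1457409060.202:302): avc:  denied  { read } for  pid=2200 comm="httpd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Count denials on stdin where cobblerd_t was refused access to an object
# labelled public_content_rw_t, the case cobbler_anon_write covers.
count_cobbler_anon_denials() {
    awk '/avc: +denied/ &&
         /scontext=[^ ]*:cobblerd_t:/ &&
         /tcontext=[^ ]*:public_content_rw_t:/ { n++ }
         END { print n + 0 }'
}

# True when a getsebool output line ("name --> on|off") reports "on".
boolean_is_on() {
    case "$1" in
        *' --> on') return 0 ;;
        *)          return 1 ;;
    esac
}

# $1 = audit log text, $2 = output of `getsebool cobbler_anon_write`.
recommend() {
    hits=$(printf '%s\n' "$1" | count_cobbler_anon_denials)
    if [ "$hits" -eq 0 ]; then
        echo "no-matching-denials"
    elif boolean_is_on "$2"; then
        # Denials predate the change or have another cause; check labels.
        echo "boolean-already-on"
    else
        echo "run: setsebool -P cobbler_anon_write on"
    fi
}

# Live use (as root): ./script.sh --live
if [ "${1:-}" = "--live" ]; then
    recommend "$(ausearch -m avc 2>/dev/null)" \
              "$(getsebool cobbler_anon_write)"
fi
```

Checking the denial first keeps the boolean from being enabled on hosts where /tftpboot already carries the tftpdir_t type and cobbler does not need write access to public content.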

Comment 1 Andrew Dahms 2017-07-04 09:57:38 UTC
Moving to 'NEW' and the default assignee to be triaged as the schedule allows.

Comment 3 Julie 2017-07-21 01:29:45 UTC
Hi Russell, I've merged the MR for 5.8. As requested, I will leave the 5.7 MR to you. Please feel free to move the bug to VERIFIED after you've merged the 5.7 MR.

Cheers,
Julie

Comment 6 Russell Dickenson 2017-07-21 03:48:23 UTC
Andrew,

Please republish the Satellite 5.7 Installation Guide.

Comment 7 Andrew Dahms 2017-07-22 15:13:39 UTC
Hi Russell,

Thank you for your needinfo request.

The Installation Guide for Satellite 5.7 is now queued for publication; closing.

Kind regards,

Andrew