Bug 683377 - SELinux prevents PXE installation from working

Summary: SELinux prevents PXE installation from working
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.1
Hardware: x86_64
OS: Linux
Severity: high
Priority: high
Status: CLOSED ERRATA
Reporter: Alex Jia <ajia>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: dwalsh, dyuan, eblake, laine, llim, mmalik, xen-maint, yoyzhang
Target Milestone: rc
Doc Type: Bug Fix
Bug Blocks: 692811
Last Closed: 2011-05-19 12:24:14 UTC

Attachments:
pxe_installation_permission_denied picture

Description Alex Jia 2011-03-09 10:03:04 UTC
Description of problem:
SELinux prevents dnsmasq from accessing /var/lib/tftpboot/pxelinux.0 when SELinux
is enabled and a Linux guest PXE installation is run.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-113.el6.x86_64

# rpm -q libvirt
libvirt-0.8.7-10.el6.x86_64

# rpm -q dnsmasq
dnsmasq-2.48-4.el6.x86_64

# rpm -q selinux-policy
selinux-policy-3.7.19-54.el6.noarch

# rpm -qa|grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64


How reproducible:
always (with SELinux enabled)

Steps to Reproduce:
1. yum install tftp tftp-server
2. setup a dhcp server
3. setup a tftp server
4. start to install

1) create a tftpbr1 bridge and activate it
# virsh net-list
Name                 State      Autostart
-----------------------------------------
default              active     yes       
tftpbr1              active     no   

# virsh net-dumpxml tftpbr1
<network>
  <name>tftpbr1</name>
  <uuid>201c7283-ab7e-dc51-d71d-115fc72b5485</uuid>
  <forward mode='nat'/>
  <bridge name='br1' stp='off' delay='1' />
  <mac address='52:54:00:0C:E4:25'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <tftp root='/var/lib/tftpboot' />
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254' />
      <bootp file='pxelinux.0' />
    </dhcp>
  </ip>
</network>

2) point the guest at the tftpbr1 network
# virsh dumpxml vr-rhel6-x86_64-kvm
<domain type='kvm'>
  <name>vr-rhel6-x86_64-kvm</name>
  ......
  <os>
    <type arch='x86_64' machine='rhel6.1.0'>hvm</type>
    <boot dev='network'/>
  </os>
  ......
      <interface type='network'>
      <mac address='52:54:00:d1:ea:3a'/>
      <source network='tftpbr1'/>
      <model type='rtl8139'/>
    </interface>
  ......

3) setup a tftp server
# wget -P /var/lib/tftpboot http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/vmlinuz

# wget -P /var/lib/tftpboot http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/initrd.img

# cat /var/lib/tftpboot/pxelinux.cfg/default 
DISPLAY boot.txt
DEFAULT vr-rhel6-x86_64-kvm
LABEL vr-rhel6-x86_64-kvm
     kernel vmlinuz
     append initrd=initrd.img ks=http://home.englab.nay.redhat.com/~nzhang/http/ks-rhel6-x86_64.cfg

PROMPT 1
TIMEOUT 10

4) start to install guest
# virsh start guestname

Actual results:
TFTP cannot access /var/lib/tftpboot/pxelinux.0: Permission denied

Expected results:
PXE installation works with SELinux enabled

Additional info:
The dnsmasq process is labeled dnsmasq_t; however, /var/lib/tftpboot is
labeled tftpdir_rw_t, so dnsmasq does not have permission to access the
pxelinux.0 file under /var/lib/tftpboot.

I can resolve the issue by giving /var/lib/tftpboot/pxelinux.0 a label that
dnsmasq can read and write; for example, recursively relabeling
/var/lib/tftpboot from tftpdir_rw_t to dnsmasq_var_run_t makes guest PXE
installation work with SELinux enabled.

# ps -ef | grep dnsmasq | grep -v grep
nobody    2070     1  0 Feb18 ?        00:00:04 /usr/sbin/dnsmasq
--strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address
192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254
--dhcp-lease-max=253 --dhcp-no-override
nobody   23456     1  0 15:44 ?        00:00:00 /usr/sbin/dnsmasq
--strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/tftpbr1.pid --conf-file=  --listen-address
192.168.100.1 --except-interface lo --dhcp-range 192.168.100.2,192.168.100.254
--dhcp-lease-max=253 --dhcp-no-override --enable-tftp --tftp-root
/var/lib/tftpboot --dhcp-boot pxelinux.0

# ps -eZ |grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 2070 ? 00:00:04 dnsmasq
unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 23456 ? 00:00:00 dnsmasq

# ll -Z /var/lib/tftpboot/
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

# cat /var/log/messages
......
Mar  9 16:28:45 dhcp-65-1 kernel: type=1400 audit(1299659325.744:32411): avc:  denied  { search } for  pid=23456 comm="dnsmasq" name="tftpboot" dev=sda8 ino=2146394 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=dir
Mar  9 16:28:45 dhcp-65-1 dnsmasq-tftp[23456]: TFTP cannot access /var/lib/tftpboot/pxelinux.0: Permission denied
......

Comment 1 Alex Jia 2011-03-09 10:03:55 UTC
Created attachment 483143: pxe_installation_permission_denied picture

Comment 2 Daniel Walsh 2011-03-18 14:03:59 UTC
Please test with the 6.1 policy  selinux-policy-3.7.19-79.el6

This is allowed in that policy.

Comment 3 Miroslav Grepl 2011-03-18 14:23:56 UTC
Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

Comment 4 Alex Jia 2011-03-22 02:35:40 UTC
The bug has been verified on RHEL 6.1 (2.6.32-120.el6.x86_64) with selinux-policy-3.7.19-79.el6.noarch; I can successfully install a libvirt guest by the PXE method with SELinux enabled, so I am setting the bug status to VERIFIED.


# rpm -qa | grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64

# ps -eZ | grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 2068 ? 00:00:00 dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 6074 ? 00:00:00 dnsmasq

# ll -Z /var/lib/tftpboot/
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxr-xr-x. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

Comment 5 Alex Jia 2011-03-24 02:37:36 UTC
(In reply to comment #3)
> Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

Hi Daniel and Miroslav,
when I do a default install of the tftp-server package on the local machine, /var/lib/tftpboot is
owned by root with the system_u:object_r:var_lib_t:s0 label. I need to manually and recursively change the label type from var_lib_t to tftpdir_rw_t; otherwise I still get the permission denied issue. Is this an expected result?

Alex

Comment 6 Daniel Walsh 2011-03-24 18:28:16 UTC
What does 
matchpathcon /var/lib/tftpboot/ 

say?

If you run 
restorecon -R -v /var/lib/tftpboot 
does it fix the label?

What does 

rpm -qf /var/lib/tftpboot

Comment 7 Alex Jia 2011-03-25 03:00:37 UTC
(In reply to comment #6)
> What does 
> matchpathcon /var/lib/tftpboot/ 
> 
> say?
# matchpathcon /var/lib/tftpboot/ 
/var/lib/tftpboot	system_u:object_r:tftpdir_rw_t:s0

# ll -Z /var/lib/tftpboot/
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   initrd.img
-rw-r--r--. root root system_u:object_r:var_lib_t:s0   pxelinux.0
drwxrwxrwx. root root system_u:object_r:var_lib_t:s0   pxelinux.cfg
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   vmlinuz
> 
> If you run 
> restorecon -R -v /var/lib/tftpboot 
> does it fix the label?

# restorecon -R -v /var/lib/tftpboot
restorecon reset /var/lib/tftpboot/initrd.img context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/vmlinuz context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg/default context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.0 context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
> 
> What does 
> 
> rpm -qf /var/lib/tftpboot

# rpm -qf /var/lib/tftpboot
tftp-server-0.49-5.1.el6.x86_64


And I can successfully install the libvirt guest OS by the PXE method after running restorecon -R -v /var/lib/tftpboot, so must I manually do this before installing the guest OS?

BTW, I reinstalled the tftp and tftp-server packages, and I haven't changed any label on the /var/lib/tftpboot directory, so I can be sure the environment is clean.


Thanks,
Alex

Comment 8 Daniel Walsh 2011-03-25 11:59:57 UTC
If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server,
rpm should create the directory with the correct context.  I am not sure how you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir /var/lib/tftpboot, which would cause it to be mislabeled.

You should not need to run restorecon unless you created the directory by hand.

Comment 9 Alex Jia 2011-03-25 14:25:47 UTC
(In reply to comment #8)
> If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server
> rpm should create the directory with the correct context.  I am not sure how
> you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir
> /var/lib/tftpboot, which would cause it to be mislabeled.
> 
> You should not need to run restorecon unless you created the directory by hand.

Hi Daniel,
Thanks for your comment. I am using an automated test script to run the PXE installation;
as you said, the script uses mkdir to create /var/lib/tftpboot again (in fact, the directory already exists from installing the tftp-server package), so that should be the root cause of the issue. I will check it again.

Alex

Comment 10 Daniel Walsh 2011-03-25 16:16:59 UTC
Just add restorecon to the test script after you create it and everything should work fine.
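
The thread above shows the two different reasons an AVC denial like the one in the description can appear: in the original report the directory carried the correct tftpdir_rw_t label and the policy itself lacked the rule (fixed in selinux-policy-3.7.19-79.el6), whereas in comment 7 the directory had been recreated by hand and carried var_lib_t, which restorecon fixes. The following is an added example, not code from the bug report or from the selinux-policy package: a small POSIX shell helper that parses an AVC denial line and tells the two cases apart, given the type that `matchpathcon` reports for the path. The first sample line is the denial quoted in the description; the second is constructed to mirror the mislabeled case from comment 7, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report. Parses an SELinux AVC denial
# line (the kind dnsmasq produced above) and decides whether the target is
# mislabeled (restorecon fixes it) or the policy itself lacks the rule.
# Assumption: EXPECTED_TYPE is what `matchpathcon PATH` prints for the path.

# avc_field LINE KEY: print the value of KEY=VALUE in an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2=" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k) == 1) {
                v = substr($i, length(k) + 1)
                gsub("\"", "", v)
                print v
                exit
            }
    }'
}

# avc_perm LINE: print the denied permission(s) between "{" and "}".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*[{] *\([^}]*[^} ]\) *[}].*/\1/p'
}

# context_type CONTEXT: the type component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_verdict LINE EXPECTED_TYPE:
#   "mislabeled" when the target's type differs from the file-context
#                default (fix: restorecon -R on the path);
#   "policy"     when the label already matches, so the denial is a real
#                policy gap that only a policy update (or a local module) fixes.
avc_verdict() {
    actual=$(context_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then
        echo mislabeled
    else
        echo policy
    fi
}

# Sample 1: the denial from the report (label correct, policy too strict).
AVC_POLICY_GAP='Mar  9 16:28:45 dhcp-65-1 kernel: type=1400 audit(1299659325.744:32411): avc:  denied  { search } for  pid=23456 comm="dnsmasq" name="tftpboot" dev=sda8 ino=2146394 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=dir'

# Sample 2: constructed to mirror comment 7, where the directory had been
# recreated with mkdir and carried var_lib_t instead of tftpdir_rw_t.
AVC_MISLABELED='Mar 25 10:00:00 dhcp-65-1 kernel: type=1400 audit(1301047200.000:100): avc:  denied  { search } for  pid=6074 comm="dnsmasq" name="tftpboot" dev=sda8 ino=2146394 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# What `matchpathcon /var/lib/tftpboot` printed in comment 7.
EXPECTED=tftpdir_rw_t

for line in "$AVC_POLICY_GAP" "$AVC_MISLABELED"; do
    printf '%s denied %s on %s (%s): %s\n' \
        "$(context_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" \
        "$(avc_field "$line" name)" \
        "$(context_type "$(avc_field "$line" tcontext)")" \
        "$(avc_verdict "$line" "$EXPECTED")"
done
```

On a live host the same decision can be made without parsing: `restorecon -R -n -v /var/lib/tftpboot` lists what would be relabeled without changing anything, and if it prints nothing while the denial persists, the label is right and the policy is what needs fixing. A test script that recreates the directory, as in comment 9, should follow Dan Walsh's advice and run `restorecon -R /var/lib/tftpboot` right after its `mkdir`; `yum reinstall tftp-server` avoids the problem entirely, since rpm applies the file contexts itself.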

Comment 11 errata-xmlrpc 2011-05-19 12:24:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html