Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1129406

Summary: Need to label /var/lib/tftpboot/boot(/.*)? as cobbler_var_lib_t
Product: Red Hat Enterprise Linux 6 Reporter: Orion Poplawski <orion>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.5CC: dwalsh, jhutar, mmalik, orion, parsonsa
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-25 12:49:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Orion Poplawski 2014-08-12 16:51:13 UTC 
Description of problem:

cobblerd writes to /var/lib/tftpboot/boot/.  Needs permission.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-248.el6.noarch

This is also an issue in Fedora.
Comment 3 Jan Hutař 2015-01-23 18:51:49 UTC 
Hello,
I have (possibly) seen something similar. Could you please provide more info?

# rpm -q cobbler

Are there any other non-default services running on the system?

Could you please provide output of these commands? These won't touch your SELinux labelling, these are just passive checks ("-n" option):

# restorecon -vRn /var/lib/tftpboot
# restorecon -vRn /var/lib/cobbler
# restorecon -vRn /var/lib/.link_cache

Also if you could provide AVCs which appear in /var/log/audit/audit.log while you run `cobbler sync` that would help here. I'm usually getting these this way:

# sestatus
# tail -f /var/log/audit/audit.log
# cobbler sync
# kill %1

(well, this is based on assumption that `cobbler sync` is what happens when "cobblerd writes" - otherwise just do what you are used to do to make "cobblerd write")
Comment 4 Orion Poplawski 2015-01-23 19:09:05 UTC 
(In reply to Jan Hutař from comment #3)
> Hello,
> I have (possibly) seen something similar. Could you please provide more info?
> 
> # rpm -q cobbler

cobbler-2.6.7-1.el6.noarch
 
> Are there any other non-default services running on the system?

That's a pretty broad question.

> Could you please provide output of these commands? These won't touch your
> SELinux labelling, these are just passive checks ("-n" option):
> 
> # restorecon -vRn /var/lib/tftpboot

restorecon reset /var/lib/tftpboot/images2 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/images2/memtest86+-5.01 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/images2/memtest86+-5.01-x86_64 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/.link_cache/8945de45524f850431c882bfbc91a1939d3632a4 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/.link_cache/9291e6bd1bc893ea2d389d6bdc25340e9ce97a36 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/memtest/memtest86+-5.01 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/memtest/memtest86+-5.01-x86_64 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot/grub context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot/grub/menu.lst context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0

You'll see that I've labeled them cobbler_var_lib_t myself to get things working.

> # restorecon -vRn /var/lib/cobbler

restorecon reset /var/lib/cobbler/webui_sessions context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/cobbler/webui_sessions/sessionid71b677fce8acd376378e2269e757269b context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/cobbler/webui_sessions/sessionidf733551deaad6a13465f8f0c1b411f4b context unconfined_u:object_r:httpd_cobbler_rw_content_t:s0->unconfined_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/cobbler/webui_sessions/sessionid9bd0651a36a1495e23516b7a4714da78 context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0

> # restorecon -vRn /var/lib/.link_cache

restorecon:  lstat(/var/lib/.link_cache) failed:  No such file or directory

but I have:

/var/www/cobbler/images/.link_cache
/var/lib/tftpboot/images/.link_cache
/var/lib/tftpboot/.link_cache

# restorecon -vRn /var/lib/tftpboot/.link_cache
restorecon reset /var/lib/tftpboot/.link_cache/8945de45524f850431c882bfbc91a1939d3632a4 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/.link_cache/9291e6bd1bc893ea2d389d6bdc25340e9ce97a36 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0

the others are silent.

> Also if you could provide AVCs which appear in /var/log/audit/audit.log
> while you run `cobbler sync` that would help here. I'm usually getting these
> this way:
> 
> # sestatus
> # tail -f /var/log/audit/audit.log
> # cobbler sync
> # kill %1
> 
> (well, this is based on assumption that `cobbler sync` is what happens when
> "cobblerd writes" - otherwise just do what you are used to do to make
> "cobblerd write")

So, I restored the labels in /var/lib to the defaults and tried to reproduce, but now I'm not seeing any trouble.

selinux-policy-3.7.19-260.el6_6.2.noarch

I'll run this way for a while and see if a come across any problems.
Comment 5 Orion Poplawski 2015-01-23 19:14:55 UTC 
Looks like it may be addressed in that policy.  Although when cobbler sync runs it creates files in /var/lib/tftpboot/boot with context cobbler_var_t that restorecond wants to reset to tftpdir_rw_t:

# restorecon -r -v -n /var/lib/
restorecon reset /var/lib/tftpboot/boot context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot/grub context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/boot/grub/menu.lst context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
Comment 6 Orion Poplawski 2015-01-23 19:24:39 UTC 
cobbler appears to create and use the following directories in tftpboot:

/var/lib/tftpboot/boot
/var/lib/tftpboot/etc
/var/lib/tftpboot/grub
/var/lib/tftpboot/images
/var/lib/tftpboot/images2
/var/lib/tftpboot/ppc
/var/lib/tftpboot/pxelinux.cfg
/var/lib/tftpboot/s390x

pxelinux.cfg is the standard syslinux location, but the others I believe are cobbler specific.
Comment 7 Miroslav Grepl 2015-02-25 12:49:36 UTC 

*** This bug has been marked as a duplicate of bug 816309 ***