Hide Forgot
Description of problem: cobblerd writes to /var/lib/tftpboot/boot/. Needs permission. Version-Release number of selected component (if applicable): selinux-policy-3.7.19-248.el6.noarch This is also an issue in Fedora.
Hello, I have (possibly) seen something similar. Could you please provide more info? # rpm -q cobbler Are there any other non-default services running on the system? Could you please provide output of these commands? These won't touch your SELinux labelling, these are just passive checks ("-n" option): # restorecon -vRn /var/lib/tftpboot # restorecon -vRn /var/lib/cobbler # restorecon -vRn /var/lib/.link_cache Also if you could provide AVCs which appear in /var/log/audit/audit.log while you run `cobbler sync` that would help here. I'm usually getting these this way: # sestatus # tail -f /var/log/audit/audit.log # cobbler sync # kill %1 (well, this is based on assumption that `cobbler sync` is what happens when "cobblerd writes" - otherwise just do what you are used to do to make "cobblerd write")
(In reply to Jan Hutař from comment #3) > Hello, > I have (possibly) seen something similar. Could you please provide more info? > > # rpm -q cobbler cobbler-2.6.7-1.el6.noarch > Are there any other non-default services running on the system? That's a pretty broad question. > Could you please provide output of these commands? These won't touch your > SELinux labelling, these are just passive checks ("-n" option): > > # restorecon -vRn /var/lib/tftpboot restorecon reset /var/lib/tftpboot/images2 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/images2/memtest86+-5.01 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/images2/memtest86+-5.01-x86_64 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/.link_cache/8945de45524f850431c882bfbc91a1939d3632a4 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/.link_cache/9291e6bd1bc893ea2d389d6bdc25340e9ce97a36 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/memtest/memtest86+-5.01 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/memtest/memtest86+-5.01-x86_64 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/boot context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/boot/grub context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/boot/grub/menu.lst context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 You'll see that I've labeled them cobbler_var_lib_t myself to get things working. > # restorecon -vRn /var/lib/cobbler restorecon reset /var/lib/cobbler/webui_sessions context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0 restorecon reset /var/lib/cobbler/webui_sessions/sessionid71b677fce8acd376378e2269e757269b context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0 restorecon reset /var/lib/cobbler/webui_sessions/sessionidf733551deaad6a13465f8f0c1b411f4b context unconfined_u:object_r:httpd_cobbler_rw_content_t:s0->unconfined_u:object_r:cobbler_var_lib_t:s0 restorecon reset /var/lib/cobbler/webui_sessions/sessionid9bd0651a36a1495e23516b7a4714da78 context system_u:object_r:httpd_cobbler_rw_content_t:s0->system_u:object_r:cobbler_var_lib_t:s0 > # restorecon -vRn /var/lib/.link_cache restorecon: lstat(/var/lib/.link_cache) failed: No such file or directory but I have: /var/www/cobbler/images/.link_cache /var/lib/tftpboot/images/.link_cache /var/lib/tftpboot/.link_cache # restorecon -vRn /var/lib/tftpboot/.link_cache restorecon reset /var/lib/tftpboot/.link_cache/8945de45524f850431c882bfbc91a1939d3632a4 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/.link_cache/9291e6bd1bc893ea2d389d6bdc25340e9ce97a36 context system_u:object_r:cobbler_var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0 the others are silent. > Also if you could provide AVCs which appear in /var/log/audit/audit.log > while you run `cobbler sync` that would help here. I'm usually getting these > this way: > > # sestatus > # tail -f /var/log/audit/audit.log > # cobbler sync > # kill %1 > > (well, this is based on assumption that `cobbler sync` is what happens when > "cobblerd writes" - otherwise just do what you are used to do to make > "cobblerd write") So, I restored the labels in /var/lib to the defaults and tried to reproduce, but now I'm not seeing any trouble. selinux-policy-3.7.19-260.el6_6.2.noarch I'll run this way for a while and see if a come across any problems.
Looks like it may be addressed in that policy. Although when cobbler sync runs it creates files in /var/lib/tftpboot/boot with context cobbler_var_t that restorecond wants to reset to tftpdir_rw_t: # restorecon -r -v -n /var/lib/ restorecon reset /var/lib/tftpboot/boot context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/boot/grub context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0 restorecon reset /var/lib/tftpboot/boot/grub/menu.lst context unconfined_u:object_r:cobbler_var_lib_t:s0->unconfined_u:object_r:tftpdir_rw_t:s0
cobbler appears to create and use the following directories in tftpboot: /var/lib/tftpboot/boot /var/lib/tftpboot/etc /var/lib/tftpboot/grub /var/lib/tftpboot/images /var/lib/tftpboot/images2 /var/lib/tftpboot/ppc /var/lib/tftpboot/pxelinux.cfg /var/lib/tftpboot/s390x pxelinux.cfg is the standard syslinux location, but the others I believe are cobbler specific.
*** This bug has been marked as a duplicate of bug 816309 ***