+++ This bug was initially created as a clone of Bug #1213530 +++ Description of problem: The Cobbler daemon needs to be able to write certain files to the /var/lib/tftpboot directory to support PXE booting. A recent Cobbler update adds two new sub-directories that it needs to be able to write (images2 and aarch64), so their default selinux policy needs to be updated. Version-Release number of selected component (if applicable): All How reproducible: Always Steps to Reproduce: 0. Be running with selinux in Enforcing. 1. Install a Cobbler daemon that is new enough to include aarch64 bootloader support (for example from Spacewalk 2.3 or newer upstream cobblers). 2. Get cobbler bootloaders for aarch64 (ex. by installing cobbler-loaders from Spacewalk 2.3) 3. Run "cobbler sync" to copy bootloaders into /var/lib/tftpboot 4. restorecon -R -v /var/lib/tftpboot/ 5. "cobbler sync" again. Actual results: Sync fails due to a "permission denied" error thanks to not-updated selinux contexts. Relevant two line snip from /var/log/cobbler/cobbler.log: Fri Apr 17 16:17:14 2015 - INFO | Exception occured: <type 'exceptions.IOError'> Fri Apr 17 16:17:14 2015 - INFO | Exception value: [Errno 13] Permission denied: '/var/lib/tftpboot/aarch64/grub.cfg' Expected results: Sync succeeds successfully, no selinux denial. Additional info: A "permanent workaround" for this issue is to add the selinux context definitions for the new directories by hand using semanage (provided by the policycoreutils-python rpm): # semanage fcontext -a -t cobbler_var_lib_t "/var/lib/tftpboot/aarch64(/.*)?" # semanage fcontext -a -t cobbler_var_lib_t "/var/lib/tftpboot/images2(/.*)?" # restorecon -R -v /var/lib/tftpboot/ This type of policy update is very standard for cobbler / tftpboot interaction, see for example this portion of the output of greping for tftpboot in file_contexts: # grep tftpboot /etc/selinux/targeted/contexts/files/file_contexts /var/lib/tftpboot(/.*)? system_u:object_r:tftpdir_rw_t:s0 /var/lib/tftpboot/etc(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/ppc(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/grub(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/s390x(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/images(/.*)? system_u:object_r:cobbler_var_lib_t:s0 ... We just need to do the same thing for the two new directories that cobbler needs to write, something like: /var/lib/tftpboot/aarch64(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/images2(/.*)? system_u:object_r:cobbler_var_lib_t:s0
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.057:17292) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd410 a2=0x7f001fffd410 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.057:17292) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.057:17291) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd860 a2=0x7f001fffd860 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.057:17291) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17293) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f0018004590 a1=0x7f001fffd360 a2=0x7f001fffd360 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.058:17293) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17294) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f0018004590 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x0 items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.058:17294) : avc: denied { write } for pid=13774 comm=cobblerd name=bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17295) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd640 a2=0x7f001fffd640 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.058:17295) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file
commit 60d3ce9b4b270dbb2e69ca166bc26bd392009014 Author: Miroslav Grepl <mgrepl> Date: Mon May 4 15:16:24 2015 +0200 Add support for new cobbler dir locations: "/var/lib/tftpboot/aarch64(/.*)?" "/var/lib/tftpboot/images2(/.*)?" and label them as cobbler_var_lib_t. (#1213535)
selinux-policy-3.13.1-126.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-126.fc22
Package selinux-policy-3.13.1-126.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-126.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-8101/selinux-policy-3.13.1-126.fc22 then log in and leave karma (feedback).
selinux-policy-3.13.1-126.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.