Hide Forgot
+++ This bug was initially created as a clone of Bug #1213530 +++ Description of problem: The Cobbler daemon needs to be able to write certain files to the /var/lib/tftpboot directory to support PXE booting. A recent Cobbler update adds two new sub-directories that it needs to be able to write (images2 and aarch64), so their default selinux policy needs to be updated. Version-Release number of selected component (if applicable): All How reproducible: Always Steps to Reproduce: 0. Be running with selinux in Enforcing. 1. Install a Cobbler daemon that is new enough to include aarch64 bootloader support (for example from Spacewalk 2.3 or newer upstream cobblers). 2. Get cobbler bootloaders for aarch64 (ex. by installing cobbler-loaders from Spacewalk 2.3) 3. Run "cobbler sync" to copy bootloaders into /var/lib/tftpboot 4. restorecon -R -v /var/lib/tftpboot/ 5. "cobbler sync" again. Actual results: Sync fails due to a "permission denied" error thanks to not-updated selinux contexts. Relevant two line snip from /var/log/cobbler/cobbler.log: Fri Apr 17 16:17:14 2015 - INFO | Exception occured: <type 'exceptions.IOError'> Fri Apr 17 16:17:14 2015 - INFO | Exception value: [Errno 13] Permission denied: '/var/lib/tftpboot/aarch64/grub.cfg' Expected results: Sync succeeds successfully, no selinux denial. Additional info: A "permanent workaround" for this issue is to add the selinux context definitions for the new directories by hand using semanage (provided by the policycoreutils-python rpm): # semanage fcontext -a -t cobbler_var_lib_t "/var/lib/tftpboot/aarch64(/.*)?" # semanage fcontext -a -t cobbler_var_lib_t "/var/lib/tftpboot/images2(/.*)?" # restorecon -R -v /var/lib/tftpboot/ This type of policy update is very standard for cobbler / tftpboot interaction, see for example this portion of the output of greping for tftpboot in file_contexts: # grep tftpboot /etc/selinux/targeted/contexts/files/file_contexts /var/lib/tftpboot(/.*)? system_u:object_r:tftpdir_rw_t:s0 /var/lib/tftpboot/etc(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/ppc(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/grub(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/s390x(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/images(/.*)? system_u:object_r:cobbler_var_lib_t:s0 ... We just need to do the same thing for the two new directories that cobbler needs to write, something like: /var/lib/tftpboot/aarch64(/.*)? system_u:object_r:cobbler_var_lib_t:s0 /var/lib/tftpboot/images2(/.*)? system_u:object_r:cobbler_var_lib_t:s0
Please attach the list of SELinux denials: # ausearch -m avc -m user_avc -m selinux_err -i -ts today
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.057:17292) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd410 a2=0x7f001fffd410 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.057:17292) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.057:17291) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd860 a2=0x7f001fffd860 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.057:17291) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17293) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f0018004590 a1=0x7f001fffd360 a2=0x7f001fffd360 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.058:17293) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17294) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f0018004590 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x0 items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.058:17294) : avc: denied { write } for pid=13774 comm=cobblerd name=bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/21/2015 09:08:56.058:17295) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f00180022e0 a1=0x7f001fffd640 a2=0x7f001fffd640 a3=0x652e34366161746f items=0 ppid=1 pid=13774 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1897 comm=cobblerd exe=/usr/bin/python subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(04/21/2015 09:08:56.058:17295) : avc: denied { getattr } for pid=13774 comm=cobblerd path=/var/lib/tftpboot/aarch64/bootaa64.efi dev=dm-0 ino=1722122 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=file
Actually I would like to see it works with semanage-fcontext to be sure.
I added Add cobler_var_lib_t labeling for /var/lib/tftpboot/boot/grub. It allows cobblerd to manage it by default. change. But how I wrote above, restorecon calling will be needed to have it working correctly.
Yes, how I wrote above, this bug is "just" about new labels. We are not able to make it working with transitions rules in RHEL-6. restorecon -Rv will be needed here.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0763.html