Description of problem:
Cobbler sets the wrong SELinux type for these files: /var/lib/tftpboot/images/*/{vmlinuz, initrd.img}. As a result, we cannot get these files by TFTP while provisioning a new machine.

> tail /var/log/audit/audit.log
...
type=AVC msg=audit(1441015673.174:23842): avc: denied { read } for pid=10371 comm="in.tftpd" name="vmlinuz" dev=dm-2 ino=526460 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file

Version-Release number of selected component (if applicable):
spacewalk-java-2.3.179-1.el6.
cobbler-loaders-1.0.3-1.el6.noarch
cobbler2-2.0.11-42.el6.noarch
cobbler20-2.0.11-42.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Get or create a new kickstart distribution (in my case fedora22_i386).
2. Create a new kickstart profile with this distribution.
3. Check the SELinux labels (in my case for the fedora22_i386 profile):

> cd /var/lib/tftpboot/images/
> ll -Z
...
drwxr-xr-x. root root system_u:object_r:cobbler_var_lib_t:s0 fedora22_i386:1:SpacewalkDefaultOrganization
...
> ll -Z fedora22_i386\:1\:SpacewalkDefaultOrganization

Actual results:
-rw-r--r--. root root unconfined_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. root root unconfined_u:object_r:spacewalk_data_t:s0 vmlinuz

Expected results:
-rw-r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 initrd.img
-rw-r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 vmlinuz

Additional info:
I have a few old kickstarts from a previous version of Spacewalk and they are OK.
Martin, cobbler does not own the vmlinuz and initrd.img images, so it also shouldn't set those files' SELinux context. As far as I know, it's the responsibility of the user to provide the tree path to the images and to make sure their permissions and context are properly set. Why do you think it should be cobbler that sets the SELinux context for these files?
Tomas, I didn't notice that it is a symlink.
This BZ closed some time during 2.5, 2.6 or 2.7. Adding to 2.7 tracking bug.
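Added example, not part of the original bug thread or of cobbler/Spacewalk: a small triage script that parses AVC denials like the one quoted in the report and lists files the tftpd_t domain was denied on because of their label. The function names are hypothetical, the default expected type is taken from the report's "Expected results", and the SYSCALL record in the sample is constructed.

```python
import re
from collections import namedtuple

# Sample input: the AVC record is the one quoted in the report; the SYSCALL
# record is constructed, to show that non-AVC records are skipped.
SAMPLE_LOG = (
    'type=AVC msg=audit(1441015673.174:23842): avc: denied { read } for '
    'pid=10371 comm="in.tftpd" name="vmlinuz" dev=dm-2 ino=526460 '
    'scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1441015673.174:23842): arch=c000003e success=no\n'
)

Denial = namedtuple("Denial", "perms comm name source_type target_type tclass")
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    # maxsplit=3 keeps an MLS range such as s0-s0:c0.c1023 in one piece.
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def parse_denials(log_text):
    """Turn every 'avc: denied' record in log_text into a Denial tuple."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not match:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
        denials.append(Denial(
            tuple(match.group("perms").split()), f.get("comm"), f.get("name"),
            selinux_type(f.get("scontext", "")),
            selinux_type(f.get("tcontext", "")), f.get("tclass")))
    return denials

def mislabeled_for_tftp(denials, expected_type="cobbler_var_lib_t"):
    """Files tftpd_t was denied on whose type differs from expected_type."""
    # Assumption: expected_type is the label the report lists as expected.
    return [d for d in denials
            if d.source_type == "tftpd_t" and d.tclass == "file"
            and d.target_type != expected_type]

if __name__ == "__main__":
    for d in mislabeled_for_tftp(parse_denials(SAMPLE_LOG)):
        print(f"{d.comm} denied {'/'.join(d.perms)} on {d.name}: "
              f"type is {d.target_type}, expected cobbler_var_lib_t")
```

The script only reports the name field of each denial; the full path and the current label still have to be checked on the host, following symlinks, since the thread concludes that the image files are not owned by cobbler.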