Bug 1315554 - Satellite SELinux policy should allow cobbler to write to /tftpboot directory
Status: NEW
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Jan Dobes
QA Contact: Red Hat Satellite QA List
Reported: 2016-03-07 23:09 EST by Paul Wayper
Modified: 2016-06-14 07:31 EDT (History)
Doc Type: Bug Fix
Type: Bug
Description Paul Wayper 2016-03-07 23:09:46 EST
Description of problem:

Satellite 5 uses cobbler to write the templates used to boot machines, including files in the /tftpboot directory.  Normally these are given the tftpdir_t type, but in earlier Satellite 5 installations they use the public_content_rw_t type.  Cobbler is unable to write to this directory in the standard SELinux policy.

There are two ways of fixing this.

The more secure way is to allow processes of cobbler_exec_t type to write to files of tftpdir_t or public_content_rw_t type:

# source must be the daemon's domain (cobblerd_t); a *_exec_t type labels the executable, not the running process
allow cobblerd_t { tftpdir_t public_content_rw_t }:{ dir file } write;

(Or something similar - I haven't tested that)

The other is for the Satellite installer to turn on the cobbler_anon_write boolean:

setsebool -P cobbler_anon_write on

Version-Release number of selected component (if applicable):

Satellite 5.7

How reproducible:


Steps to Reproduce:
1. Install Satellite 5.7 with TFTP options for PXE booting.
2. Create /tftpboot directory, give it public_content_rw_t type
3. Try to use cobbler to set up a kickstart file in /tftpboot

Actual results:

4. AVC denial message, cobbler cannot create file.

Expected results:

4. Cobbler creates file, kittens frolic with joy.

Additional info:
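An added diagnostic script, not from the bug report and not part of Satellite or cobbler, that follows the tftp directory's symlink, reads the real directory's SELinux context and the cobbler_anon_write boolean, and reports whether the stock policy should let cobblerd write there. The type-to-verdict table, the domain name cobblerd_t and the tftpdir_rw_t type are assumptions about the RHEL 6 era targeted policy; the constructed contexts used for testing mirror the ones quoted in the comments.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report: given a tftp directory's SELinux
# context and the state of the cobbler_anon_write boolean, say whether the
# stock targeted policy lets cobblerd (domain cobblerd_t) write there.
# The type -> verdict table is an assumption about the RHEL 6 era policy:
#   tftpdir_rw_t         writable tftp content, cobblerd may manage it
#   public_content_rw_t  writable only while cobbler_anon_write is on
#   tftpdir_t            read-only tftp content
#   anything else        not a tftp content type (e.g. spacewalk_data_t, root_t)
#
# classify_tftp_dir <object_context> <on|off>
# Prints "OK ..." or "DENY ..."; returns 0 for OK, 1 for DENY.
classify_tftp_dir() {
    ctx=$1
    anon_write=$2
    # the type is the third field of user:role:type:level
    setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
    case "$setype" in
        tftpdir_rw_t)
            echo "OK tftpdir_rw_t is writable tftp content"
            return 0 ;;
        public_content_rw_t)
            if [ "$anon_write" = on ]; then
                echo "OK public_content_rw_t is writable while cobbler_anon_write is on"
                return 0
            fi
            echo "DENY public_content_rw_t needs: setsebool -P cobbler_anon_write on"
            return 1 ;;
        tftpdir_t)
            echo "DENY tftpdir_t is read-only tftp content"
            return 1 ;;
        *)
            echo "DENY $setype is not a tftp content type; compare stat -c %C with matchpathcon"
            return 1 ;;
    esac
}

# Live check when a path is given: follow the symlink (the /tftpboot ->
# /var/satellite/tftpboot case from comment 3), read the real directory's
# context with stat and the boolean with getsebool, then classify.
if [ -n "${1:-}" ]; then
    real=$(readlink -f "$1")
    ctx=$(stat -c %C "$real")
    anon=$(getsebool cobbler_anon_write | awk '{print $NF}')
    echo "$1 -> $real  context=$ctx  cobbler_anon_write=$anon"
    classify_tftp_dir "$ctx" "$anon"
fi
```

Run as `sh check_tftp.sh /tftpboot` on the Satellite host; with no argument only the classifier function is defined.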
Comment 1 Jan Dobes 2016-03-08 07:43:31 EST
Do you have a more specific scenario in which this bug happens? Also, I think the /tftpboot directory is not the default now; in my Satellite 5.7 installation I see it's configured as /var/lib/tftpboot.
Comment 3 Paul Wayper 2016-03-10 23:46:10 EST
Hi Jan,

In this case the /tftpboot directory is symlinked to /var/satellite/tftpboot:

# ls -Z / | grep tftpboot 
lrwxrwxrwx. root root unconfined_u:object_r:root_t:s0 tftpboot -> /var/satellite/tftpboot/

/var/satellite/tftpboot has the type of spacewalk_data_t.

Does that make sense?

Comment 4 Jan Dobes 2016-03-14 09:01:37 EDT
Is the /tftpboot symlink custom? Where does the "/var/satellite/tftpboot" path come from? Which version of tftp-server are you using?

I do not think we should add non-default tftpboot directories to the Satellite policy (we do not manage tftp policies at all).
Comment 5 Paul Wayper 2016-04-18 00:56:47 EDT
Hi Jan,

As far as I can see the /tftpboot directory is the default location for in.tftpd to fetch files from.  The /var/satellite/tftpboot directory is where Satellite's SELinux configuration expects Satellite's tftp content to be:

# semanage fcontext -l -C | grep /var/satellite/tftpboot
/var/satellite/tftpboot(/.*)?                      all files          system_u:object_r:public_content_rw_t:s0 

According to the documentation, it should be /var/lib/tftpboot - in:

"4. The DHCP server refers to the boot image file at /var/lib/tftpboot/pxelinux.0"

I think the simple way to resolve this is: what is the correct directory, and what should the SELinux context be, to allow:

* Satellite to configure PXE booting
* in.tftpd to read the tftp boot files

Thanks in advance,

Comment 6 Jan Dobes 2016-06-14 07:31:37 EDT
The problem is that Satellite does not care about tftp SELinux permissions at all. tftp-server is part of RHEL. On RHEL 5 the default location was /tftpboot; on RHEL 6 the default location is /var/lib/tftpboot. This is hardcoded in the tftp-server RPM.

Maybe there is a problem in some upgrade scenario from RHEL 5 to RHEL 6, but I do not think Satellite/cobbler should maintain SELinux for tftp in this case.
