Description of problem:
cobbler-check says to run:
    /usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/.*"
which results in:
    /usr/sbin/semanage: File context for /tftpboot/.* already defined
Version-Release number of selected component (if applicable):
    cobbler-2.0.10-1.el5
    selinux-policy-2.4.6-279.el5_5.2
    CentOS 5.5
Also:
    # /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"
    libsepol.context_from_record: type httpd_sys_content_rw_t is not defined
    libsepol.context_from_record: could not create context structure
    libsemanage.validate_handler: invalid context system_u:object_r:httpd_sys_content_rw_t:s0 specified for /var/lib/cobbler/webui_sessions/.* [all files]
    libsemanage.dbase_llist_iterate: could not iterate over records
    /usr/sbin/semanage: Could not add file context for /var/lib/cobbler/webui_sessions/.*
Can I get a copy of your /etc/selinux/config please?
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #     targeted - Only targeted network daemons are protected.
    #     strict - Full SELinux protection.
    SELINUXTYPE=targeted
    # SETLOCALDEFS= Check local definition changes
    SETLOCALDEFS=0
Are these causing any issues with the operation of cobbler or is it a documentation issue?
This bug is quite old, is it still an issue?
Well, cobbler check still says:
    1 : you need to set some SELinux content rules to ensure cobbler serves content correctly in your SELinux environment, run the following: /usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/.*" && /usr/sbin/semanage fcontext -a -t public_content_t "/var/www/cobbler"/images/.*
    2 : you need to set some SELinux rules if you want to use cobbler-web (an optional package), run the following: /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"
And I think it's a bad idea for a package to be requesting people to change the default labelling. cobbler seems to work fine with the default labelling.
Ok, so this looks like the same issue Robert Jacobson had reported on the mailing list (in the 2.2.1-1 release thread). Quote:
One more item (bug?); I don't know if this is system-specific to RHEL/CentOS or not:
Cobbler check says to run this:
    /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"
But in my audit log (and sealert), the context should be
    httpd_sys_rw_content_t
NOT
    httpd_sys_content_rw_t
as reported by "cobbler check"
--------------------------------------
That should be an easy fix.
My point is that cobbler should not be asking the user to make changes to the selinux labelling at all. The needed labelling should be made part of the standard selinux policy.
Version 2.2.3-1 has been released, which corrects this issue.
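Added example, not part of the original thread and not Cobbler's code: a shell check that classifies a suggested "semanage fcontext -a" command before it is run, covering both failures reported above (a rule that is already defined, and a type that is not defined in the loaded policy). The function names and the sample type and rule lists are constructed for illustration; on a real host the lists would come from "seinfo -t" and "semanage fcontext -l".

```shell
#!/bin/sh
# Constructed sample data (not from a real host). On a live system capture:
#   seinfo -t             types defined in the loaded policy (setools)
#   semanage fcontext -l  existing file-context rules
SAMPLE_TYPES='Types: 3
   public_content_t
   httpd_sys_content_t
   tftpdir_t'
SAMPLE_RULES='/tftpboot/.*    all files    system_u:object_r:tftpdir_t:s0
/var/www/html(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0'

# Print the type that follows -t in a suggested command line.
fcontext_type() {
    printf '%s\n' "$1" | sed -n 's/.* -t  *\([A-Za-z0-9_]*\).*/\1/p'
}

# Print the double-quoted path spec from the command line.
fcontext_spec() {
    printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p'
}

# Succeed if type $1 appears in the seinfo-style list $2.
type_defined() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' | grep -Fqx -- "$1"
}

# Succeed if path spec $1 already has a rule in the semanage-style list $2.
spec_defined() {
    printf '%s\n' "$2" | awk -v s="$1" '$1 == s { found = 1 } END { exit !found }'
}

# Classify a suggested command ($1) against a type list ($2) and rule list ($3).
# Prints one of: undefined-type, already-defined, ok.
check_suggestion() {
    t=$(fcontext_type "$1"); s=$(fcontext_spec "$1")
    if ! type_defined "$t" "$2"; then echo "undefined-type"
    elif spec_defined "$s" "$3"; then echo "already-defined"
    else echo "ok"; fi
}

# Demo: the two commands quoted in the report, checked against the sample data.
check_suggestion '/usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/.*"' "$SAMPLE_TYPES" "$SAMPLE_RULES"
check_suggestion '/usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"' "$SAMPLE_TYPES" "$SAMPLE_RULES"
```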