Bug 683377 - SELinux prevents pxe installation to work
Summary: SELinux prevents pxe installation to work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 692811
 
Reported: 2011-03-09 10:03 UTC by Alex Jia
Modified: 2012-10-15 14:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 692811 (view as bug list)
Environment:
Last Closed: 2011-05-19 12:24:14 UTC
Target Upstream Version:
Embargoed:


Attachments
pxe_installation_permission_denied picture (83.01 KB, image/png)
2011-03-09 10:03 UTC, Alex Jia


Links
System ID: Red Hat Product Errata RHBA-2011:0526
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2011-05-19 09:37:41 UTC

Description Alex Jia 2011-03-09 10:03:04 UTC
Description of problem:
SELinux prevents dnsmasq from accessing /var/lib/tftpboot/pxelinux.0 when
SELinux is enabled and a Linux guest PXE installation is run.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-113.el6.x86_64

# rpm -q libvirt
libvirt-0.8.7-10.el6.x86_64

# rpm -q dnsmasq
dnsmasq-2.48-4.el6.x86_64

# rpm -q selinux-policy
selinux-policy-3.7.19-54.el6.noarch

# rpm -qa|grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64


How reproducible:
always (enable selinux)

Steps to Reproduce:
1. yum install tftp tftp-server
2. setup a dhcp server
3. setup a tftp server
4. start to install

1) create a tftpbr1 bridge and activate it
# virsh net-list
Name                 State      Autostart
-----------------------------------------
default              active     yes       
tftpbr1              active     no   

# virsh net-dumpxml tftpbr1
<network>
  <name>tftpbr1</name>
  <uuid>201c7283-ab7e-dc51-d71d-115fc72b5485</uuid>
  <forward mode='nat'/>
  <bridge name='br1' stp='off' delay='1' />
  <mac address='52:54:00:0C:E4:25'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <tftp root='/var/lib/tftpboot' />
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254' />
      <bootp file='pxelinux.0' />
    </dhcp>
  </ip>
</network>

2) point the guest at the tftpbr1 network
# virsh dumpxml vr-rhel6-x86_64-kvm
<domain type='kvm'>
  <name>vr-rhel6-x86_64-kvm</name>
  ......
  <os>
    <type arch='x86_64' machine='rhel6.1.0'>hvm</type>
    <boot dev='network'/>
  </os>
  ......
      <interface type='network'>
      <mac address='52:54:00:d1:ea:3a'/>
      <source network='tftpbr1'/>
      <model type='rtl8139'/>
    </interface>
  ......

3) setup a tftp server
# wget -P /var/lib/tftpboot http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/vmlinuz

# wget -P /var/lib/tftpboot http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/initrd.img

# cat /var/lib/tftpboot/pxelinux.cfg/default 
DISPLAY boot.txt
DEFAULT vr-rhel6-x86_64-kvm
LABEL vr-rhel6-x86_64-kvm
     kernel vmlinuz
     append initrd=initrd.img ks=http://home.englab.nay.redhat.com/~nzhang/http/ks-rhel6-x86_64.cfg

PROMPT 1
TIMEOUT 10

4) start to install guest
# virsh start guestname

Actual results:
TFTP cannot access /var/lib/tftpboot/pxelinux.0: Permission denied

Expected results:
PXE installation should work with SELinux enabled.

Additional info:
The dnsmasq process is labeled dnsmasq_t; however, /var/lib/tftpboot is
labeled tftpdir_rw_t, so dnsmasq has no permission to access the pxelinux.0
file under /var/lib/tftpboot.

I can resolve the issue by giving /var/lib/tftpboot/pxelinux.0 a label that
dnsmasq has r/w permission on; for example, recursively relabeling
/var/lib/tftpboot from tftpdir_rw_t to dnsmasq_var_run_t makes guest PXE
installation work with SELinux enabled.

# ps -ef | grep dnsmasq | grep -v grep
nobody    2070     1  0 Feb18 ?        00:00:04 /usr/sbin/dnsmasq
--strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address
192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254
--dhcp-lease-max=253 --dhcp-no-override
nobody   23456     1  0 15:44 ?        00:00:00 /usr/sbin/dnsmasq
--strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/tftpbr1.pid --conf-file=  --listen-address
192.168.100.1 --except-interface lo --dhcp-range 192.168.100.2,192.168.100.254
--dhcp-lease-max=253 --dhcp-no-override --enable-tftp --tftp-root
/var/lib/tftpboot --dhcp-boot pxelinux.0

# ps -eZ |grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 2070 ? 00:00:04 dnsmasq
unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 23456 ? 00:00:00 dnsmasq

# ll -Z /var/lib/tftpboot/
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

# cat /var/log/messages
......
Mar  9 16:28:45 dhcp-65-1 kernel: type=1400 audit(1299659325.744:32411): avc: 
denied  { search } for  pid=23456 comm="dnsmasq" name="tftpboot" dev=sda8
ino=2146394 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=dir
Mar  9 16:28:45 dhcp-65-1 dnsmasq-tftp[23456]: TFTP cannot access
/var/lib/tftpboot/pxelinux.0: Permission denied
......

Comment 1 Alex Jia 2011-03-09 10:03:55 UTC
Created attachment 483143 [details]
pxe_installation_permission_denied picture

Comment 2 Daniel Walsh 2011-03-18 14:03:59 UTC
Please test with the 6.1 policy  selinux-policy-3.7.19-79.el6

This is allowed in that policy.

Comment 3 Miroslav Grepl 2011-03-18 14:23:56 UTC
Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

Comment 4 Alex Jia 2011-03-22 02:35:40 UTC
The bug has been verified on RHEL 6.1 (2.6.32-120.el6.x86_64) with selinux-policy-3.7.19-79.el6.noarch. I can successfully install a libvirt guest by the PXE method with SELinux enabled, so I am setting the bug status to VERIFIED.


# rpm -qa | grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64

# ps -eZ | grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 2068 ? 00:00:00 dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 6074 ? 00:00:00 dnsmasq

# ll -Z /var/lib/tftpboot/
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxr-xr-x. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

Comment 5 Alex Jia 2011-03-24 02:37:36 UTC
(In reply to comment #3)
> Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

Hi Daniel and Miroslav,
when I install the tftp-server package with defaults on a local machine, /var/lib/tftpboot is
owned by root with the system_u:object_r:var_lib_t:s0 label. I need to manually and recursively change the label type from var_lib_t to tftpdir_rw_t, otherwise I still hit the permission denied issue. Is this an expected result?

Alex

Comment 6 Daniel Walsh 2011-03-24 18:28:16 UTC
What does 
matchpathcon /var/lib/tftpboot/ 

say?

If you run 
restorecon -R -v /var/lib/tftpboot 
does it fix the label?

What does 

rpm -qf /var/lib/tftpboot

Comment 7 Alex Jia 2011-03-25 03:00:37 UTC
(In reply to comment #6)
> What does 
> matchpathcon /var/lib/tftpboot/ 
> 
> say?
# matchpathcon /var/lib/tftpboot/ 
/var/lib/tftpboot	system_u:object_r:tftpdir_rw_t:s0

# ll -Z /var/lib/tftpboot/
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   initrd.img
-rw-r--r--. root root system_u:object_r:var_lib_t:s0   pxelinux.0
drwxrwxrwx. root root system_u:object_r:var_lib_t:s0   pxelinux.cfg
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   vmlinuz
> 
> If you run 
> restorecon -R -v /var/lib/tftpboot 
> does it fix the label?

# restorecon -R -v /var/lib/tftpboot
restorecon reset /var/lib/tftpboot/initrd.img context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/vmlinuz context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg/default context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.0 context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
> 
> What does 
> 
> rpm -qf /var/lib/tftpboot

# rpm -qf /var/lib/tftpboot
tftp-server-0.49-5.1.el6.x86_64


And I can successfully install a libvirt guest OS by the PXE method after running restorecon -R -v /var/lib/tftpboot, so must I manually do this before installing the guest OS?

BTW, I reinstalled the tftp and tftp-server packages, and I haven't changed any label on the /var/lib/tftpboot directory, so I can make sure the environment is clean.


Thanks,
Alex

Comment 8 Daniel Walsh 2011-03-25 11:59:57 UTC
If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server
rpm should create the directory with the correct context.  I am not sure how you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir /var/lib/tftpboot, which would cause it to be mislabeled.

You should not need to run restorecon unless you created the directory by hand.

Comment 9 Alex Jia 2011-03-25 14:25:47 UTC
(In reply to comment #8)
> If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server
> rpm should create the directory with the correct context.  I am not sure how
> you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir
> /var/lib/tftpboot, which would cause it to be mislabeled.
> 
> You should not need to run restorecon unless you created the directory by hand.

Hi Daniel,
Thanks for your comment. I am using an automated test script to run the PXE installation;
as you said, the script uses mkdir to create /var/lib/tftpboot again (in fact, the directory already exists from installing the tftp-server package), so that should be the root cause of the issue. I will check it again.

Alex

Comment 10 Daniel Walsh 2011-03-25 16:16:59 UTC
Just add restorecon to the test script after you create it and everything should work fine.
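
The diagnosis in comments 6 through 10 (compare the live label with what matchpathcon says the policy expects, run restorecon only when a hand-made mkdir has left the directory as var_lib_t) and the AVC denial quoted in the description can be scripted as a check for the test script. The following is an added example, not code from the bug report or from the selinux-policy or tftp-server packages; the helper names are this example's own, matchpathcon, restorecon and stat are the real tools, and the only policy assumption is the one comment 7 shows (the policy maps /var/lib/tftpboot to tftpdir_rw_t):

```shell
#!/bin/sh
# Added example, not part of the bug report: check a TFTP root's SELinux type
# against what the policy expects, relabel only if needed, and pull the two
# types out of an AVC denial so a mismatch can be reported in one line.
# Helper names are hypothetical; matchpathcon, restorecon and stat -c %C are
# the real policycoreutils/coreutils tools used in the comments above.

# ctx_type CONTEXT: print the type field (third colon-separated field),
# e.g. system_u:object_r:var_lib_t:s0 -> var_lib_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_matches ACTUAL EXPECTED: succeed (exit 0) when the type fields agree.
label_matches() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# avc_types LINE: from one AVC denial, print "<scontext type> <tcontext type>".
avc_types() {
    s=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    t=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    printf '%s %s\n' "$(ctx_type "$s")" "$(ctx_type "$t")"
}

# ensure_label DIR: compare the directory's live context with the policy's
# file-context rule and run restorecon only when they differ. Needs a live
# SELinux host; the constructed demo below does not call it.
ensure_label() {
    dir=$1
    expected=$(matchpathcon -n "$dir")   # what the policy says DIR should be
    actual=$(stat -c %C "$dir")          # what it is right now
    if label_matches "$actual" "$expected"; then
        echo "$dir already labeled $(ctx_type "$actual")"
    else
        echo "$dir is $(ctx_type "$actual"), policy expects $(ctx_type "$expected"); relabeling"
        restorecon -R -v "$dir"
    fi
}

# Constructed demo input: the denial quoted in the description of this bug.
demo_avc='type=1400 audit(1299659325.744:32411): avc: denied { search } for pid=23456 comm="dnsmasq" name="tftpboot" dev=sda8 ino=2146394 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=dir'

if [ $# -gt 0 ]; then
    ensure_label "$1"        # e.g. sh ensure_tftp_label.sh /var/lib/tftpboot
else
    echo "demo: denial is $(avc_types "$demo_avc")"   # prints: demo: denial is dnsmasq_t tftpdir_rw_t
fi
```

In the test script from comment 9, the call would go right after the mkdir: `mkdir -p /var/lib/tftpboot && ensure_label /var/lib/tftpboot`. Because the check consults matchpathcon rather than a hard-coded type, it keeps working if the policy's file-context rule for the TFTP root changes (comment 7 already shows pxelinux.0 being reset to cobbler_var_lib_t, not tftpdir_rw_t), and it skips the relabel when rpm created the directory correctly, which is the case comment 8 describes.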

Comment 11 errata-xmlrpc 2011-05-19 12:24:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

