692811 – SELinux prevents pxe installation to work

Bug 692811 - SELinux prevents pxe installation to work

Summary: SELinux prevents pxe installation to work

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.7
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	683377
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-01 09:36 UTC by Alex Jia
Modified:	2012-10-15 14:01 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-2.4.6-304.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:	683377
Environment:
Last Closed:	2011-07-21 09:18:58 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1069	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-07-21 09:18:27 UTC

Description Alex Jia 2011-04-01 09:36:15 UTC

+++ This bug was initially created as a clone of Bug #683377 +++

Description of problem:
SELinux prevents dnsmasq to access /var/lib/tftpboot/pxelinux.0 when enable
selinux and execute linux guest pxe installation.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-113.el6.x86_64

# rpm -q libvirt
libvirt-0.8.7-10.el6.x86_64

# rpm -q dnsmasq
dnsmasq-2.48-4.el6.x86_64

# rpm -q selinux-policy
selinux-policy-3.7.19-54.el6.noarch

# rpm -qa|grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64


How reproducible:
always (enable selinux)

Steps to Reproduce:
1. yum install tftp tftp-server
2. setup a dhcp server
3. setup a tftp server
4. start to install

1) create a tftpbr1 bridge and active it
# virsh net-list
Name                 State      Autostart
-----------------------------------------
default              active     yes       
tftpbr1              active     no   

# virsh net-dumpxml tftpbr1
<network>
  <name>tftpbr1</name>
  <uuid>201c7283-ab7e-dc51-d71d-115fc72b5485</uuid>
  <forward mode='nat'/>
  <bridge name='br1' stp='off' delay='1' />
  <mac address='52:54:00:0C:E4:25'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <tftp root='/var/lib/tftpboot' />
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254' />
      <bootp file='pxelinux.0' />
    </dhcp>
  </ip>
</network>

2) let guest point to the tftpbr1
# virsh dumpxml vr-rhel6-x86_64-kvm
<domain type='kvm'>
  <name>vr-rhel6-x86_64-kvm</name>
  ......
  <os>
    <type arch='x86_64' machine='rhel6.1.0'>hvm</type>
    <boot dev='network'/>
  </os>
  ......
      <interface type='network'>
      <mac address='52:54:00:d1:ea:3a'/>
      <source network='tftpbr1'/>
      <model type='rtl8139'/>
    </interface>
  ......

3) setup a tftp server
# wget -P /var/lib/tftpboot
http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/vmlinuz

# wget -P /var/lib/tftpboot
http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/initrd.img

# cat /var/lib/tftpboot/pxelinux.cfg/default 
DISPLAY boot.txt
DEFAULT vr-rhel6-x86_64-kvm
LABEL vr-rhel6-x86_64-kvm
     kernel vmlinuz
     append initrd=initrd.img
ks=http://home.englab.nay.redhat.com/~nzhang/http/ks-rhel6-x86_64.cfg

PROMPT 1
TIMEOUT 10

4) start to install guest
# virsh start guestname

Actual results:
TFTP cannot access /var/lib/tftpboot/pxelinux.0: Permission denied

Expected results:
support pxe installation with selinux enable

Additional info:
The dnsmasq process is labeled by dnsmasq_t, however, /var/lib/tftpboot is
labeled by tftpdir_rw_t, so dnsmasq hasn't permission to access pxelinux.0
file under the /var/lib/tftpboot.

I can resolve the issue if setup a dnsmasq r/w permission label to
/var/lib/tftpboot/pxelinux.0, for example, recursively relabel
/var/lib/tftpboot from tftpdir_rw_t to dnsmasq_var_run_t, it will be okay for
guest pxe installation
with selinux enable.

# ps -ef | grep dnsmasq | grep -v grep
nobody    2070     1  0 Feb18 ?        00:00:04 /usr/sbin/dnsmasq
--strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address
192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254
--dhcp-lease-max=253 --dhcp-no-override
nobody   23456     1  0 15:44 ?        00:00:00 /usr/sbin/dnsmasq
--strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/tftpbr1.pid --conf-file=  --listen-address
192.168.100.1 --except-interface lo --dhcp-range 192.168.100.2,192.168.100.254
--dhcp-lease-max=253 --dhcp-no-override --enable-tftp --tftp-root
/var/lib/tftpboot --dhcp-boot pxelinux.0

# ps -eZ |grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 2070 ? 00:00:04 dnsmasq
unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 23456 ? 00:00:00 dnsmasq

# ll -Z /var/lib/tftpboot/
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

# cat /var/log/messages
......
Mar  9 16:28:45 dhcp-65-1 kernel: type=1400 audit(1299659325.744:32411): avc: 
denied  { search } for  pid=23456 comm="dnsmasq" name="tftpboot" dev=sda8
ino=2146394 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=dir
Mar  9 16:28:45 dhcp-65-1 dnsmasq-tftp[23456]: TFTP cannot access
/var/lib/tftpboot/pxelinux.0: Permission denied
......

--- Additional comment from ajia on 2011-03-09 05:03:55 EST ---

Created attachment 483143 [details]
pxe_installation_permission_denied picture

--- Additional comment from dwalsh on 2011-03-18 10:03:59 EDT ---

Please test with the 6.1 policy  selinux-policy-3.7.19-79.el6

This is allowed in that policy.

--- Additional comment from mgrepl on 2011-03-18 10:23:56 EDT ---

Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

--- Additional comment from ajia on 2011-03-21 22:35:40 EDT ---

The bug has been verified on rhel6.1(2.6.32-120.el6.x86_64) with selinux-policy-3.7.19-79.el6.noarch, I can successfully install libvirt guest by pxe method with selinux enable, so set bug status to VERIFIED.


# rpm -qa | grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64

# ps -eZ | grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 2068 ? 00:00:00 dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 6074 ? 00:00:00 dnsmasq

# ll -Z /var/lib/tftpboot/
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxr-xr-x. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

--- Additional comment from ajia on 2011-03-23 22:37:36 EDT ---

(In reply to comment #3)
> Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

Hi Daniel and Miroslav,
when I default install tftp-server package on local machine, /var/lib/tfpboot is 
owned by root with system_u:object_r:var_lib_t:s0 label, I need to manually recursively change label type from var_lib_t to tftpdir_rw_t, otherwise, I still will met permission denied issue, is this a expected result?

Alex

--- Additional comment from dwalsh on 2011-03-24 14:28:16 EDT ---

What does 
matchpathcon /var/lib/tftpboot/ 

say?

If you run 
restorecon -R -v /var/lib/tftpboot 
does it fix the label?

What does 

rpm -qf /var/lib/tftpboot

--- Additional comment from ajia on 2011-03-24 23:00:37 EDT ---

(In reply to comment #6)
> What does 
> matchpathcon /var/lib/tftpboot/ 
> 
> say?
# matchpathcon /var/lib/tftpboot/ 
/var/lib/tftpboot	system_u:object_r:tftpdir_rw_t:s0

# ll -Z /var/lib/tftpboot/
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   initrd.img
-rw-r--r--. root root system_u:object_r:var_lib_t:s0   pxelinux.0
drwxrwxrwx. root root system_u:object_r:var_lib_t:s0   pxelinux.cfg
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   vmlinuz
> 
> If you run 
> restorecon -R -v /var/lib/tftpboot 
> does it fix the label?

# restorecon -R -v /var/lib/tftpboot
restorecon reset /var/lib/tftpboot/initrd.img context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/vmlinuz context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg/default context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.0 context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
> 
> What does 
> 
> rpm -qf /var/lib/tftpboot

# rpm -qf /var/lib/tftpboot
tftp-server-0.49-5.1.el6.x86_64


And I can successfully install libvirt guest os by pxe method after running restorecon -R -v /var/lib/tftpboot, so Must I manually do this action before installing guest os? 

BTW, I renew installed tftp and tftp-server package, and I haven't changed any label for /var/lib/tftpboot directory, so I can make sure environment is clean.


Thanks,
Alex

--- Additional comment from dwalsh on 2011-03-25 07:59:57 EDT ---

If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server
rpm should create the directory with the correct context.  I am not sure how you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir /var/lib/tftpboot, which would cause it to be mislabeled.

You should not need to run restorecon unless you created the directory by hand.

--- Additional comment from ajia on 2011-03-25 10:25:47 EDT ---

(In reply to comment #8)
> If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server
> rpm should create the directory with the correct context.  I am not sure how
> you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir
> /var/lib/tftpboot, which would cause it to be mislabeled.
> 
> You should not need to run restorecon unless you created the directory by hand.

Hi Daniel,
Thanks for you comment, I am using a automate test script to run pxe installation,
as you said, the script is using mkdir to create /var/lib/tftpboot again(in fact, the directory has existed by installing tftp-server package), so it should be a root reason of the issue. I will check it again.

Alex

--- Additional comment from dwalsh on 2011-03-25 12:16:59 EDT ---

Just add restorecon to the test script after you create it and everything should work fine.


SELinux is preventing dnsmasq (dnsmasq_t) "search" to ./tftpboot (tftpdir_rw_t).

Additional Information:

Source Context                system_u:system_r:dnsmasq_t:SystemLow-SystemHigh
Target Context                system_u:object_r:tftpdir_rw_t
Target Objects                ./tftpboot [ dir ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dnsmasq-2.45-1.1.el5_3
Target RPM Packages           tftp-server-0.49-2
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-254.el5 #1 SMP
                              Thu Mar 31 00:02:05 EDT 2011 x86_64 x86_64
Alert Count                   460
First Seen                    Fri 01 Apr 2011 02:45:12 PM CST
Last Seen                     Fri 01 Apr 2011 05:30:13 PM CST
Local ID                      8e7465b3-6dba-4ba0-9f95-8e62542612d6
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1301650213.616:51): avc:  denied  { search } for  pid=4452 comm="dnsmasq" name="tftpboot" dev=sda1 ino=2097268 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1301650213.616:51): arch=c000003e syscall=2 success=no exit=-13 a0=18fff010 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4452 auid=4294967295 uid=99 gid=40 euid=99 suid=99 fsuid=99 egid=40 sgid=40 fsgid=40 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)



# rpm -q selinux-policy
selinux-policy-2.4.6-300.el5

# uname -r
2.6.18-254.el5

# rpm -q libvirt
libvirt-0.8.2-16.el5

Comment 1 Miroslav Grepl 2011-04-05 14:37:55 UTC

Fixed in selinux-policy-2.4.6-304.el5

Comment 2 Alex Jia 2011-04-06 05:36:03 UTC

The bug has been verified on rhel5.6(2.6.18-254.el5) with selinux-policy-2.4.6-304.el5. and I can successfully pxe install a libvirt qemu guest.

Comment 3 errata-xmlrpc 2011-07-21 09:18:58 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 4 errata-xmlrpc 2011-07-21 11:56:15 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.