+++ This bug was initially created as a clone of Bug #683377 +++

Description of problem:
SELinux prevents dnsmasq from accessing /var/lib/tftpboot/pxelinux.0 when SELinux is enabled and a Linux guest PXE installation is executed.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-113.el6.x86_64
# rpm -q libvirt
libvirt-0.8.7-10.el6.x86_64
# rpm -q dnsmasq
dnsmasq-2.48-4.el6.x86_64
# rpm -q selinux-policy
selinux-policy-3.7.19-54.el6.noarch
# rpm -qa|grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64

How reproducible:
always (enable selinux)

Steps to Reproduce:
1. yum install tftp tftp-server
2. setup a dhcp server
3. setup a tftp server
4. start to install

1) create a tftpbr1 bridge and activate it
# virsh net-list
Name                 State      Autostart
-----------------------------------------
default              active     yes
tftpbr1              active     no

# virsh net-dumpxml tftpbr1
<network>
  <name>tftpbr1</name>
  <uuid>201c7283-ab7e-dc51-d71d-115fc72b5485</uuid>
  <forward mode='nat'/>
  <bridge name='br1' stp='off' delay='1' />
  <mac address='52:54:00:0C:E4:25'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <tftp root='/var/lib/tftpboot' />
    <dhcp>
      <range start='192.168.100.2' end='192.168.100.254' />
      <bootp file='pxelinux.0' />
    </dhcp>
  </ip>
</network>

2) let the guest point to tftpbr1
# virsh dumpxml vr-rhel6-x86_64-kvm
<domain type='kvm'>
  <name>vr-rhel6-x86_64-kvm</name>
  ......
  <os>
    <type arch='x86_64' machine='rhel6.1.0'>hvm</type>
    <boot dev='network'/>
  </os>
  ......
  <interface type='network'>
    <mac address='52:54:00:d1:ea:3a'/>
    <source network='tftpbr1'/>
    <model type='rtl8139'/>
  </interface>
  ......

3) setup a tftp server
# wget -P /var/lib/tftpboot http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/vmlinuz
# wget -P /var/lib/tftpboot http://download.englab.nay.redhat.com/pub/rhel/released/RHEL-6/6.0/Server/x86_64/os/images/pxeboot/initrd.img
# cat /var/lib/tftpboot/pxelinux.cfg/default
DISPLAY boot.txt
DEFAULT vr-rhel6-x86_64-kvm
LABEL vr-rhel6-x86_64-kvm
  kernel vmlinuz
  append initrd=initrd.img ks=http://home.englab.nay.redhat.com/~nzhang/http/ks-rhel6-x86_64.cfg
PROMPT 1
TIMEOUT 10

4) start to install the guest
# virsh start guestname

Actual results:
TFTP cannot access /var/lib/tftpboot/pxelinux.0: Permission denied

Expected results:
support pxe installation with selinux enabled

Additional info:
The dnsmasq process is labeled dnsmasq_t; however, /var/lib/tftpboot is labeled tftpdir_rw_t, so dnsmasq has no permission to access the pxelinux.0 file under /var/lib/tftpboot. I can resolve the issue if I set up a dnsmasq r/w permission label on /var/lib/tftpboot/pxelinux.0, for example by recursively relabeling /var/lib/tftpboot from tftpdir_rw_t to dnsmasq_var_run_t; then guest pxe installation works with selinux enabled.

# ps -ef | grep dnsmasq | grep -v grep
nobody    2070     1  0 Feb18 ?        00:00:04 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file= --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override
nobody   23456     1  0 15:44 ?        00:00:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/tftpbr1.pid --conf-file= --listen-address 192.168.100.1 --except-interface lo --dhcp-range 192.168.100.2,192.168.100.254 --dhcp-lease-max=253 --dhcp-no-override --enable-tftp --tftp-root /var/lib/tftpboot --dhcp-boot pxelinux.0

# ps -eZ |grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023      2070 ?        00:00:04 dnsmasq
unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 23456 ?        00:00:00 dnsmasq

# ll -Z /var/lib/tftpboot/
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rwxrwxrwx. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

# cat /var/log/messages
......
Mar  9 16:28:45 dhcp-65-1 kernel: type=1400 audit(1299659325.744:32411): avc:  denied  { search } for  pid=23456 comm="dnsmasq" name="tftpboot" dev=sda8 ino=2146394 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=dir
Mar  9 16:28:45 dhcp-65-1 dnsmasq-tftp[23456]: TFTP cannot access /var/lib/tftpboot/pxelinux.0: Permission denied
......

--- Additional comment from ajia on 2011-03-09 05:03:55 EST ---

Created attachment 483143
pxe_installation_permission_denied picture

--- Additional comment from dwalsh on 2011-03-18 10:03:59 EDT ---

Please test with the 6.1 policy selinux-policy-3.7.19-79.el6

This is allowed in that policy.

--- Additional comment from mgrepl on 2011-03-18 10:23:56 EDT ---

Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

--- Additional comment from ajia on 2011-03-21 22:35:40 EDT ---

The bug has been verified on rhel6.1 (2.6.32-120.el6.x86_64) with selinux-policy-3.7.19-79.el6.noarch. I can successfully install a libvirt guest by the pxe method with selinux enabled, so I set the bug status to VERIFIED.

# rpm -qa | grep tftp
tftp-0.49-5.1.el6.x86_64
tftp-server-0.49-5.1.el6.x86_64
# ps -eZ | grep dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023  2068 ?        00:00:00 dnsmasq
system_u:system_r:dnsmasq_t:s0-s0:c0.c1023  6074 ?        00:00:00 dnsmasq
# ll -Z /var/lib/tftpboot/
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 initrd.img
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.0
drwxr-xr-x. root root unconfined_u:object_r:tftpdir_rw_t:s0 pxelinux.cfg
-rw-r--r--. root root unconfined_u:object_r:tftpdir_rw_t:s0 vmlinuz

--- Additional comment from ajia on 2011-03-23 22:37:36 EDT ---

(In reply to comment #3)
> Yes, the latest RHEL6 policy has a lot of fixes for cobbler/tftp/dnsmasq.

Hi Daniel and Miroslav,

When I do a default install of the tftp-server package on the local machine, /var/lib/tftpboot is owned by root with the system_u:object_r:var_lib_t:s0 label. I need to manually and recursively change the label type from var_lib_t to tftpdir_rw_t; otherwise I will still meet the permission denied issue. Is this an expected result?

Alex

--- Additional comment from dwalsh on 2011-03-24 14:28:16 EDT ---

What does
matchpathcon /var/lib/tftpboot/
say?

If you run
restorecon -R -v /var/lib/tftpboot
does it fix the label?

What does
rpm -qf /var/lib/tftpboot

--- Additional comment from ajia on 2011-03-24 23:00:37 EDT ---

(In reply to comment #6)
> What does
> matchpathcon /var/lib/tftpboot/
> say?

# matchpathcon /var/lib/tftpboot/
/var/lib/tftpboot	system_u:object_r:tftpdir_rw_t:s0
# ll -Z /var/lib/tftpboot/
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   initrd.img
-rw-r--r--. root root system_u:object_r:var_lib_t:s0   pxelinux.0
drwxrwxrwx. root root system_u:object_r:var_lib_t:s0   pxelinux.cfg
-rw-rw-rw-. root root system_u:object_r:var_lib_t:s0   vmlinuz

> If you run
> restorecon -R -v /var/lib/tftpboot
> does it fix the label?

# restorecon -R -v /var/lib/tftpboot
restorecon reset /var/lib/tftpboot/initrd.img context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/vmlinuz context system_u:object_r:var_lib_t:s0->system_u:object_r:tftpdir_rw_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.cfg/default context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0
restorecon reset /var/lib/tftpboot/pxelinux.0 context system_u:object_r:var_lib_t:s0->system_u:object_r:cobbler_var_lib_t:s0

> What does
> rpm -qf /var/lib/tftpboot

# rpm -qf /var/lib/tftpboot
tftp-server-0.49-5.1.el6.x86_64

And I can successfully install a libvirt guest OS by the pxe method after running restorecon -R -v /var/lib/tftpboot, so must I manually do this before installing the guest OS?

BTW, I newly installed the tftp and tftp-server packages, and I haven't changed any label on the /var/lib/tftpboot directory, so I can make sure the environment is clean.

Thanks,
Alex

--- Additional comment from dwalsh on 2011-03-25 07:59:57 EDT ---

If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server, rpm should create the directory with the correct context. I am not sure how you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir /var/lib/tftpboot, which would cause it to be mislabeled.

You should not need to run restorecon unless you created the directory by hand.

--- Additional comment from ajia on 2011-03-25 10:25:47 EDT ---

(In reply to comment #8)
> If you remove the /var/lib/tftpboot directory and yum reinstall tftp-server
> rpm should create the directory with the correct context. I am not sure how
> you got this mislabeled unless you did a rm -rf /var/lib/tftpboot and a mkdir
> /var/lib/tftpboot, which would cause it to be mislabeled.
>
> You should not need to run restorecon unless you created the directory by hand.

Hi Daniel,

Thanks for your comment. I am using an automated test script to run the pxe installation; as you said, the script is using mkdir to create /var/lib/tftpboot again (in fact, the directory already exists from installing the tftp-server package), so that should be the root cause of the issue. I will check it again.

Alex

--- Additional comment from dwalsh on 2011-03-25 12:16:59 EDT ---

Just add restorecon to the test script after you create it and everything should work fine.


SELinux is preventing dnsmasq (dnsmasq_t) "search" to ./tftpboot (tftpdir_rw_t).

Additional Information:

Source Context                system_u:system_r:dnsmasq_t:SystemLow-SystemHigh
Target Context                system_u:object_r:tftpdir_rw_t
Target Objects                ./tftpboot [ dir ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dnsmasq-2.45-1.1.el5_3
Target RPM Packages           tftp-server-0.49-2
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-254.el5 #1 SMP Thu Mar 31 00:02:05 EDT 2011 x86_64 x86_64
Alert Count                   460
First Seen                    Fri 01 Apr 2011 02:45:12 PM CST
Last Seen                     Fri 01 Apr 2011 05:30:13 PM CST
Local ID                      8e7465b3-6dba-4ba0-9f95-8e62542612d6
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1301650213.616:51): avc: denied { search } for pid=4452 comm="dnsmasq" name="tftpboot" dev=sda1 ino=2097268 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1301650213.616:51): arch=c000003e syscall=2 success=no exit=-13 a0=18fff010 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4452 auid=4294967295 uid=99 gid=40 euid=99 suid=99 fsuid=99 egid=40 sgid=40 fsgid=40 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)

# rpm -q selinux-policy
selinux-policy-2.4.6-300.el5
# uname -r
2.6.18-254.el5
# rpm -q libvirt
libvirt-0.8.2-16.el5
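Added example, not part of this report or of the libvirt/selinux-policy projects: a small Python triage that parses AVC lines like the ones quoted above and, given the label matchpathcon reports for the path, tells the two failure modes in this thread apart: a directory mislabeled var_lib_t after a hand-made mkdir (fix with restorecon) versus a correctly labeled tftpdir_rw_t directory that the policy simply did not allow dnsmasq_t to search (fixed by the policy update). The sample lines and EXPECTED_CTX are constructed from values on this page; the var_lib_t line is a rewrite of the quoted one.

```python
import re

# Constructed sample inputs: the AVC denial quoted in this report, and a copy of it
# rewritten to carry the var_lib_t label that the test script's mkdir produced.
AVC_LINE = ('Mar  9 16:28:45 dhcp-65-1 kernel: type=1400 audit(1299659325.744:32411): '
            'avc:  denied  { search } for  pid=23456 comm="dnsmasq" name="tftpboot" '
            'dev=sda8 ino=2146394 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:tftpdir_rw_t:s0 tclass=dir')
MISLABELED_LINE = AVC_LINE.replace('tcontext=unconfined_u:object_r:tftpdir_rw_t:s0',
                                   'tcontext=system_u:object_r:var_lib_t:s0')
# What matchpathcon reported for /var/lib/tftpboot in this thread (from file_contexts).
EXPECTED_CTX = 'system_u:object_r:tftpdir_rw_t:s0'

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus the key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def selinux_type(context):
    """user:role:type[:range] -> type; allow rules in the policy key on the type."""
    return context.split(':')[2]


def classify(avc, expected_ctx):
    """Labeling problem or policy gap?

    If the label the kernel saw (tcontext) differs from what the policy's file contexts
    assign to the path (expected_ctx, i.e. matchpathcon output), restorecon is the fix.
    If they agree, the object is labeled correctly and the policy itself lacks the rule.
    """
    source, target = selinux_type(avc['scontext']), selinux_type(avc['tcontext'])
    expected = selinux_type(expected_ctx)
    if target != expected:
        return 'mislabeled', 'restorecon -R -v the path: %s should be %s' % (target, expected)
    return 'policy-gap', '%s lacks { %s } on %s:%s' % (
        source, ' '.join(avc['perms']), target, avc.get('tclass', '?'))


def triage(lines, expected_ctx):
    """Classify every AVC denial found in a list of log lines (non-AVC lines are skipped)."""
    return [classify(a, expected_ctx) for a in map(parse_avc, lines) if a]
```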
Fixed in selinux-policy-2.4.6-304.el5
The bug has been verified on rhel5.6 (2.6.18-254.el5) with selinux-policy-2.4.6-304.el5, and I can successfully pxe install a libvirt qemu guest.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html