LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 01-24-2012, 03:06 PM   #1
ginda
selinux enforcing mode preventing download of file


Hi all

I am trying to set up a PXE server. When I try to boot using a boot CD it sees the PXE server fine, but I get the below error

Code:
booting from filename "pxelinux.0"
tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)
could not load tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)
When I set SELinux to permissive it works fine. Any ideas, anyone? Any help will really be appreciated.

Thanks
 
Old 01-24-2012, 03:33 PM   #2
MartinStrec
First things first,

Permissive mode of SELinux means SELinux just logs messages instead of denying.
Enforcing mode means that SELinux denies actions and logs messages.

Permissive mode is a good thing to prepare all policies from the audit log.

Run your system with SELinux in permissive mode and use the 'sealert' tool to see what was wrong. After that, set SELinux boolean values on/off or build your own policies. The sealert tool offers common solutions to disable denials that are detected by setroubleshootd (in the log).
 
Old 01-24-2012, 03:41 PM   #3
ginda
Quote:
Originally Posted by MartinStrec
First things first,

Permissive mode of SELinux means SELinux just logs messages instead of denying.
Enforcing mode means that SELinux denies actions and logs messages.

Permissive mode is a good thing to prepare all policies from the audit log.

Run your system with SELinux in permissive mode and use the 'sealert' tool to see what was wrong. After that, set SELinux boolean values on/off or build your own policies. The sealert tool offers common solutions to disable denials that are detected by setroubleshootd (in the log).


I have this message in /var/log/messages

Code:
kernel: type=1400 audit(1327440002.687:45): avc:  denied  { relabelto } for  pid=3872 comm="chcon" name="pxelinux.0" dev=sda2 ino=16207 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_t:s0 tclass=file
 
Old 01-24-2012, 03:47 PM   #4
MartinStrec
What kind of policy do you use? targeted, mls, mcs, other?

Better to see 'sealert' or 'sealert -l /var/log/audit/audit.log'
:-)
 
Old 01-24-2012, 03:58 PM   #5
ginda
Quote:
Originally Posted by MartinStrec
What kind of policy do you use? targeted, mls, mcs, other?

Better to see 'sealert' or 'sealert -l /var/log/audit/audit.log'
:-)
I'm using targeted
 
Old 01-24-2012, 04:02 PM   #6
ginda
Tried again and monitored /var/log/messages

Code:
kernel: type=1400 audit(1327442430.112:52): avc:  denied  { read } for  pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
 
Old 01-24-2012, 04:03 PM   #7
MartinStrec
Look for /var/log/audit/audit.log
 
Old 01-24-2012, 04:20 PM   #8
ginda
Quote:
Originally Posted by MartinStrec
Look for /var/log/audit/audit.log
I started auditd and monitored audit.log; it looks similar to what was coming in the messages log file

Code:
type=AVC msg=audit(1327443555.129:75): avc:  denied  { read } for  pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
Really appreciate all your help
 
Old 01-24-2012, 04:27 PM   #9
MartinStrec
It seems the pxelinux.0 file has a wrong SELinux context,

as 'sealert -a /var/log/audit/audit.log' also says.
It offers two possibilities for how to solve it:

SELinux is preventing dnsmasq from read access on the file pxelinux.0.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'


***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
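The two kinds of denial posted earlier in this thread mean different things: the relabelto denial in post #3 is chcon being refused, while the read denials in posts #6 and #8 show dnsmasq_t blocked from a file that still carries the generic default_t type, which is exactly why the catchall_labels plugin outranks the audit2allow route here. As an added example (not code from this thread), the Python script below parses both the /var/log/messages form and the audit.log form of an AVC record and classifies each denial the same way a triage pass would before anyone reaches for audit2allow. The sample lines are constructed copies of the ones in the thread, and the set of "generic" types it treats as mislabelled is an assumption to extend for your own policy.

```python
import re

# Constructed sample lines, shaped like the ones posted in this thread: one in
# the /var/log/messages form (kernel: type=1400 ...), one in the audit.log form
# (type=AVC ...), and one unrelated line the parser must ignore.
SAMPLE_LINES = [
    'kernel: type=1400 audit(1327440002.687:45): avc:  denied  { relabelto } for  '
    'pid=3872 comm="chcon" name="pxelinux.0" dev=sda2 ino=16207 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:dnsmasq_t:s0 tclass=file',
    'type=AVC msg=audit(1327443555.129:75): avc:  denied  { read } for  '
    'pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 '
    'scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=file',
    'Jan 24 16:02:11 RHEL6 kernel: some unrelated line',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "this file never received a proper label" rather than
# "the policy forbids this access". Assumption: a starting list, extend it for
# your policy.
GENERIC_FILE_TYPES = {"default_t", "unlabeled_t", "file_t"}


def parse_avc(line):
    """Return the AVC fields of one log line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
    }
    # A context is user:role:type[:range]; the type is what policy rules key on.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def triage(rec):
    """Classify a denial: refused relabel, mislabelled target, or a real policy gap."""
    perms = set(rec['perms'])
    if 'relabelto' in perms or 'relabelfrom' in perms:
        return {
            'category': 'relabel-denied',
            'advice': (f"{rec['comm']} tried to give {rec['name']} the type {rec['target_type']}, "
                       f"which the policy does not accept as a file label from {rec['source_type']}; "
                       "pick a file type the policy defines for that directory (e.g. tftpdir_t) "
                       "and apply it with semanage fcontext followed by restorecon"),
        }
    if rec['target_type'] in GENERIC_FILE_TYPES:
        return {
            'category': 'mislabeled',
            'advice': (f"{rec['name']} carries the generic type {rec['target_type']}; relabel it "
                       "(semanage fcontext -a ... then restorecon) rather than writing an "
                       "audit2allow module that would grant access to a wrongly labelled file"),
        }
    return {
        'category': 'policy-gap',
        'advice': (f"{rec['source_type']} is denied {' '.join(rec['perms'])} on a properly "
                   f"labelled {rec['target_type']} {rec['tclass']}; check booleans "
                   "(getsebool -a) before generating a module with audit2allow"),
    }


def triage_log(lines):
    """Run every line through the parser; return (comm, category) for each denial."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            results.append((rec['comm'], triage(rec)['category']))
    return results


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_avc(line)
        if rec:
            verdict = triage(rec)
            print(f"{rec['comm']:8} {verdict['category']:15} {verdict['advice']}")
```

Run it over `/var/log/audit/audit.log` (or the type=1400 lines in /var/log/messages when auditd is not running) and the categories tell you which of sealert's two suggestions applies: a "mislabeled" result means the label fix, while only a "policy-gap" result justifies considering a local module.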
 
Old 01-25-2012, 07:27 AM   #10
ginda
Quote:
Originally Posted by MartinStrec
It seems the pxelinux.0 file has a wrong SELinux context,

as 'sealert -a /var/log/audit/audit.log' also says.
It offers two possibilities for how to solve it:

SELinux is preventing dnsmasq from read access on the file pxelinux.0.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'


***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp


Hi again

Really, really appreciate all the help you're giving me.

First question: where did you find the list of all those fcontexts, or are they called labels?

I did "semanage fcontext -a -t tftpdir_t" on all files in my tftpboot/ directory and the PXE process booted up fine.
 
Old 01-25-2012, 09:50 AM   #11
MartinStrec
All SELinux types, domains and users are defined in the SELinux policy you are using. You can probably use a policy tool such as seedit, find it on the web in the policy documentation, or google it. When you use google, add the policy name to your search query ;-)
 
Old 01-25-2012, 02:29 PM   #12
ginda
Quote:
Originally Posted by MartinStrec
All SELinux types, domains and users are defined in the SELinux policy you are using. You can probably use a policy tool such as seedit, find it on the web in the policy documentation, or google it. When you use google, add the policy name to your search query ;-)
Hi again

I had to create a new PXE server from scratch, and this time I just did restorecon -v "filename" on all of the below

Code:
[root@RHEL6 tftpboot]# ls -rltZ
-rw-r--r--. root root system_u:object_r:tftpdir_t:s0   menu.c32
-rw-r--r--. root root system_u:object_r:tftpdir_t:s0   pxelinux.0
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0   images
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0   pxelinux.cfg
and it automatically set it to tftpdir_t from default_t. How was this possible without doing the semanage part you showed me earlier?
 
Old 01-25-2012, 03:01 PM   #13
MartinStrec
semanage tells the system to map the path of your 'tftpboot' (or any directory that you label by semanage) to the type tftpdir_t.

The common way is to use a regular expression (such as /tftpboot/.* tftpdir_t),
so any new file or directory in /tftpboot will always be of the tftpdir_t SELinux context type, of course until you change it by semanage.

On the first use of semanage, it just sets a rule so that the system knows the SELinux context; it does NOT change the current context of those files!
You have to use 'restorecon' to restore the default context that you've set by semanage.

If you want to change the context despite the semanage default rules, use the 'chcon' command (CLI), see 'man chcon'.

I guess this explanation is sufficient enough for a beginning.
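To make the last post concrete, here is an added Python model (not code from this thread) of the three pieces it describes: the file_contexts rule database that `semanage fcontext -a` appends to, the on-disk label that `chcon` edits, and `restorecon`, which copies the rule's answer onto the file. It assumes, as the restorecon result in post #12 suggests, that the targeted policy already ships a rule mapping /var/lib/tftpboot(/.*)? to tftpdir_t (the other rules in the list are illustrative), and it models matching as last-match-wins over the whole path, which is why a rule added by semanage overrides the policy default; the real libselinux lookup also considers file class and uses prefix stems for speed, both left out here.

```python
import re

# Constructed excerpt in the shape of the targeted policy's file_contexts.
# Assumption: the real policy carries the /var/lib/tftpboot rule (which is why
# restorecon alone relabelled the files in post #12); the rest is illustrative.
POLICY_RULES = [
    ("/.*",                     "default_t"),   # catch-all; listed first so later rules win
    ("/etc(/.*)?",              "etc_t"),
    ("/var/lib/tftpboot(/.*)?", "tftpdir_t"),
    ("/tftpboot(/.*)?",         "tftpdir_t"),
]


class FileContexts:
    """Model of the rule database that semanage edits and restorecon consults."""

    def __init__(self, policy_rules):
        self.rules = [(re.compile(p), t) for p, t in policy_rules]
        self.local = []  # what 'semanage fcontext -a -t TYPE PATTERN' appends

    def semanage_add(self, pattern, ftype):
        # Records a rule only; no file on disk is touched by this call.
        self.local.append((re.compile(pattern), ftype))

    def lookup(self, path):
        # Last matching rule wins, so local customisations override policy defaults.
        ftype = None
        for rx, t in self.rules + self.local:
            if rx.fullmatch(path):
                ftype = t
        return ftype


class Inode:
    """One file with its current on-disk SELinux type."""

    def __init__(self, path, ftype):
        self.path, self.ftype = path, ftype


def chcon(inode, ftype):
    # chcon rewrites the label on this inode only; the rules are untouched,
    # so the next restorecon puts the rule's type back.
    inode.ftype = ftype


def restorecon(db, inode):
    # restorecon sets the inode's type to the database answer for its path and
    # reports whether anything changed, as 'restorecon -v' prints it.
    want = db.lookup(inode.path)
    changed = want != inode.ftype
    inode.ftype = want
    return changed


def demo():
    """Replay the thread's sequence on a constructed file; returns (step, type) pairs."""
    db = FileContexts(POLICY_RULES)
    # Constructed file under a path the policy has no specific rule for, labelled
    # default_t as the file in the AVC denials above was.
    f = Inode("/srv/tftp/pxelinux.0", "default_t")
    trace = [("initial", f.ftype)]
    chcon(f, "tftpdir_t")                                 # works for the moment ...
    trace.append(("after chcon", f.ftype))
    restorecon(db, f)                                     # ... but is undone: only /.* matches
    trace.append(("after restorecon, no rule", f.ftype))
    db.semanage_add("/srv/tftp(/.*)?", "tftpdir_t")       # rule recorded, disk unchanged
    trace.append(("after semanage, rule only", f.ftype))
    restorecon(db, f)                                     # now the rule is applied
    trace.append(("after restorecon, rule applied", f.ftype))
    return trace


if __name__ == "__main__":
    for step, ftype in demo():
        print(f"{step:32} {ftype}")
    db = FileContexts(POLICY_RULES)
    print("policy default for /var/lib/tftpboot/pxelinux.0:",
          db.lookup("/var/lib/tftpboot/pxelinux.0"))
```

The trace shows the order that matters in practice: semanage first, restorecon second, and chcon only for a one-off change you are willing to lose at the next relabel. On a real host the equivalent check before relabelling is `matchpathcon <path>`, which prints what the database would assign.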
 
  


All times are GMT -5.
