selinux enforcing mode preventing download of file
Hi all
I am trying to set up a PXE server. When I try to boot using a boot CD it sees the PXE server fine, but I get the below error Code:
booting from filename "pxelinux.0"
Thanks |
First thing first,
Permissive mode of SELinux means SELinux just logs messages instead of denials. Enforcing mode means that SELinux denies actions and logs messages. Permissive mode is a good thing to prepare all policies from the audit log. Run your system with SELinux in permissive mode and use the 'sealert' tool to see what was wrong. After that set SELinux boolean values on/off or build your own policies. The sealert tool offers common solutions to disable denials that are detected by setroubleshootd (in the log). |
Quote:
I have this message in /var/log/messages Code:
kernel: type=1400 audit(1327440002.687:45): avc: denied { relabelto } for pid=3872 comm="chcon" name="pxelinux.0" dev=sda2 ino=16207 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_t:s0 tclass=file |
What kind of policy do you use? targeted, mls, mcs, other?
Better to see 'sealert' or 'sealert -l /var/log/audit/audit.log' :-) |
Tried again and monitored /var/log/messages
Code:
kernel: type=1400 audit(1327442430.112:52): avc: denied { read } for pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file |
Look for /var/log/audit/audit.log |
Quote:
Code:
type=AVC msg=audit(1327443555.129:75): avc: denied { read } for pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file |
It seems the pxelinux.0 file has a wrong SELinux context. Also, as 'sealert -a /var/log/audit/audit.log' says, it offers two possibilities for how to solve it: Code:
SELinux is preventing dnsmasq from read access on the file pxelinux.0.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp |
Quote:
Hi again. Really, really appreciate all the help you're giving me. First question, where did you find the list of all those fcontexts, or are they called labels? I did "semanage fcontext -a -t tftpdir_rw_t" on all files in my tftpboot/ directory and the PXE process booted up fine. |
All SELinux types, domains and users are defined in the SELinux policy you are using. Probably you can use a policy tool such as seedit, or find it on a web page of policy documentation, or google it. When you use google, add the policy name into your search query ;-) |
Quote:
I had to create a new PXE server from scratch and this time I just did restorecon -v "filename" on all of the below Code:
[root@RHEL6 tftpboot]# ls -rltZ |
semanage sets the system to know the path of your 'tftpboot' (or any directory that you label by semanage) as type tftpdir_t.
The common way is to use a regular expression (such as /tftpboot/.* tftpdir_t) so any new file or directory in /tftpboot will always have the tftpdir_t SELinux context type, of course until you change it by semanage. On first use of semanage it just sets a rule so the system knows about the SELinux context; it does NOT change the current context of those files! You have to use 'restorecon' to restore the default context that you've set by semanage. If you want to change the context despite the semanage default rules, use the 'chcon' command (CLI), see 'man chcon'. I guess this explanation is sufficient enough for a beginning. |
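The denials quoted in this thread and the labeling fix described above, as an added example that is not part of the thread: a small Python parser for AVC denial lines (both the /var/log/messages and the audit.log forms) that pulls out the source and target types and maps a file carrying the fallback label default_t to the semanage fcontext plus restorecon steps. The /tftpboot path and the tftpdir_t type are assumptions taken from the thread, and the sample log lines are constructed from the ones posted.

```python
import re

# Constructed sample: the three AVC denials quoted in this thread, one in the
# kernel/syslog form from /var/log/messages and two in the type=AVC form of audit.log.
SAMPLE_LOG = """\
kernel: type=1400 audit(1327440002.687:45): avc: denied { relabelto } for pid=3872 comm="chcon" name="pxelinux.0" dev=sda2 ino=16207 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_t:s0 tclass=file
kernel: type=1400 audit(1327442430.112:52): avc: denied { read } for pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1327443555.129:75): avc: denied { read } for pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into its security-relevant fields; None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; the type is what fcontext rules decide.
    return {
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "tclass": kv.get("tclass"),
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
    }

def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

def suggest_fix(rec, tftp_root="/tftpboot"):
    """Map a denial to the labeling fix from the thread (tftp_root is an assumption)."""
    commands = [
        f"semanage fcontext -a -t tftpdir_t '{tftp_root}(/.*)?'",  # persistent rule
        f"restorecon -Rv {tftp_root}",  # apply it: semanage alone changes no label
    ]
    if rec["tclass"] == "file" and rec["ttype"] == "default_t":
        return "file carries the fallback label default_t", commands
    if "relabelto" in rec["perms"]:
        return "manual chcon relabel refused; use the policy's file type instead", commands
    return "no labeling fix known for this denial", []

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        reason, cmds = suggest_fix(rec)
        print(rec["comm"], rec["perms"], rec["stype"], "->", rec["ttype"], "|", reason, cmds)
```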