LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   selinux enforcing mode preventing download of file (https://www.linuxquestions.org/questions/linux-server-73/selinux-enforcing-mode-preventing-download-of-file-925513/)

ginda 01-24-2012 03:06 PM

selinux enforcing mode preventing download of file
 
Hi all

I am trying to set up a PXE server. When I try to boot using a boot CD it sees the PXE server fine, but I get the below error

Code:

booting from filename "pxelinux.0"
tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)
could not load tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)

When I set SELINUX to permissive it works fine. Any ideas, anyone? Any help will really be appreciated.

Thanks

MartinStrec 01-24-2012 03:33 PM

First thing first,

Permissive mode of SELinux means SELinux just logs messages instead of denying.
Enforcing mode means that SELinux denies actions and logs messages.

Permissive mode is a good thing to prepare all policies from auditlog.

Run your system with SELinux in permissive mode and use the 'sealert' tool to see what was wrong. After that, set SELinux boolean values on/off or build your own policies. The sealert tool offers common solutions to the denials that are detected by setroubleshootd (in the log).

ginda 01-24-2012 03:41 PM

Quote:

Originally Posted by MartinStrec (Post 4583457)
First thing first,

Permissive mode of SELinux means SELinux just logs messages instead of denying.
Enforcing mode means that SELinux denies actions and logs messages.

Permissive mode is a good thing to prepare all policies from auditlog.

Run your system with SELinux in permissive mode and use the 'sealert' tool to see what was wrong. After that, set SELinux boolean values on/off or build your own policies. The sealert tool offers common solutions to the denials that are detected by setroubleshootd (in the log).



I have this message in /var/log/messages

Code:

kernel: type=1400 audit(1327440002.687:45): avc:  denied  { relabelto } for  pid=3872 comm="chcon" name="pxelinux.0" dev=sda2 ino=16207 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_t:s0 tclass=file

MartinStrec 01-24-2012 03:47 PM

What kind of policy do you use? targeted, mls, mcs, other?

Better to see 'sealert' or 'sealert -l /var/log/audit/audit.log'
:-)

ginda 01-24-2012 03:58 PM

Quote:

Originally Posted by MartinStrec (Post 4583470)
What kind of policy do you use? targeted, mls, mcs, other?

Better to see 'sealert' or 'sealert -l /var/log/audit/audit.log'
:-)

I'm using targeted

ginda 01-24-2012 04:02 PM

Tried again and monitored /var/log/messages

Code:

kernel: type=1400 audit(1327442430.112:52): avc:  denied  { read } for  pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

MartinStrec 01-24-2012 04:03 PM

Look for /var/log/audit/audit.log

ginda 01-24-2012 04:20 PM

Quote:

Originally Posted by MartinStrec (Post 4583478)
Look for /var/log/audit/audit.log

I started auditd and monitored audit.log; it looks similar to what was coming in the messages log file

Code:

type=AVC msg=audit(1327443555.129:75): avc:  denied  { read } for  pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

Really appreciate all your help

MartinStrec 01-24-2012 04:27 PM

It seems the pxelinux.0 file has a wrong SELinux context,

as 'sealert -a /var/log/audit/audit.log' also says.
It offers two possibilities to solve it:

SELinux is preventing dnsmasq from read access on the file pxelinux.0.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'


***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
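
Added example, not from the thread and not part of the sealert output above: a small POSIX sh triage helper that pulls the fields out of AVC denial lines like the ones posted earlier (source domain, target type, permission, object) and flags the case sealert's catchall_labels plugin is pointing at, where the target carries a generic type that nobody set deliberately. The two sample lines are copied from this thread; the rule that default_t or unlabeled_t targets are "relabel, don't write policy" is our rule of thumb, not something the tool or the page states.

```shell
#!/bin/sh
# Added example (not from the thread or from sealert/setroubleshoot): triage
# AVC denial lines. Sample input is the two denials quoted in this thread,
# one with the "kernel:" prefix from /var/log/messages and one from audit.log.
SAMPLE_AVC='kernel: type=1400 audit(1327442430.112:52): avc:  denied  { read } for  pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1327440002.687:45): avc:  denied  { relabelto } for  pid=3872 comm="chcon" name="pxelinux.0" dev=sda2 ino=16207 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission(s) inside "{ ... }", e.g. "read"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:TYPE:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> one human-readable line per denial
avc_summary() {
    printf '%s (%s) denied %s on %s "%s" labeled %s\n' \
        "$(avc_field "$1" comm)" "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# avc_is_label_problem LINE -> exit 0 when the target carries a generic type
# (default_t, unlabeled_t), i.e. a file nobody labeled, which restorecon fixes.
# Rule of thumb (our assumption, not policy knowledge): a specific type such
# as dnsmasq_t or tftpdir_t was set on purpose, so the access itself needs
# a look rather than a relabel.
avc_is_label_problem() {
    case $(ctx_type "$(avc_field "$1" tcontext)") in
        default_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the sample and print a verdict for each denial
printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r avc_line; do
    avc_summary "$avc_line"
    if avc_is_label_problem "$avc_line"; then
        echo "  -> generic target label: relabel, e.g. restorecon -v '$(avc_field "$avc_line" name)'"
    else
        echo "  -> deliberate label: inspect with sealert -a /var/log/audit/audit.log"
    fi
done
```

On a live box the same functions work on `grep avc: /var/log/audit/audit.log` piped into the loop; the first sample line is classified as a labeling problem (target default_t), the second (the chcon attempt on a dnsmasq_t file) is not.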

ginda 01-25-2012 07:27 AM

Quote:

Originally Posted by MartinStrec (Post 4583494)
It seems the pxelinux.0 file has a wrong SELinux context,

as 'sealert -a /var/log/audit/audit.log' also says.
It offers two possibilities to solve it:

SELinux is preventing dnsmasq from read access on the file pxelinux.0.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'


***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp



Hi again

Really, really appreciate all the help you're giving me.

First question: where did you find the list of all those fcontexts, or are they called labels?

I did "semanage fcontext -a -t tftpdir_rw_t" on all files in my tftpboot/ directory and the pxe process booted up fine.

MartinStrec 01-25-2012 09:50 AM

All SELinux types, domains and users are defined in the SELinux policy you are using. You can probably use a policy tool such as seedit, find it on a policy documentation website, or google it. When you use google, add the policy name to your search query ;-)

ginda 01-25-2012 02:29 PM

Quote:

Originally Posted by MartinStrec (Post 4584124)
All SELinux types, domains and users are defined in the SELinux policy you are using. You can probably use a policy tool such as seedit, find it on a policy documentation website, or google it. When you use google, add the policy name to your search query ;-)

Hi again

I had to create a new PXE server from scratch, and this time I just did restorecon -v "filename" on all of the below

Code:

[root@RHEL6 tftpboot]# ls -rltZ
-rw-r--r--. root root system_u:object_r:tftpdir_t:s0  menu.c32
-rw-r--r--. root root system_u:object_r:tftpdir_t:s0  pxelinux.0
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0  images
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0  pxelinux.cfg

and it automatically set it to tftpdir_t from default_t. How was this possible without doing the semanage part you showed me earlier?

MartinStrec 01-25-2012 03:01 PM

semanage lets the system know that the path of your 'tftpboot' (or any directory that you label by semanage) is of type tftpdir_t.

The common way is to use a regular expression (such as /tftpboot/.* tftpdir_t),
so any new file or directory in /tftpboot will always be of the tftpdir_t SELinux context type, of course until you change it by semanage.

On the first use of semanage, it just sets a rule so the system knows about the SELinux context; it does NOT change the current context of those files!
You have to use 'restorecon' to restore the default context that you've set by semanage.

If you want to change the context despite the semanage default rules, use the 'chcon' command (CLI); see 'man chcon'.

I guess this explanation is sufficient enough for a beginning.
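
Added example, not part of the thread: the check and the fix that the semanage/restorecon/chcon explanation above amounts to, as a POSIX sh script. It parses an `ls -lZ`-style listing of the tftpboot directory for entries that do not carry tftpdir_t, then prints the two commands in the order the post gives them (the semanage rule first, restorecon to apply it second). The listing format is the RHEL 6 `ls -lZ` layout shown earlier in the thread (mode, owner, group, context, name); the extra vmlinuz entry labeled default_t and the /var/lib/tftpboot path are our assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the thread): find mislabeled tftpboot entries and
# emit the semanage + restorecon fix. Listing format assumed: the RHEL 6
# "ls -lZ" columns seen in the thread. The vmlinuz line (wrongly default_t)
# and the /var/lib/tftpboot default are constructed for the demo.
TFTP_ROOT=${TFTP_ROOT:-/var/lib/tftpboot}
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:tftpdir_t:s0  menu.c32
-rw-r--r--. root root system_u:object_r:tftpdir_t:s0  pxelinux.0
-rw-r--r--. root root unconfined_u:object_r:default_t:s0  vmlinuz
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0  images
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0  pxelinux.cfg'

# ls_z_type ENTRY -> SELinux type from the context column (user:role:TYPE:level)
ls_z_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# ls_z_name ENTRY -> file name (last column; names with spaces not handled)
ls_z_name() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# mislabeled LISTING TYPE -> "name (actual_type)" for each entry not of TYPE
mislabeled() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        actual=$(ls_z_type "$entry")
        [ "$actual" = "$2" ] || printf '%s (%s)\n' "$(ls_z_name "$entry")" "$actual"
    done
}

# label_fix_plan DIR TYPE -> the two commands, rule first, relabel second.
# semanage only records the rule; restorecon -R applies it to the existing
# tree. The regex covers DIR and everything below it, so a later restorecon
# also fixes files dropped in with the wrong label (and equally reverts any
# chcon done by hand, which is the chcon caveat from the post).
label_fix_plan() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf "restorecon -Rv '%s'\n" "$1"
}

echo "Entries under $TFTP_ROOT not labeled tftpdir_t:"
mislabeled "$SAMPLE_LS_Z" tftpdir_t
echo "Fix (run as root on the SELinux host):"
label_fix_plan "$TFTP_ROOT" tftpdir_t
# Apply for real only when explicitly asked and the SELinux tools exist
if [ "${APPLY:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
    label_fix_plan "$TFTP_ROOT" tftpdir_t | sh -ex
fi
```

Without APPLY=1 the script only reports; with it, on a host that has semanage, it runs the two commands. Afterwards `ls -lZ` on the directory should show every entry as tftpdir_t, which is exactly what the restorecon run earlier in the thread produced.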

