selinux enforcing mode preventing download of file

ginda · 01-24-2012, 03:06 PM

Hi all

I am trying to set up a PXE server. When i try to boot using a boot CD it see's the PXE server fine, but i get the below error

Code:

booting from filename "pxelinux.0"
tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)
could not load tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)

When i set SELINUX to permissive it works fine? Any ideas anyone, any help will really be appreciated.

Thanks

MartinStrec · 01-24-2012, 03:33 PM

First thing first,

permissive mode of SELinux, it means just SELinux logs messages instead of denials.
enforcing mode means that SELinux denials actions and logs messages.

Permissive mode is a good thing to prepare all policies from auditlog.

Run your system with SELinux in permissive mode and use 'sealert' tool to see what was wrong. After that set on/off SELinux boolean values or build own policies. sealert tool offers common solutions to disable denials that are detected by setroublehootd (in log).

ginda · 01-24-2012, 03:41 PM

Quote:

Originally Posted by MartinStrec

First thing first,

permissive mode of SELinux, it means just SELinux logs messages instead of denials.
enforcing mode means that SELinux denials actions and logs messages.

Permissive mode is a good thing to prepare all policies from auditlog.

Run your system with SELinux in permissive mode and use 'sealert' tool to see what was wrong. After that set on/off SELinux boolean values or build own policies. sealert tool offers common solutions to disable denials that are detected by setroublehootd (in log).

I have this message in /var/log/messages

Code:

kernel: type=1400 audit(1327440002.687:45): avc:  denied  { relabelto } for  pid=3872 comm="chcon" name="pxelinux.0" dev=sda2 ino=16207 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_t:s0 tclass=file

MartinStrec · 01-24-2012, 03:47 PM

What kind of policy do you use? targeted, mls, mcs, other?

Better to see 'sealert' or 'sealert -l /var/log/audit/audit.log'
:-)

ginda · 01-24-2012, 03:58 PM

Quote:

Originally Posted by MartinStrec

What kind of policy do you use? targeted, mls, mcs, other?

Better to see 'sealert' or 'sealert -l /var/log/audit/audit.log'
:-)

Im using targeted

ginda · 01-24-2012, 04:02 PM

tried again and monitored /var/log/messages

Code:

kernel: type=1400 audit(1327442430.112:52): avc:  denied  { read } for  pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

MartinStrec · 01-24-2012, 04:03 PM

Look for /var/log/audit/audit.log

ginda · 01-24-2012, 04:20 PM

Quote:

Originally Posted by MartinStrec

Look for /var/log/audit/audit.log

I started auditd and monitored audit.log, looks similiar to what was coming in messages log file

Code:

type=AVC msg=audit(1327443555.129:75): avc:  denied  { read } for  pid=2729 comm="dnsmasq" name="pxelinux.0" dev=sda2 ino=16317 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

really appriciate all your help

MartinStrec · 01-24-2012, 04:27 PM

It seams pxelinux.0 file has a wrong SELinux context

as well as it says 'sealert -a /var/log/audit/audit.log'
it offers two possibilities how to solve:

SELinux is preventing dnsmasq from read access on the file pxelinux.0.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

ginda · 01-25-2012, 07:27 AM

Quote:

Originally Posted by MartinStrec

It seams pxelinux.0 file has a wrong SELinux context

as well as it says 'sealert -a /var/log/audit/audit.log'
it offers two possibilities how to solve:

SELinux is preventing dnsmasq from read access on the file pxelinux.0.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

Hi again

Really really appriciate all the help your giving me.

First question, where did you find the list of all those fcontext or are they called labels?

I did "semanage fcontext -a -t tftpdir_rw_t" on all files in my tftpboot/ directory and the pxe process booted up fine.

MartinStrec · 01-25-2012, 09:50 AM

All SELinux types, domains and users are defined in the SELinux policy you are using. Probably you can use a policy tool such as seedit or find it on a web of policy documentation or google it. When you use google, add the policy name into your search query ;-)

ginda · 01-25-2012, 02:29 PM

Quote:

Originally Posted by MartinStrec

All SELinux types, domains and users are defined in the SELinux policy you are using. Probably you can use a policy tool such as seedit or find it on a web of policy documentation or google it. When you use google, add the policy name into your search query ;-)

Hi again

I had to create a new pxe server from scratch and this time i just did restorecon -v "filename" on all of the below

Code:

[root@RHEL6 tftpboot]# ls -rltZ
-rw-r--r--. root root system_u:object_r:tftpdir_t:s0   menu.c32
-rw-r--r--. root root system_u:object_r:tftpdir_t:s0   pxelinux.0
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0   images
drwxr-xr-x. root root system_u:object_r:tftpdir_t:s0   pxelinux.cfg

and it automatically set it to tftpdir_t from default_t how was this possible without doing the semanage part you showed me earlier?

MartinStrec · 01-25-2012, 03:01 PM

semanage set system to know the path of your 'tftpboot' (or any directory that you label by semange) to type tftpdir_t

the common way is to use a regular expression (such as /tftboot/.* tftpdir_t)
so any new file or directory in /tftboot will ever be tftpdir_t selinux context type, of course until you change it by semanage

While the first use of semanage, it just set a rule to know the system about selinux context even it does NOT change the current context of those file!
You has to use 'restorecon' to restore default context that you've set by semange.

If you want to change context despite semanage default rules, use 'chcon' command (CLI), see 'man chcon'.

I guess this explanation is sufficient for beginning enough.