selinux enforcing mode preventing download of file
Hi all
I am trying to set up a PXE server. When I try to boot using a boot CD it sees the PXE server fine, but I get the error below:
Code:
booting from filename "pxelinux.0"
tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)
could not load tftp://192.168.1.10/pxelinux.0. permission denied (0x0212603c)
When I set SELINUX to permissive it works fine. Any ideas, anyone? Any help will really be appreciated.
In permissive mode, SELinux just logs messages instead of denying actions.
In enforcing mode, SELinux denies actions and logs messages.
Permissive mode is a good way to prepare all policies from the audit log.
Run your system with SELinux in permissive mode and use the 'sealert' tool to see what was wrong. After that, set SELinux boolean values on/off or build your own policies. The sealert tool offers common solutions to the denials that are detected by setroubleshootd (in the log).
If you want to allow dnsmasq to have read access on the pxelinux.0 file
Then you need to change the label on pxelinux.0
Do
# semanage fcontext -a -t FILE_TYPE 'pxelinux.0'
where FILE_TYPE is one of the following: virt_var_lib_t, virt_var_run_t, dnsmasq_var_run_t, system_dbusd_var_lib_t, ld_so_cache_t, cert_t, cobbler_var_lib_t, dnsmasq_var_log_t, sssd_public_t, locale_t, etc_t, proc_t, sysfs_t, tftpdir_rw_t, krb5_conf_t, abrt_var_run_t, udev_tbl_t, fail2ban_var_lib_t, dnsmasq_exec_t, dnsmasq_lease_t, sysctl_crypto_t, tftpdir_t, dbusd_etc_t, user_cron_spool_t, abrt_t, lib_t, dnsmasq_t, afs_cache_t, abrt_helper_exec_t, NetworkManager_var_run_t, samba_var_t, ld_so_t, net_conf_t, textrel_shlib_t, etc_runtime_t, sysctl_kernel_t, crond_var_run_t, rpm_script_tmp_t, pppd_var_run_t, dnsmasq_etc_t, root_t.
Then execute:
restorecon -v 'pxelinux.0'
If you believe that dnsmasq should be allowed read access on the pxelinux.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
All SELinux types, domains and users are defined in the SELinux policy you are using. You can probably use a policy tool such as seedit, find it in the policy documentation on the web, or google it. When you use google, add the policy name to your search query ;-)
Hi again
I had to create a new PXE server from scratch and this time I just did restorecon -v "filename" on all of the below
semanage sets the system to know the path of your 'tftpboot' (or any directory that you label by semanage) as type tftpdir_t.
The common way is to use a regular expression (such as /tftpboot/.* tftpdir_t),
so any new file or directory in /tftpboot will always get the tftpdir_t SELinux context type, of course until you change it by semanage.
The first use of semanage just sets a rule so that the system knows about the SELinux context; it does NOT change the current context of those files!
You have to use 'restorecon' to restore the default context that you've set by semanage.
If you want to change the context despite the semanage default rules, use the 'chcon' command (CLI), see 'man chcon'.
I guess this explanation is sufficient for a beginning.
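A worked version of the relabel-and-verify procedure from the sealert output and the post above, added here as an example and not code from the thread. It assumes the TFTP root is /tftpboot, that tftpdir_t is the type dnsmasq's TFTP server may read, and that `ls -Z` on recent coreutils prints the context before the name; the sample listing is constructed. The semanage rule only records the label; restorecon is what rewrites it on existing files.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a /tftpboot TFTP root served by
# dnsmasq and tftpdir_t as the type it may read (both as in the thread).
TFTP_ROOT="${TFTP_ROOT:-/tftpboot}"
WANT_TYPE="tftpdir_t"

# Record the rule (semanage only stores it; use -m instead of -a if a rule for
# this path already exists), then apply it to existing files with restorecon.
# Needs root and the semanage tool; not run by the self-check below.
label_tftp_root() {
    semanage fcontext -a -t "$WANT_TYPE" "${TFTP_ROOT}(/.*)?" &&
    restorecon -Rv "$TFTP_ROOT"
}

# Read `ls -Z`-style lines on stdin ("user:role:type:level name"), print the
# name of every entry whose type is not WANT_TYPE, and return 1 if any was found.
# The name is taken as the second field, so names with spaces are not handled.
find_mislabeled() {
    awk -v want="$WANT_TYPE" '
        { split($1, ctx, ":"); if (ctx[3] != want) { print $2; bad = 1 } }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample of `ls -Z /tftpboot`: pxelinux.0 was moved in with mv from
# /root, so it kept admin_home_t, which the dnsmasq domain is not allowed to read.
SAMPLE='system_u:object_r:tftpdir_t:s0 ldlinux.c32
unconfined_u:object_r:admin_home_t:s0 pxelinux.0
system_u:object_r:tftpdir_t:s0 pxelinux.cfg'

# Self-check against the sample; on a real host use: ls -Z "$TFTP_ROOT" | find_mislabeled
check_sample() {
    printf '%s\n' "$SAMPLE" | find_mislabeled
}

if [ "${1:-}" = "--fix" ]; then
    label_tftp_root
else
    echo "entries in the sample listing not labeled $WANT_TYPE:"
    check_sample || echo "fix: add the semanage fcontext rule and run restorecon (--fix)"
fi
```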