Ole Ersoy wrote:
> Hi,
>
> I'm trying out cobbler on Fedora 10. I noticed that SELinux denies cobbler
> access to:
>
> ./menu.c32
>
> Also I see the following in the log:
>
> Dec 4 16:15:03 ole setroubleshoot: SELinux is preventing in.tftpd (tftpd_t)
> "read" to ./vmlinuz-PAE (httpd_sys_content_t). For complete SELinux messages.
> run sealert -l ed35d123-47b4-4dee-89ee-ccb9e95497b4
>
> This caused the pxe booting to spin constantly printing the message:
> Could not find kernel image: /images/fedora10-i386/vmlinuz-PAE
>
> After disabling SELinux everything worked fine.
>
> I pasted the selinux summary below. Please let me know if I should add a
> ticket for this. I did run the command:
> setsebool -P httpd_can_network_connect true
>
> prior to attempting the run.
>
> Below is the summary of the ./menu.c32 denial.
>
> Cheers,
> Ole
>
> Summary:
>
> SELinux is preventing in.tftpd (tftpd_t) "read" to ./menu.c32 (var_lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by in.tftpd. It is not expected that this
> access is required by in.tftpd and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for ./menu.c32,
>
> restorecon -v './menu.c32'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context       system_u:system_r:tftpd_t:s0-s0:c0.c1023
> Target Context       system_u:object_r:var_lib_t:s0
> Target Objects       ./menu.c32 [ file ]
> Source               in.tftpd
> Source Path          /usr/sbin/in.tftpd
> Port                 <Unknown>
> Source RPM Packages  tftp-server-0.48-6.fc10
> Target RPM Packages
> Policy RPM           selinux-policy-3.5.13-26.fc10
> Selinux Enabled      True
> Policy Type          targeted
> MLS Enabled          True
> Enforcing Mode       Enforcing
> Plugin Name          catchall_file
> Alert Count          4
> First Seen           Thu 04 Dec 2008 03:23:19 PM CST
> Last Seen            Thu 04 Dec 2008 03:54:57 PM CST
> Local ID             be33bc6a-3d9c-47bb-8451-8deb16997450
> Line Numbers
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
>
Appreciate the report, changing SELinux policies is always fun.

Can you please file a bug at http://fedorahosted.org/cobbler ?

(Accounts: https://admin.fedoraproject.org/accounts)

We can probably get this in for 1.4.0, if not, a fix release shortly after.

Thanks!

--Michael
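Added example, not part of the original thread and not cobbler code: a small Python parser for the setroubleshoot syslog lines quoted above that groups denials by source domain and target file type, which makes it easy to see which labels the files served by in.tftpd carry. The function names and the sample log are constructed for illustration; the second log entry is rebuilt from the sealert summary in the report.

```python
import re
from collections import defaultdict

# Constructed sample log. The first entry is the line quoted in the thread; the
# second is rebuilt from the sealert summary (timestamp and ID taken from it).
SAMPLE_LOG = """\
Dec 4 16:15:03 ole setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz-PAE (httpd_sys_content_t). For complete SELinux messages. run sealert -l ed35d123-47b4-4dee-89ee-ccb9e95497b4
Dec 4 15:54:57 ole setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "read" to ./menu.c32 (var_lib_t). For complete SELinux messages. run sealert -l be33bc6a-3d9c-47bb-8451-8deb16997450
Dec 4 16:15:04 ole kernel: eth0: link up
"""

# Matches: preventing <comm> (<domain>) "<perm>" to <target> (<type>). ... sealert -l <uuid>
DENIAL_RE = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<comm>\S+) \((?P<domain>\w+)\) '
    r'"(?P<perm>[^"]+)" to (?P<target>.+?) \((?P<ttype>\w+)\)\.'
    r'(?:.*sealert -l (?P<alert_id>[0-9a-f-]{36}))?'
)

def parse_denials(log_text):
    """Return one dict per setroubleshoot denial line; other lines are skipped."""
    return [m.groupdict() for m in map(DENIAL_RE.search, log_text.splitlines()) if m]

def group_by_target_type(denials):
    """Map (source domain, permission) -> {target type: sorted file names}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for d in denials:
        grouped[(d["domain"], d["perm"])][d["ttype"]].add(d["target"])
    return {k: {t: sorted(f) for t, f in v.items()} for k, v in grouped.items()}

def report(log_text):
    """Build a short text summary plus the sealert commands for full details."""
    denials = parse_denials(log_text)
    lines = []
    for (domain, perm), by_type in sorted(group_by_target_type(denials).items()):
        lines.append(f"{domain} denied '{perm}' on {len(by_type)} target type(s):")
        for ttype, files in sorted(by_type.items()):
            lines.append(f"  {ttype}: {', '.join(files)}")
    for alert_id in sorted({d["alert_id"] for d in denials if d["alert_id"]}):
        lines.append(f"details: sealert -l {alert_id}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, the summary shows tftpd_t denied "read" on two different file types, httpd_sys_content_t and var_lib_t, one per file named in the report.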
