Michael DeHaan wrote:
> I've been doing a good amount of testing with Cobbler on SELinux, and
> basically there are a few things that have been changed:
>
> (A) Anton's patch to do the SELinux contexts for koan LVM partitions
> (B) Closing file descriptors any time there is a subprocess call
> (close_fds=True) throughout cobbler.
> (C) Calling restorecon in various copies within cobbler to ensure
> tftpboot context (among other things) is correct.
>
> Combining all of these changes together should make Cobbler + koan SELinux
> happy again. When testing, you are encouraged to run in permissive mode
> (strict if you like) and also have setroubleshoot installed.
>
> The goal should be that there are /no/ warnings from setroubleshoot
> whatsoever from running any Cobbler or koan operation. If you see any,
> let us know.
>
> This worked nicely for previous Cobbler versions on older OSes, but as
> SELinux grows in scope and the policy changes, it's important to keep an
> eye out for these things -- especially because Cobbler is glue between a
> lot of different things that all need to play nice with one another.
>
> Thanks!
>
> --Michael
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
It's actually more complicated than just this. Before we were symlinking if possible (or hardlinking, if possible) content between the source (anywhere on any accessible filesystem) and /var/www and /var/lib/tftpboot or /tftpboot. Tftpboot can't do symlinks because it's chroot -- but you get the basic idea.

It turns out that SELinux needs the correct content on the source as well as the links, and in the case of linking, we need public_content_t. Except public_content_t is not present in RHEL 4. Hence, some interesting workarounds in utils.py are needed. We need something more advanced than just restorecon.

The new behavior, which I'm working on, is to set the permission of the source content to public_content_t if not on RHEL 4, and if on RHEL 4, avoid symlinking and hardlinking when SELinux is enabled (which will take up more space) -- however it will ensure SELinux correctness (knock on silicon) on all platforms. In either case, also ensure the correct content type of the symlinks themselves via restorecon.

--Michael
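The link-versus-copy policy described in the message above, written out as an added example (this is not Cobbler's utils.py; function names such as `plan_publish` and `apply_plan` are hypothetical). It assumes the caller already knows whether SELinux is enabled and whether the host is RHEL 4, and it separates "decide what to do" from "do it" so the policy can be checked without a labelled filesystem. The subprocess calls use `close_fds=True`, as item (B) of the quoted message describes, so that `chcon`/`restorecon` do not inherit sockets or log handles from the parent.

```python
"""Added example (not Cobbler's own code): model the SELinux-aware
publish policy from the mailing-list message.

  * SELinux on, not RHEL 4: relabel the source public_content_t, link,
    then restorecon the link so the destination directory's context wins.
  * SELinux on, RHEL 4: public_content_t does not exist in that policy,
    so fall back to a real copy (costs disk) and let restorecon label it.
  * SELinux off: plain symlink/hardlink, no relabelling at all.

Assumption: the caller passes selinux_on / is_rhel4 explicitly.
"""
import os
import shutil
import subprocess
from typing import List, Tuple

PUBLIC_T = "public_content_t"   # absent from the RHEL 4 policy
Step = Tuple[str, ...]


def plan_publish(src: str, dst: str, *, selinux_on: bool, is_rhel4: bool,
                 dst_is_tftp: bool = False) -> List[Step]:
    """Return the ordered steps needed to expose src at dst."""
    steps: List[Step] = []
    if selinux_on and not is_rhel4:
        # label the source so httpd/tftpd may read it through the link
        steps.append(("chcon", "-t", PUBLIC_T, src))
    can_link = not (selinux_on and is_rhel4)
    if not can_link:
        op = "copy"
    elif dst_is_tftp:
        op = "hardlink"   # in.tftpd chroots, so a symlink out of the root is dead
    else:
        op = "symlink"
    steps.append((op, src, dst))
    if selinux_on:
        # fix the context of the link/copy itself, not just the source
        steps.append(("restorecon", dst))
    return steps


def run_cmd(argv: List[str]) -> None:
    """Run a helper with inherited descriptors closed (close_fds=True)."""
    subprocess.check_call(argv, close_fds=True)


def apply_plan(steps: List[Step]) -> List[str]:
    """Execute the plan; returns the list of operation names performed."""
    done: List[str] = []
    for step in steps:
        op = step[0]
        if op == "chcon":
            run_cmd(list(step))
        elif op == "restorecon":
            run_cmd(["restorecon", step[1]])
        else:
            src, dst = step[1], step[2]
            if os.path.lexists(dst):
                os.remove(dst)          # replace stale link or copy
            if op == "symlink":
                os.symlink(src, dst)
            elif op == "hardlink":
                os.link(src, dst)
            elif op == "copy":
                shutil.copy2(src, dst)
            else:
                raise ValueError("unknown step %r" % (op,))
        done.append(op)
    return done
```

Running `plan_publish` first and logging the returned steps makes the relabel/copy decision visible in the Cobbler logs before anything touches /var/www or the tftp root, which is what you want when chasing a setroubleshoot denial.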
