Michael DeHaan wrote:
> Michael DeHaan wrote:
>> I've been doing a good amount of testing with Cobbler on SELinux, and
>> basically there are a few things that have been changed:
>>
>> (A) Anton's patch to do the SELinux contexts for koan LVM partitions
>> (B) Closing file descriptors any time there is a subprocess call
>> (close_fds=True) throughout cobbler.
>> (C) Calling restorecon in various copies within cobbler to ensure
>> tftpboot context (among other things) is correct.
>>
>> Combining all of these changes together should make Cobbler + koan
>> SELinux happy again. When testing, you are encouraged to run in
>> permissive mode (strict if you like) and also have
>> setroubleshoot installed.
>>
>> The goal should be that there are /no/ warnings from setroubleshoot
>> whatsoever from running any Cobbler or koan operation. If you see
>> any, let us know.
>>
>> This worked nicely for previous Cobbler versions on older OS's, but
>> as SELinux grows in scope and the policy changes, it's important to
>> keep an eye out for these things -- especially because Cobbler is
>> glue between a lot of different things that all need to play nice
>> with one another.
>>
>> Thanks!
>>
>> --Michael
>> _______________________________________________
>> cobbler mailing list
>> [email protected]
>> https://fedorahosted.org/mailman/listinfo/cobbler
>
> It's actually more complicated than just this.
>
> Before we were symlinking if possible (or hardlinking, if possible)
> content between the source (anywhere on any accessible filesystem) and
> /var/www and /var/lib/tftpboot or /tftpboot. Tftpboot can't do
> symlinks because it's chroot -- but you get the basic idea. It turns
> out that SELinux needs the correct content on the source as well as
> the links, and in the case of linking, we need public_content_t.
> Except public_content_t is not present in RHEL 4. So some
> interesting workarounds in utils.py are needed. We need something more
> advanced than just restorecon.
>
> The new behavior, which I'm working on, is to set the permission of
> the source content to public_content_t if not on RHEL 4, and if on
> RHEL 4, avoid symlinking and hardlinking when SELinux is enabled
> (which will take up more space) -- however it will ensure SELinux
> correctness (knock on silicon) on all platforms. In either case, also
> ensure the correct content type of the symlinks themselves via
> restorecon.
>
> --Michael
>
>
I've now made these changes on the devel branch. Folks with EL 4 or EL 5
who are interested in contributing some testing may want to try out
Cobbler with SELinux enabled/permissive on EL 4.

There is code in utils.py to remove some hardlinking when needed on EL 4
to enable the restorecon operations to be sent down as needed, since
there is no public_content_t type but only tftpdir_t and
httpd_sys_content_t.

I'll also pound on this tomorrow.
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
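The link-versus-copy policy described in this thread (link and label the source public_content_t where that type exists; fall back to copying on EL 4 so restorecon can hand each destination its own tftpdir_t or httpd_sys_content_t label; run relabel helpers with close_fds=True), as an added example. This is not Cobbler's own utils.py code: the function names plan_publish, publish and demo, the chcon invocation, the dry_run switch and the sample kernel file are all assumptions made here for illustration.

```python
"""Added example, not Cobbler's utils.py: pick link or copy for content
going into /var/www or /var/lib/tftpboot so SELinux labels come out
right, then relabel.  Helper names and the dry_run switch are assumed."""
import os
import shutil
import subprocess
import tempfile

SHARED_TYPE = "public_content_t"   # present on EL 5, absent on EL 4


def plan_publish(selinux_enabled, has_public_content_t):
    """Return ("link", label_for_source) or ("copy", None).

    With SELinux off, linking is always fine.  With SELinux on, a hard
    link shares the source's inode and therefore its label, so the
    source itself must be public_content_t; where that type does not
    exist (EL 4) the only safe choice is a copy, which restorecon can
    give its own tftpdir_t or httpd_sys_content_t label.
    """
    if not selinux_enabled:
        return ("link", None)
    if has_public_content_t:
        return ("link", SHARED_TYPE)
    return ("copy", None)


def run(cmd, dry_run):
    """Run a relabel helper with close_fds=True (point B in the thread)
    so the child never inherits cobbler's open descriptors."""
    if not dry_run:
        subprocess.call(cmd, close_fds=True)
    return list(cmd)


def publish(src, dst, selinux_enabled, has_public_content_t,
            use_symlink=False, dry_run=False):
    """Place src at dst; return (mode used, relabel commands issued)."""
    mode, src_label = plan_publish(selinux_enabled, has_public_content_t)
    issued = []
    if os.path.lexists(dst):
        os.remove(dst)
    if mode == "link":
        try:
            if use_symlink:
                os.symlink(src, dst)
            else:
                os.link(src, dst)
        except OSError:
            mode = "copy"          # e.g. EXDEV: source on another filesystem
    if mode == "copy":
        shutil.copy2(src, dst)
    elif src_label:
        # Linked: the source must carry the shared type or httpd/tftpd
        # are denied on it.  chcon invocation is an assumption.
        issued.append(run(["chcon", "-t", src_label, src], dry_run))
    if selinux_enabled and (mode == "copy" or use_symlink):
        # Copies, and the symlinks themselves, take their label from the
        # file-context rules for the destination path.
        issued.append(run(["restorecon", dst], dry_run))
    return mode, issued


def demo(selinux_enabled, has_public_content_t, use_symlink=False):
    """Publish a constructed sample file inside a temp dir (dry run, so
    no chcon/restorecon is executed) and report what happened."""
    tmp = tempfile.mkdtemp()
    try:
        src = os.path.join(tmp, "ks_mirror", "vmlinuz")
        dst = os.path.join(tmp, "tftpboot", "images", "vmlinuz")
        os.makedirs(os.path.dirname(src))
        os.makedirs(os.path.dirname(dst))
        with open(src, "wb") as f:
            f.write(b"constructed sample kernel image")
        mode, issued = publish(src, dst, selinux_enabled,
                               has_public_content_t, use_symlink, dry_run=True)
        return (mode, os.lstat(dst).st_nlink, os.path.islink(dst),
                [c[0] for c in issued])
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("EL 5, SELinux on:", demo(True, True))
    print("EL 4, SELinux on:", demo(True, False))
    print("SELinux off     :", demo(False, False))
```

The returned tuple is (mode, link count of the destination, whether it is a symlink, relabel commands). On the EL 4 path the destination has a link count of 1 and only restorecon is issued; on the EL 5 path a hard link (link count 2) is made and the source is relabelled instead.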
