James Laska wrote:
> On Tue, 2008-12-16 at 08:24 -0500, James Laska wrote:
>> On Mon, 2008-12-15 at 18:04 -0500, Michael DeHaan wrote:
>>> I've now made these changes on the devel branch.
>>>
>>> Folks with EL 4 or EL 5 who are interested in contributing some testing
>>> may want to try out Cobbler with SELinux enabled/permissive on EL 4.
>>>
>>> There is code in utils.py to remove some hardlinking when needed on EL 4
>>> to enable the restorecon operations to be sent down as needed, since
>>> there is no public_content_t type but only tftpdir_t and httpd_sys_content_t.
>>
>> Using freshly built packages from the devel branch results in a lot of
>> chcon failures while attempting to change the context of my NFS-mounted
>> storage ...
>>
>> # cobbler sync
>> ...
>> chcon operation failed: ['/usr/bin/chcon', '-t', 'public_content_t', '/mnt/engarchive2/released/F-10/GOLD/Fedora/i386/os/images/pxeboot/vmlinuz-PAE']
>> /usr/bin/chcon: failed to change context of `/mnt/engarchive2/released/F-8/GOLD/Fedora/ppc/os/ppc/ppc32/vmlinuz' to `system_u:object_r:public_content_t:s0': Read-only file system
>> chcon operation failed: ['/usr/bin/chcon', '-t', 'public_content_t', '/mnt/engarchive2/released/F-8/GOLD/Fedora/ppc/os/ppc/ppc32/vmlinuz']
>>
>> I have the following SELinux NFS-related booleans [un]set:
>>
>> httpd_use_nfs --> on
>> nfs_export_all_ro --> on
>> nfs_export_all_rw --> on
>> qemu_use_nfs --> on
>> virt_use_nfs --> off
>
> More info ...
>
> Unless otherwise specified on the command line or in /etc/fstab, I believe
> NFS mounts get the context nfs_t.
>
> Do we need to check if the files are hosted on a local vs. remote
> filesystem before calling `chcon`?
>
> Thanks,
> James
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
Yes, we do. Excellent catch.

There's a problem, however, in that if the content lives on NFS (which it might), we can't symlink to it from tftpboot and /var/www for the image files; we have to copy them, as they must be public_content_t (or tftpdir_t and httpd_sys_content_t in the case of EL 4). Basically, if the file is remote we can't chcon it.

Getting all of the edge cases right for SELinux is insanely complicated.

--Michael
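The local-vs-remote check James asks for and Michael agrees is needed can be made without touching the files at all: resolve the path to its mount-table entry and skip chcon when the filesystem type is a network one (where the whole mount carries one context such as nfs_t and per-file relabeling cannot stick) or the mount is read-only (the "Read-only file system" error in the log above). The code below is an added illustration written for this thread, not cobbler's utils.py or any code by the participants. The /proc/mounts table it parses is constructed sample data (the device names and address are made up), the /var/www/cobbler/images/... path is assumed as a typical local destination, and the function names (parse_mounts, mount_for_path, is_remote_path, is_readonly_path, chcon_if_local) are hypothetical.

```python
import os
import subprocess

# Filesystem types on which chcon cannot set a per-file SELinux label: the
# whole remote mount is presented with a single context (nfs_t for NFS by
# default), so any relabel attempt is pointless or fails outright.
REMOTE_FS_TYPES = {"nfs", "nfs4", "cifs", "smbfs", "afs", "ncpfs", "fuse.sshfs", "9p"}

# Constructed /proc/mounts-style sample (made-up devices/address, not a real
# host's table). The NFS export is mounted read-only to reproduce the
# "Read-only file system" failure reported in the thread.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mapper/vg-root / ext3 rw,relatime 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0
engarchive2:/released /mnt/engarchive2/released nfs ro,vers=3,addr=192.0.2.10 0 0
//fileserver/share /mnt/share cifs rw 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts text into (mount_point, fstype, option_set) tuples.

    /proc/mounts escapes a literal space in a mount point as the octal
    sequence \\040, so undo that before comparing against real paths.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mount_point = fields[1].replace("\\040", " ")
        entries.append((mount_point, fields[2], set(fields[3].split(","))))
    return entries


MOUNTS = parse_mounts(SAMPLE_MOUNTS)


def mount_for_path(path, mounts):
    """Return the mount entry whose mount point is the longest prefix of path.

    Ties go to the later entry: the kernel lists mounts in mount order, so
    an over-mount (e.g. the real root over "rootfs") shadows what is under it.
    """
    path = os.path.normpath(path)
    best = None
    for entry in mounts:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = entry
    return best


def is_remote_path(path, mounts):
    entry = mount_for_path(path, mounts)
    return entry is not None and entry[1] in REMOTE_FS_TYPES


def is_readonly_path(path, mounts):
    entry = mount_for_path(path, mounts)
    return entry is not None and "ro" in entry[2]


def chcon_if_local(path, context_type, mounts, run=subprocess.call):
    """Run `chcon -t <type> <path>` only when the label can actually be set.

    Returns True if chcon ran and exited 0, False if it was skipped (remote
    or read-only mount) or failed. `run` is injectable so the decision logic
    can be exercised without root or a real chcon binary.
    """
    if is_remote_path(path, mounts) or is_readonly_path(path, mounts):
        return False
    return run(["/usr/bin/chcon", "-t", context_type, path]) == 0


def load_system_mounts(path="/proc/mounts"):
    """Read the live mount table; fall back to the sample where none exists."""
    if not os.path.exists(path):
        return MOUNTS
    with open(path) as fh:
        return parse_mounts(fh.read())


if __name__ == "__main__":
    for p in ("/mnt/engarchive2/released/F-8/GOLD/Fedora/ppc/os/ppc/ppc32/vmlinuz",
              "/var/www/cobbler/images/F-8-ppc/vmlinuz"):   # assumed local copy
        entry = mount_for_path(p, MOUNTS)
        print("%s -> %s (%s) remote=%s ro=%s" % (
            p, entry[0], entry[1], is_remote_path(p, MOUNTS), is_readonly_path(p, MOUNTS)))
```

Note that this only decides whether relabeling is possible; it does not make the NFS-hosted kernels servable. For that the files still have to be copied onto a local filesystem under tftpboot and /var/www (as Michael says) and labeled there, and on EL 4 the target types are tftpdir_t and httpd_sys_content_t rather than public_content_t.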
