On Fri, May 17, 2019 at 3:07 PM Teh, Kenneth M. <[email protected]> wrote:
> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>>
>>> Systemd continues to baffle me.
>>>
>>> I've set up a router machine that provides pxe boot and tftp services on a
>>> private network with dnsmasq. Pxeboot works if I run dnsmasq manually, but
>>> not when I turn on the service with systemctl.
>>>
>>> I can't think through its layers of obtuseness and would appreciate
>>> someone with a fresher brain to point me in the right direction.
>>
>> You don't give us much to work with. When you start it manually, what
>> exactly do you run? What does 'journalctl -u dnsmasq' report? Anything
>> else that might be relevant?
>
> Sorry. You're right. A moment of exasperation and frustration with systemd
> whose bits of config/info are strewn all over the place instead of
> everything in init.d. I guess I resent learning new ways of doing old
> things. Must be my age. :)
>
> Turned out the problem is dnsmasq's tftp module has no permission to read
> pxelinux.0 even though the file is 0644. Checked audit.log for possible
> selinux problem. Nothing.
>
> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except for
> pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried an semanage
> fcontext/restorecon to change it just to see if dnsmasq would read it.
> Doesn't change. Nothing in journalctl. Used chcon. Changes it. But dnsmasq
> still cannot read the file.
>
> Finally set dnsmasq to run as root in its config. Works. Only thing I can
> think of is dnsmasq which apparently runs as nobody when started from
> systemd cannot read files it does not own.
1) From the manpage:

    --tftp-secure
        Enable TFTP secure mode: without this, any file which is readable by
        the dnsmasq process under normal unix access-control rules is
        available via TFTP. When the --tftp-secure flag is given, only files
        owned by the user running the dnsmasq process are accessible. If
        dnsmasq is being run as root, different rules apply: --tftp-secure
        has no effect, but only files which have the world-readable bit set
        are accessible. It is not recommended to run dnsmasq as root with
        TFTP enabled, and certainly not without specifying --tftp-root.
        Doing so can expose any world-readable file on the server to any
        host on the net.

Are you using this option?

2) When you were testing and running it manually, were you setting
command-line options or were you simply using the options in
"/etc/dnsmasq.conf" like the systemd unit?
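The three access rules quoted from the manpage above (plain mode, --tftp-secure, and running as root) are easy to get wrong when diagnosing a "permission denied" on a 0644 file, as in the thread. The script below is an added example, not part of this thread or of the dnsmasq project: it models those three rules as a pure function and walks a TFTP root to report which files the daemon would actually hand out for a given run-as user. The uid 65534 for `nobody` and the `audit_tftp_root` helper name are assumptions of the example; it does not reproduce dnsmasq's own code, SELinux checks, or symlink handling.

```python
"""Model which files a dnsmasq TFTP server would serve under the manpage rules.

Added example, not taken from the mailing-list thread or the dnsmasq sources.
It encodes the quoted --tftp-secure text as a pure check (can_serve) and a
directory walker (audit_tftp_root). SELinux labels, symlinks and dnsmasq's
own open() failures are out of scope; the constructed scenario in main()
mirrors the thread: pxelinux.0 owned by root, mode 0644, dnsmasq as nobody.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    mode: int  # permission bits only (stat.S_IMODE)
    uid: int   # owning user
    gid: int   # owning group


def can_serve(info: FileInfo, run_uid: int, run_gids: frozenset, tftp_secure: bool) -> bool:
    """True if dnsmasq running as run_uid (member of run_gids) would serve the file.

    Rules as quoted from the manpage:
      - root: --tftp-secure has no effect; only world-readable files are served.
      - --tftp-secure: only files owned by the running user (and readable by it).
      - otherwise: ordinary Unix owner/group/other read permission.
    """
    if run_uid == 0:
        return bool(info.mode & stat.S_IROTH)
    if tftp_secure:
        return info.uid == run_uid and bool(info.mode & stat.S_IRUSR)
    if info.uid == run_uid:
        return bool(info.mode & stat.S_IRUSR)
    if info.gid in run_gids:
        return bool(info.mode & stat.S_IRGRP)
    return bool(info.mode & stat.S_IROTH)


def audit_tftp_root(root: str, run_uid: int, run_gids, tftp_secure: bool) -> dict:
    """Walk a TFTP root and map each regular file (relative path) to served/not served."""
    gids = frozenset(run_gids)
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            info = FileInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
            report[os.path.relpath(path, root)] = can_serve(info, run_uid, gids, tftp_secure)
    return report


if __name__ == "__main__":
    # Constructed scenario from the thread: root-owned pxelinux.0, mode 0644.
    NOBODY = 65534  # assumed uid/gid of "nobody"; check /etc/passwd on the real host
    pxelinux = FileInfo(0o644, 0, 0)
    for run_uid, secure in ((NOBODY, False), (NOBODY, True), (0, True)):
        who = "root" if run_uid == 0 else "nobody"
        print(f"user={who:6} tftp-secure={secure!s:5} -> served={can_serve(pxelinux, run_uid, frozenset({run_uid}), secure)}")
```

The output for the constructed scenario shows why the thread's symptom fits --tftp-secure: a root-owned 0644 file is served as `nobody` in plain mode, refused as `nobody` in secure mode, and served again once dnsmasq runs as root. `audit_tftp_root("/var/lib/tftpboot", 65534, {65534}, True)` applied to a real host lists every file that would be refused, which is the cheap check to run before reaching for `user=root`.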
