James Laska wrote:
On Tue, 2008-12-16 at 08:24 -0500, James Laska wrote:
> On Mon, 2008-12-15 at 18:04 -0500, Michael DeHaan wrote:
>
>> I've now made these changes on the devel branch.
>>
>> Folks with EL 4 or EL 5 who are interested in contributing some testing
>> may want to try out Cobbler with SELinux enabled/permissive on EL 4.
>>
>> There is code in utils.py to remove some hardlinking when needed on EL 4
>> to enable the restorecon operations to be sent down as needed since
>> there is no public_content_t type but only tftpdir_t and httpd_sys_content_t
>>
> Using freshly built packages from the devel branch results in a lot of
> chcon failures while attempting to change the context of my nfs mounted
> storage ...
>
> # cobbler sync
> ...
> chcon operation failed: ['/usr/bin/chcon', '-t', 'public_content_t', '/mnt/engarchive2/released/F-10/GOLD/Fedora/i386/os/images/pxeboot/vmlinuz-PAE']
> /usr/bin/chcon: failed to change context of `/mnt/engarchive2/released/F-8/GOLD/Fedora/ppc/os/ppc/ppc32/vmlinuz' to `system_u:object_r:public_content_t:s0': Read-only file system
> chcon operation failed: ['/usr/bin/chcon', '-t', 'public_content_t', '/mnt/engarchive2/released/F-8/GOLD/Fedora/ppc/os/ppc/ppc32/vmlinuz']
>
> I have the following SELinux nfs-related booleans [un]set.
>
> httpd_use_nfs --> on
> nfs_export_all_ro --> on
> nfs_export_all_rw --> on
> qemu_use_nfs --> on
> virt_use_nfs --> off
>
More info ...
Unless otherwise specified on the cmdline or in /etc/fstab, I believe
nfs mounts get the context: nfs_t.
Do we need to check if the files are hosted on a local vs remote
filesystem before calling `chcon`?
Thanks,
James
------------------------------------------------------------------------
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
Yes, we do. Excellent catch.
There's a problem, however, in that the content may live on NFS (which it
might), and we can't symlink to the image files from tftpboot and /var/www; we
have to copy them, as they must be public_content_t (or tftpdir_t and
httpd_sys_content_t in the case of EL 4). Basically, if the file is remote we
can't chcon it.
Getting all of the edge cases right for SELinux is insanely complicated.
--Michael
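One way to implement the local-vs-remote check discussed above, as an added example that is not Cobbler's own utils.py code: read the mount table, find the mount that holds the path by longest-prefix match, and skip chcon when that mount is a remote filesystem (which gets a fixed nfs_t/cifs_t label), was mounted with a fixed context= option, or is read-only. The mount table below is constructed to resemble the thread's setup; the REMOTE_FS_TYPES list, the function names, and the injectable runner are assumptions made for this example.

```python
"""Skip chcon on filesystems that cannot be relabelled (added example, not Cobbler code)."""
import os
import subprocess

# Filesystem types whose files carry a fixed, filesystem-wide SELinux context
# (nfs_t, cifs_t, ...) so chcon fails with EOPNOTSUPP. Assumption: illustrative list.
REMOTE_FS_TYPES = {"nfs", "nfs4", "cifs", "smbfs", "fuse.sshfs", "afs", "ncpfs"}

# Constructed /proc/mounts sample resembling the setup in the thread:
# an NFS tree under /mnt/engarchive2 and local ext3 for / and /var/www.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw 0 0
engarchive2:/vol/released /mnt/engarchive2 nfs ro,addr=10.0.0.5 0 0
/dev/sda2 /var/www ext3 rw 0 0
"""


def parse_mounts(text):
    """Return a list of (mountpoint, fstype, option-set) from /proc/mounts text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mount points as \040
        mountpoint = fields[1].replace("\\040", " ")
        entries.append((mountpoint, fields[2], set(fields[3].split(","))))
    return entries


def mount_for(path, mounts):
    """Longest-prefix match: the mount entry that actually holds `path`."""
    best = None
    for mountpoint, fstype, opts in mounts:
        prefix = mountpoint.rstrip("/") + "/"   # "/" stays "/", "/mnt/x" -> "/mnt/x/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fstype, opts)
    return best


def chcon_decision(path, mounts):
    """Return (should_chcon, reason) for a path, without touching the filesystem."""
    entry = mount_for(path, mounts)
    if entry is None:
        return False, "no mount entry covers %s" % path
    mountpoint, fstype, opts = entry
    if fstype in REMOTE_FS_TYPES:
        return False, "remote filesystem %s at %s; label is fixed (e.g. nfs_t)" % (fstype, mountpoint)
    if any(opt.startswith("context=") for opt in opts):
        return False, "mounted with context= at %s; per-file labels not supported" % mountpoint
    if "ro" in opts:
        return False, "read-only mount at %s" % mountpoint
    return True, "local writable %s at %s" % (fstype, mountpoint)


def chcon_if_local(path, context_type, mounts_text=None, runner=subprocess.call):
    """Run chcon -t only when the decision above allows it.

    `mounts_text` defaults to the live /proc/mounts; `runner` is injectable so the
    behaviour can be checked without root or SELinux. In production, resolve the
    path with os.path.realpath first so a symlink into NFS is classified correctly.
    """
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    mounts = parse_mounts(mounts_text)
    ok, why = chcon_decision(os.path.normpath(path), mounts)
    if not ok:
        return False, why
    rc = runner(["/usr/bin/chcon", "-t", context_type, path])
    return rc == 0, "chcon exit status %d" % rc


if __name__ == "__main__":
    for p in ("/mnt/engarchive2/released/F-8/GOLD/Fedora/ppc/os/ppc/ppc32/vmlinuz",
              "/var/www/cobbler/images/F-8-ppc/vmlinuz"):
        print(p, chcon_decision(p, parse_mounts(SAMPLE_MOUNTS)))
```

Since the copy into tftpboot and /var/www lands on local disk, the decision function says yes there and no for the NFS source tree, which is exactly the split the thread wants: relabel the copies, never the mirror. On an EL 4 host the caller would substitute tftpdir_t or httpd_sys_content_t for public_content_t as the thread describes.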