Michael DeHaan wrote:
> I've been doing a good amount of testing with Cobbler on SELinux, and
> basically there are a few things that have been changed:
>
> (A) Anton's patch to do the SELinux contexts for koan LVM partitions
> (B) Closing file descriptors any time there is a subprocess call
> (close_fds=True) throughout cobbler.
> (C) Calling restorecon in various copies within cobbler to ensure
> tftpboot context (among other things) is correct.
>
> Combining all of these changes together should make Cobbler + koan
> SELinux happy again. When testing, you are encouraged to run in
> permissive mode (strict if you like) and also have
> setroubleshoot installed.
>
> The goal should be that there are /no/ warnings from setroubleshoot
> whatsoever from running any Cobbler or koan operation. If you see
> any, let us know.
>
> This worked nicely for previous Cobbler versions on older OS's, but
> as SELinux grows in scope and the policy changes, it's important to
> keep an eye out for these things -- especially because Cobbler is
> glue between a lot of different things that all need to play nice
> with one another.
>
> Thanks!
>
> --Michael
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
It's actually more complicated than just this.
Before we were symlinking if possible (or hardlinking, if possible)
content between the source (anywhere on any accessible filesystem) and
/var/www and /var/lib/tftpboot or /tftpboot. Tftpboot can't do
symlinks because it's chroot -- but you get the basic idea. It turns
out that SELinux needs the correct content on the source as well as
the links, and in the case of linking, we need public_content_t.
Except public_content_t is not present in RHEL 4. Hence, some
interesting workarounds in utils.py are needed. We need something more
advanced than just restorecon.
The new behavior, which I'm working on, is to set the permission of
the source content to public_content_t if not on RHEL 4, and if on
RHEL 4, avoid symlinking and hardlinking when SELinux is enabled
(which will take up more space) -- however it will ensure SELinux
correctness (knock on silicon) on all platforms. In either case, also
ensure the correct content type of the symlinks themselves via
restorecon.
--Michael
I've now made these changes on the devel branch.
Folks with EL 4 or EL 5 who are interested in contributing some testing
may want to try out Cobbler with SELinux enabled/permissive on EL 4.
There is code in utils.py to remove some hardlinking when needed on EL 4
to enable the restorecon operations to be sent down as needed, since
there is no public_content_t type but only tftpdir_t and httpd_sys_content_t.
I'll also pound on this tomorrow.
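The link-versus-copy decision described in the two replies above, written out as a small added example. This is not Cobbler's utils.py and not code from the thread; the function names (choose_strategy, publish_file, label_for_sharing, run_quiet, demo) are this example's own, and the only platform assumption it encodes is the one the thread states: EL 4 has no public_content_t type, so on EL 4 with SELinux on the content is copied rather than linked and then restorecon'd into the directory's own type. It also shows the close_fds=True subprocess call the first message mentions, and why a hard link must not be restorecon'd after the shared inode has been given public_content_t.

```python
"""Added example: publishing install content so SELinux is happy.

Constructed illustration of the strategy discussed in the thread (not
Cobbler's utils.py): prefer links, but fall back to a real copy when
SELinux is on and the platform has no public_content_t type, then fix
the labels. All function names here are this example's own.
"""
import os
import shutil
import subprocess
import tempfile

# Per the thread, only EL 4 lacks public_content_t (assumption taken from
# the messages above, not verified against any other policy version).
LACKS_PUBLIC_CONTENT_T = {"el4"}


def selinux_enabled():
    """True if SELinux is enforcing or permissive, False if disabled/absent."""
    for path in ("/sys/fs/selinux/enforce", "/selinux/enforce"):
        if os.path.exists(path):
            return True
    return False


def run_quiet(cmd):
    """Run an external tool with every inherited fd closed (close_fds=True),
    so the child never holds a stray log or socket fd that SELinux would
    flag. Returns the exit code, or None if the tool is not installed."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.call(cmd, close_fds=True,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def choose_strategy(distro, selinux_on, same_filesystem, chrooted_dest=False):
    """Return 'hardlink', 'symlink' or 'copy'.

    Links are cheap, but they need the shared source to carry a type both
    httpd and tftpd may read (public_content_t). Without that type only a
    copy can get the destination directory's own default type."""
    if selinux_on and distro in LACKS_PUBLIC_CONTENT_T:
        return "copy"
    if same_filesystem:
        return "hardlink"
    if chrooted_dest:
        return "copy"        # a symlink would dangle inside the tftp chroot
    return "symlink"


def label_for_sharing(src, dst, strategy, runner=run_quiet):
    """Issue the relabel commands the chosen strategy needs and return them.

    - copy:     restorecon dst -> tftpdir_t / httpd_sys_content_t from the
                policy's file contexts (a copy may carry the source's label).
    - hardlink: chcon the shared inode to public_content_t; do NOT run
                restorecon on dst, that path would relabel the same inode.
    - symlink:  chcon the target, restorecon the link itself (restorecon does
                not follow symlinks, so the link inode gets its own type)."""
    cmds = []
    if strategy == "copy":
        cmds.append(["restorecon", dst])
    else:
        cmds.append(["chcon", "-t", "public_content_t", src])
        if strategy == "symlink":
            cmds.append(["restorecon", dst])
    for cmd in cmds:
        runner(cmd)
    return cmds


def publish_file(src, dst, distro, selinux_on=None, chrooted_dest=False,
                 runner=run_quiet):
    """Place src at dst by link or copy and fix labels; returns what was done."""
    if selinux_on is None:
        selinux_on = selinux_enabled()
    dst_dir = os.path.dirname(os.path.abspath(dst))
    same_fs = os.stat(src).st_dev == os.stat(dst_dir).st_dev
    strategy = choose_strategy(distro, selinux_on, same_fs, chrooted_dest)
    if os.path.lexists(dst):
        os.unlink(dst)
    if strategy == "hardlink":
        os.link(src, dst)
    elif strategy == "symlink":
        os.symlink(os.path.abspath(src), dst)
    else:
        shutil.copy2(src, dst)
    cmds = label_for_sharing(src, dst, strategy, runner) if selinux_on else []
    return strategy, cmds


def demo():
    """Exercise the EL 4 / EL 5 / SELinux-off cases in a scratch directory
    with a recording runner (no real chcon or restorecon is executed)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source", "vmlinuz")
        os.makedirs(os.path.dirname(src))
        with open(src, "wb") as f:
            f.write(b"constructed kernel image bytes")   # constructed content
        tftp = os.path.join(tmp, "tftpboot")
        os.makedirs(tftp)
        recorder = lambda cmd: 0                        # pretend relabel succeeded
        for distro, selinux_on in (("el4", True), ("el5", True), ("el5", False)):
            dst = os.path.join(tftp, "vmlinuz-%s-%d" % (distro, selinux_on))
            strategy, cmds = publish_file(src, dst, distro, selinux_on, runner=recorder)
            results[(distro, selinux_on)] = (strategy, [c[0] for c in cmds],
                                             os.path.samefile(src, dst))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The recording runner in demo() keeps the example runnable on a box without SELinux tooling; on a real EL host you would pass the default run_quiet and then check setroubleshoot for denials, which is the test the first message asks for.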