[Spacewalk-list] selinux on CentOS 6.0

Jan Pazdziora jpazdziora at redhat.com
Thu Jul 21 15:32:00 UTC 2011


On Tue, Jul 19, 2011 at 04:05:01PM +0100, John Hodrien wrote:
> I've just installed 1.4 on CentOS 6.0 with SELinux in targeted mode.  I've
> never used spacewalk with SELinux enabled, and am very much a newbie to
> SELinux.
> 
> To create a new distribution I copied the contents of DVD1 to
> /var/satellite/distros/centos-6.0, and tried to create a new distribution in
> the webui.
> 
> This failed, for selinux reasons, and I couldn't work out how to fix it
> easily.
> 
> Figuring that cobbler could read from its own directories, I moved it to
> /var/lib/cobbler/distros, and set the context of those files to be
> unconfined_u:object_r:cobbler_var_lib_t
> 
> That step then worked, but it failed trying to setup tftp.
> 
> audit2allow pointed me to an selinux boolean that'd cheer this step up.
> 
> semanage boolean -m --on cobbler_anon_write
> 
> That then all worked, until I came to create a new kickstart, and I had to
> add:
> 
> allow cobblerd_t cobbler_var_lib_t:lnk_file read;
> allow cobblerd_t tftpdir_rw_t:lnk_file read;
> allow cobblerd_t var_lib_t:file { read getattr open };
> 
> What *should* I have done?  Clearly I'm just bumbling around without
> knowing what I'm doing...

The right thing here would be to prevent cobbler from using hardlinks
altogether, as it only calls for trouble from an SELinux point of view.

I don't know if it is possible with some configuration option though --
I know we had to patch cobbler to make it work in the past:

	http://www.adelton.com/docs/spacewalk/selinux-how-we-confined-spacewalk#id2730015

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat
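The hardlink problem Jan points at is easy to confirm before reaching for audit2allow: SELinux keeps the label in the inode's security.selinux extended attribute, so every hardlinked name of a file carries the same label no matter which directory (distros, tftpboot, ...) it appears under. The shell snippet below is an added example, not code from the thread or from Spacewalk/cobbler; it builds a constructed sample tree in a temporary directory and lists the files that have more than one link, together with their inode and, where getfattr exists, their current label. Only POSIX find/ls are assumed; the directory names are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): locate hardlinked files
# under a tree so their SELinux labels can be reconciled or the links replaced
# by copies. Hardlinks share one inode and therefore one security.selinux
# label, which is why a file linked into a second directory keeps the label
# of the first and trips denials there.

# Print every regular file under $1 that has more than one hard link.
find_hardlinked() {
    find "$1" -xdev -type f -links +1 -print 2>/dev/null
}

# Number of hardlinked names found under $1 (each name is counted).
count_hardlinked() {
    find_hardlinked "$1" | wc -l | tr -d ' '
}

# Inode number of a path, so that names sharing an inode can be grouped.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Report "inode path [label]" for each hardlinked file; the label column is
# filled only when getfattr is available (it is absent on non-SELinux boxes).
report_hardlinked() {
    find_hardlinked "$1" | while read -r f; do
        label="(label tool unavailable)"
        if command -v getfattr >/dev/null 2>&1; then
            label=$(getfattr -n security.selinux --only-values "$f" 2>/dev/null \
                    || echo "(unlabeled)")
        fi
        printf '%s %s [%s]\n' "$(inode_of "$f")" "$f" "$label"
    done
}

# Build a constructed sample tree: two distro files, one of them hardlinked
# into a second directory the way a tftp boot tree might reference it.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/distros" "$d/tftpboot"
    echo kernel > "$d/distros/vmlinuz"
    echo initrd > "$d/distros/initrd.img"
    ln "$d/distros/vmlinuz" "$d/tftpboot/vmlinuz"
    echo "$d"
}

# Stand-alone run: build the sample, show the report, clean up.
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample)
    report_hardlinked "$sample"
    rm -rf "$sample"
fi
```

Run it with `sh script.sh demo` to see the two names that share one inode; on a real system point `report_hardlinked` at /var/lib/cobbler or /var/satellite, and any hardlinked pair crossing directories with different expected labels is a candidate for replacing the link with a copy and running restorecon on the result rather than adding allow rules.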