Fix TFTP read access for enforcing SELinux
This change adds ironic_tftp_master_path to the list of paths to get the tftpdir_t context, so that images copied from here to tftp_boot_folder will have a context which allows the file to be read. This change also applies the context changes when SELinux is in Permissive mode, as well as Enforcing. Change-Id: I43dd4a2f7cf47934bc9f5cdee85acf53a40dd468
This commit is contained in:
parent
b8ebbeb376
commit
0baff1e124
@ -502,6 +502,7 @@
|
||||
loop:
|
||||
- "{{ tftp_boot_folder }}"
|
||||
- "{{ tftp_boot_folder }}/pxelinux.cfg"
|
||||
- "{{ ironic_tftp_master_path }}"
|
||||
|
||||
- name: "Add proper context on created data for http_boot"
|
||||
sefcontext:
|
||||
@ -518,8 +519,9 @@
|
||||
loop:
|
||||
- "{{ http_boot_folder }}"
|
||||
- "{{ tftp_boot_folder }}"
|
||||
- "{{ ironic_tftp_master_path }}"
|
||||
when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and
|
||||
ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
|
||||
ansible_selinux.status == 'enabled'
|
||||
- name: "Configure remote logging"
|
||||
template: src=10-rsyslog-remote.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote.conf
|
||||
when:
|
||||
|
7
releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml
Normal file
7
releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
An issue has been fixed where enforcing SELinux resulted in files in
|
||||
``tftp_boot_folder`` not being readable by dnsmasq. This has been fixed by
|
||||
ensuring files in ``ironic_tftp_master_path`` have the SELinux context
|
||||
``tftpdir_t``.
|
Loading…
x
Reference in New Issue
Block a user