From 0baff1e12445624772e2436d04840316ee09763b Mon Sep 17 00:00:00 2001
From: Steve Baker
Date: Mon, 11 Jul 2022 11:59:03 +1200
Subject: [PATCH] Fix TFTP read access for enforcing SELinux

This change adds ironic_tftp_master_path to the list of paths to get the tftpdir_t context, so that images copied from here to tftp_boot_folder will have a context which allows the file to be read.

This change also applies the context changes when SELinux is in Permissive mode, as well as Enforcing.

Change-Id: I43dd4a2f7cf47934bc9f5cdee85acf53a40dd468
---
 playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml | 4 +++-
 releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml

diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index 8c9f52392..71a7470e1 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -502,6 +502,7 @@
 loop:
 - "{{ tftp_boot_folder }}"
 - "{{ tftp_boot_folder }}/pxelinux.cfg"
+ - "{{ ironic_tftp_master_path }}"
 
 - name: "Add proper context on created data for http_boot"
 sefcontext:
@@ -518,8 +519,9 @@
 loop:
 - "{{ http_boot_folder }}"
 - "{{ tftp_boot_folder }}"
+ - "{{ ironic_tftp_master_path }}"
 when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and
- ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
+ ansible_selinux.status == 'enabled'
 - name: "Configure remote logging"
 template: src=10-rsyslog-remote.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote.conf
 when:
diff --git a/releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml b/releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml
new file mode 100644
index 000000000..e2b817134
--- /dev/null
+++ b/releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml
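Review bot: The reason `ironic_tftp_master_path` needs the same label as the TFTP tree lives only in the commit message, not in the playbook; a comment above the new item in the first hunk would keep that knowledge with the task, e.g. `# images are copied from here into tftp_boot_folder and must stay readable by the TFTP server`. The `sefcontext` arguments for this loop are above the hunk, so check that its `target` covers the subtree (`(/.*)?`) rather than only the bare directory, otherwise an already-populated master image cache keeps its previous label after the relabel runs. The task's `when` is also outside the hunk; if it still requires `ansible_selinux.mode == "enforcing"`, the permissive-mode fix described in the commit message does not reach this task.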
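Review bot: Dropping `ansible_selinux.mode == "enforcing"` from the `when` in the second hunk makes the relabel run in permissive mode as well, which is sound: in permissive the same denials still appear as AVC audit records, and a host later switched to enforcing would otherwise fail on the unlabelled master path. The task's module line sits above the hunk; if it invokes `restorecon`, an `ironic_tftp_master_path` that does not yet exist at this point of the play makes the command fail, so the directory should be created earlier or the item skipped when absent. If the `sefcontext` tasks earlier in the file carry the same `enforcing` condition, they need the same relaxation, or the persistent rule is missing while the relabel runs. With a single term left on the continuation line, a list-form condition reads cleaner: `when:` / `  - ansible_os_family in ['RedHat', 'Suse']` / `  - ansible_selinux.status == 'enabled'`.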
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ An issue has been fixed where enforcing SELinux resulted in files in
+ ``tftp_boot_folder`` not being readable by dnsmasq. This has been fixed by
+ ensuring files in ``ironic_tftp_master_path`` have the SELinux context
+ ``tftpdir_t``.
\ No newline at end of file