RHEL: selinux blocking blocking to start kickstart

Question

I am having issue when I select a kick start profile to start installation after PXE boot. On the network installation server (same DHCP server) side I can see the following error in /var/log/messages when I hit this issue.

Nov 13 17:42:30 desktop10 dhcpd: DHCPDISCOVER from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:30 desktop10 dhcpd: DHCPOFFER on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: Dynamic and static leases present for 192.168.174.2.
Nov 13 17:42:32 desktop10 dhcpd: Remove host declaration desktopy or remove 192.168.174.2
Nov 13 17:42:32 desktop10 dhcpd: from the dynamic address pool for 192.168.174/24
Nov 13 17:42:32 desktop10 dhcpd: DHCPREQUEST for 192.168.174.2 (192.168.174.10) from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: DHCPACK on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 in.tftpd[20546]: tftp: client does not accept options
Nov 13 17:42:36 desktop10 setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (httpd_sys_content_t). For complete SELinux messages. run sealert -l 97c61847-7ea2-435f-bede-c95302b034f5**

On server the the selinux security contents

[root@desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz

Note: desktop10 is RHEL5.6, if I change selinux to permissive then I can proceed with installation.

Can someone help me to sort out this issue? Please let me know if anyone need more info.

Tried as suggested in the comment but no luck

  [root@desktop10 ~]# restorecon -Rv /tftpboot/
  [root@desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
  -rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz

score 0 · Answer 1 · answered Nov 14 '13 at 06:46

0

Your files are labeled by 'httpd_sys_content_t' that is not acceptable label for kickstart. It looks you copied the file from an apache directory or you create the file from a web appliaction running on apache.

Relabel directory by default labels:

[root@localhost /]# restorecon -Rv /tftpboot

answered Nov 14 '13 at 06:46

Martin Strejc

4,307
2
23
38

Tried but no luck. edited my original question and left the output in the bottom of the question. Let me know if you need more info. – user2410557 Nov 14 '13 at 14:31
Could you add results of 'semanage fcontext -l | grep tftp' command, please? It is helpful to see your default SELinux labeling. – Martin Strejc Nov 16 '13 at 21:35

score 0 · Answer 2 · answered Dec 19 '13 at 20:51

0

I think it may work if you try to relabel the directory with tftpd context tftpd_rw_t:

# semanage fcontext -a -t tftpd_rw_t '/tftpboot(/.*)?'
# restorecon -R -v /tftpboot

answered Dec 19 '13 at 20:51

shardan

113
4

RHEL: selinux blocking blocking to start kickstart

2 Answers2