Oct
09
2012
Fedora 17 Selinux Ugrade - Bump!

A customer of mine, had me approached to install a virtualization solution at his company.

The first goal was portability the second productivity.
I had to find a way (transparent from their employes) to remove their work environment from their hardware.

Productivity is easy … just remove any unnecessary software and keep their desktops as clean as they can be.

“Attention Span” is the big monster.

I found that with no-sound they couldnt listen to youtube or to internet radio stations or mp3 and they had to install a radio at their office.
One radio station, one music for all. That approach was much better than every other solution i could figure out.

Imaging a work space with 15 people, how every one wants to listen to a different music/news, youtube or whatever.
That was noise - and noise is the enemy!

As for portability - we dont want to use this old hardware - was easy enough too.
I’ve built a tinycorelinux image and convert every PC to a thin or thick client.
RDP to their Terminal Server was the only thing i had to ensure is working.

Dnsmasq is the simplest and best solution to do that (PXE).

created /tftpboot/ dir and worked my way through that.

I used fedora cause it is a virtualization box with all the latest versions of software.
I wanted to test fedora and selinux wasnt so bad after all.

Till the latest upgrade!


/tftpboot                                          directory          system_u:object_r:tftpdir_t:s0 
/tftpboot/.*                                       all files          system_u:object_r:tftpdir_t:s0

dnsmasq now needs dnsmasq_t


type=AVC msg=audit(1349450414.500:20456): avc:  denied  { read } for  pid=27175 comm="dnsmasq" name="tftpboot" dev="dm-1" ino=524451 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:tftpdir_t:s0 tclass=dir

relabeling is out of question.

The solution is to transfer all the necessaries files to a new directory that


semanage fcontext -l 

doesnt marked as something else and chcon the entire directory (recursive) to label to dnsmasq_t all files and dirs.

or to add a new policy rule that accepts dnsmasq_t for /tftpboot directory
or DISABLE selinux cause you’ll never now what else will through to you !

Its unacceptable to make such core changes without have a plan for backwards compatibility or a way to inform your faithful admin that he/shee will have a problem because you have destroyed everything he/she built the last year!.