Merge "Fix TFTP read access for enforcing SELinux"

2022-09-02 19:23:29 +00:00 · 2022-09-02 19:23:29 +00:00 · 38b40461ca
parent d6e6d647c7 0baff1e124
commit 38b40461ca
2 changed files with 10 additions and 1 deletions
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -515,6 +515,7 @@
      loop:
        - "{{ tftp_boot_folder }}"
        - "{{ tftp_boot_folder }}/pxelinux.cfg"
+        - "{{ ironic_tftp_master_path }}"

    - name: "Add proper context on created data for http_boot"
      sefcontext:
@ -531,8 +532,9 @@
      loop:
        - "{{ http_boot_folder }}"
        - "{{ tftp_boot_folder }}"
+        - "{{ ironic_tftp_master_path }}"
  when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and
-         ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
+         ansible_selinux.status == 'enabled'
 - name: "Configure remote logging"
  template: src=10-rsyslog-remote.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote.conf
  when:
--- a/releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml
+++ b/releasenotes/notes/selinux-tftp-c37e34311238f8fd.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    An issue has been fixed where enforcing SELinux resulted in files in
+    ``tftp_boot_folder`` not being readable by dnsmasq. This has been fixed by
+    ensuring files in ``ironic_tftp_master_path`` have the SELinux context
+    ``tftpdir_t``.