SCIENTIFIC-LINUX-USERS Archives

May 2019

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Orion Poplawski <[log in to unmask]>
Reply To: Orion Poplawski <[log in to unmask]>
Date: Fri, 17 May 2019 09:08:15 -0600
Content-Type: multipart/signed
Parts/Attachments: text/plain (2891 bytes), smime.p7s (3904 bytes)
On 5/17/19 7:07 AM, Teh, Kenneth M. wrote:
> Sorry. You're right. A moment of exasperation and frustration with systemd whose 
> bits of config/info are strewn all over the place instead of everything in 
> init.d. I guess I resent learning new ways of doing old things. Must be my age.  :)
> 
> Turned out the problem is dnsmasq's tftp module has no permission to read 
> pxelinux.0 even though the file is 0644. Checked audit.log for possible selinux 
> problem.  Nothing.
> 
> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except for 
> pxelinux.0 (plus a few more) which are cobbler_var_lib_t.  Tried an semanage 
> fcontext/restorecon to change it just to see if dnsmasq would read it. Doesn't 
> change. Nothing in journalctl. Used chcon. Changes it. But dnsmasq still cannot 
> read the file.
> 
> Finally set dnsmasq to run as root in its config. Works.  Only thing I can think 
> of is dnsmasq which apparently runs as nobody when started from systemd cannot 
> read files it does not own.
> 

Probably related:

       --tftp-secure
              Enable TFTP secure mode: without this, any file which is
              readable by the dnsmasq process under normal unix access-
              control rules is available via TFTP. When the --tftp-secure
              flag is given, only files owned by the user running the
              dnsmasq process are accessible. If dnsmasq is being run as
              root, different rules apply: --tftp-secure has no effect,
              but only files which have the world-readable bit set are
              accessible. It is not recommended to run dnsmasq as root
              with TFTP enabled, and certainly not without specifying
              --tftp-root. Doing so can expose any world-readable file on
              the server to any host on the net.

I'm still surprised it made a difference starting it by hand or by systemd.

> 
> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>> Systemd continues to baffle me.
>>>
>>> I've set up a router machine that provides pxe boot and tftp services on a
>>> private network with dnsmasq.  Pxeboot works if I run dnsmasq manually, but not
>>> when I turn on the service with systemctl.
>>>
>>> I can't think through its layers of obtuseness and would appreciate someone with
>>> a fresher brain to point me in the right direction.
>>>
>>
>> You don't give us much to work with.  When you start it manually, what exactly 
>> do you run?  What does 'journalctl -u dnsmasq' report?  Anything else that might 
>> be relevant?
>>


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [log in to unmask]
Boulder, CO 80301                 https://www.nwra.com/
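The two access rules quoted from the dnsmasq man page above explain the symptom in the thread: a 0644 pxelinux.0 owned by root is served when dnsmasq itself runs as root (world-readable bit set), but refused under --tftp-secure when the daemon has dropped to an unprivileged user (the file is not owned by that user). The script below is an added example, not part of this message or of dnsmasq; it models those rules in a small decision function and walks a TFTP root reporting which files the service account would be refused, so the fix can be a chown to the daemon's user rather than running dnsmasq as root. The uid 99 for "nobody" and the non-secure "normal unix access" approximation (owner bit or world bit, group membership ignored) are assumptions of the example.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class FileFacts:
    """The two stat() facts the dnsmasq TFTP rules depend on."""
    owner_uid: int
    mode: int  # permission bits, e.g. 0o644


def tftp_allowed(f: FileFacts, proc_uid: int, tftp_secure: bool) -> bool:
    """Model of the access rules described under --tftp-secure in dnsmasq(8).

    - daemon running as root: --tftp-secure is ignored, only world-readable files
    - daemon unprivileged with --tftp-secure: only files owned by that uid
    - daemon unprivileged without it: ordinary unix read access (approximated here
      as the owner-read bit when we own the file, else the world-read bit;
      group membership is deliberately ignored in this model)
    """
    world_readable = bool(f.mode & stat.S_IROTH)
    if proc_uid == 0:
        return world_readable
    if tftp_secure:
        return f.owner_uid == proc_uid
    if f.owner_uid == proc_uid:
        return bool(f.mode & stat.S_IRUSR)
    return world_readable


def audit_tftp_root(root: str, proc_uid: int, tftp_secure: bool) -> list:
    """Walk a TFTP root and return the relative paths the daemon would refuse."""
    refused = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            facts = FileFacts(st.st_uid, stat.S_IMODE(st.st_mode))
            if not tftp_allowed(facts, proc_uid, tftp_secure):
                refused.append(os.path.relpath(full, root))
    return sorted(refused)


def thread_scenario() -> dict:
    """Constructed reproduction of the case in the thread: pxelinux.0 is
    root-owned, mode 0644; the daemon is started either as root (by hand)
    or as the unprivileged 'nobody' user (assumed uid 99) with --tftp-secure."""
    pxelinux = FileFacts(owner_uid=0, mode=0o644)
    return {
        "manual_as_root": tftp_allowed(pxelinux, 0, True),
        "systemd_as_nobody_secure": tftp_allowed(pxelinux, 99, True),
        "systemd_as_nobody_not_secure": tftp_allowed(pxelinux, 99, False),
        # the mitigation: make the daemon's user own the file instead
        "chowned_to_nobody_secure": tftp_allowed(FileFacts(99, 0o644), 99, True),
    }


if __name__ == "__main__":
    for label, ok in thread_scenario().items():
        print(f"{label:32s} -> {'served' if ok else 'refused'}")

    # Offline audit over a constructed tree (files owned by whoever runs this).
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("pxelinux.0", 0o644), ("private.cfg", 0o600)):
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)
        other_uid = os.getuid() + 1  # some uid that does not own these files
        print("refused with --tftp-secure:", audit_tftp_root(tmp, other_uid, True))
        print("refused without it:        ", audit_tftp_root(tmp, other_uid, False))
```

Run it against a real tree (`audit_tftp_root("/var/lib/tftpboot", <uid of the dnsmasq process>, True)`) after checking the effective uid of the running daemon with `ps`; every path it lists is one a PXE client will fail to fetch, and for those the man page's own guidance points to giving ownership to the daemon's user rather than running as root.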


