Date: Fri, 17 May 2019 09:08:15 -0600
On 5/17/19 7:07 AM, Teh, Kenneth M. wrote:
> Sorry. You're right. A moment of exasperation and frustration with systemd whose
> bits of config/info are strewn all over the place instead of everything in
> init.d. I guess I resent learning new ways of doing old things. Must be my age. :)
>
> Turned out the problem is dnsmasq's tftp module has no permission to read
> pxelinux.0 even though the file is 0644. Checked audit.log for possible selinux
> problem. Nothing.
>
> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except for
> pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried an semanage
> fcontext/restorecon to change it just to see if dnsmasq would read it. Doesn't
> change. Nothing in journalctl. Used chcon. Changes it. But dnsmasq still cannot
> read the file.
>
> Finally set dnsmasq to run as root in its config. Works. Only thing I can think
> of is dnsmasq which apparently runs as nobody when started from systemd cannot
> read files it does not own.
>
Probably related:

    --tftp-secure
        Enable TFTP secure mode: without this, any file which is
        readable by the dnsmasq process under normal unix
        access-control rules is available via TFTP. When the
        --tftp-secure flag is given, only files owned by the user
        running the dnsmasq process are accessible. If dnsmasq is
        being run as root, different rules apply: --tftp-secure has
        no effect, but only files which have the world-readable bit
        set are accessible. It is not recommended to run dnsmasq as
        root with TFTP enabled, and certainly not without specifying
        --tftp-root. Doing so can expose any world-readable file on
        the server to any host on the net.

I'm still surprised it made a difference starting it by hand or by systemd.
>
> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>> Systemd continues to baffle me.
>>>
>>> I've set up a router machine that provides pxe boot and tftp services on a
>>> private network with dnsmasq. Pxeboot works if I run dnsmasq manually, but not
>>> when I turn on the service with systemctl.
>>>
>>> I can't think through its layers of obtuseness and would appreciate someone with
>>> a fresher brain to point me in the right direction.
>>>
>>
>> You don't give us much to work with. When you start it manually, what exactly
>> do you run? What does 'journalctl -u dnsmasq' report? Anything else that might
>> be relevant?
>>
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane [log in to unmask]
Boulder, CO 80301 https://www.nwra.com/
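
The three access cases in the --tftp-secure man page text quoted above, written out as an added example (not code from this thread or from dnsmasq). The names would_serve, dac_allows and demo are hypothetical, the tree is constructed, and the check assumes plain mode bits only and that a file under --tftp-secure must also pass the normal read check.

```python
import os
import stat
import tempfile

def dac_allows(st, uid, gids, bit_u, bit_g, bit_o):
    """Owner/group/other check only; ACLs, SELinux and capabilities are ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & bit_u)
    if st.st_gid in gids:
        return bool(st.st_mode & bit_g)
    return bool(st.st_mode & bit_o)

def would_serve(tftp_root, relpath, uid, gids=(), tftp_secure=False):
    """Return (served, reason) for one file, following the quoted man page text."""
    st = os.stat(os.path.join(tftp_root, relpath))
    if uid == 0:
        # Running as root: --tftp-secure has no effect, the world-readable bit decides.
        ok = bool(st.st_mode & stat.S_IROTH)
        return ok, "root: world-readable" if ok else "root: not world-readable"
    # Non-root needs search (x) on tftp_root and each directory below it (not above).
    dirs = [tftp_root]
    for part in os.path.dirname(relpath).split(os.sep):
        if part:
            dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        if not dac_allows(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search permission on " + d
    if not dac_allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, "mode bits deny read"
    if tftp_secure and st.st_uid != uid:
        return False, "--tftp-secure: file not owned by the dnsmasq user"
    return True, "readable"

def demo():
    """Constructed tree: pxelinux.0 is 0644, boot.cfg is 0600."""
    root = tempfile.mkdtemp()
    for name, mode in (("pxelinux.0", 0o644), ("boot.cfg", 0o600)):
        path = os.path.join(root, name)
        open(path, "wb").close()
        os.chmod(path, mode)
    other = os.getuid() + 1000  # stand-in unprivileged uid that owns nothing here
    os.chmod(root, 0o700)
    out = {"dir_0700": would_serve(root, "pxelinux.0", other)[0]}
    os.chmod(root, 0o755)
    out["dir_0755"] = would_serve(root, "pxelinux.0", other)[0]
    out["mode_0600"] = would_serve(root, "boot.cfg", other)[0]
    out["secure"] = would_serve(root, "pxelinux.0", other, tftp_secure=True)[0]
    out["root_0644"] = would_serve(root, "pxelinux.0", 0)[0]
    out["root_0600"] = would_serve(root, "boot.cfg", 0)[0]
    return out
```

would_serve can be pointed at a real TFTP root with the uid and group ids of the account dnsmasq runs as; the reason string names the first rule that denies the file.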