Bug 1038767

Summary: SELinux prevents access to /sbin/consoletype during cobbler sync
Product: Red Hat Enterprise Linux 6
Reporter: Jonathan Underwood <jonathan.underwood>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dwalsh, jonathan.underwood, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-02 22:53:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments: Strace of cobbler sync (flags: none)

Description Jonathan Underwood 2013-12-05 19:18:35 UTC
Description of problem:
With SELinux enforcing, issuing a cobbler sync results in:

..snip...
running: service dhcpd restart
received on stdout: Shutting down dhcpd: [  OK  ]
Starting dhcpd: [  OK  ]

received on stderr: /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
..snip..

Putting SELinux into permissive prevents this from happening.

Unfortunately nothing is reported in audit.log as far as I can tell.



Version-Release number of selected component (if applicable):
# rpm -qa | grep cobbler
cobbler-2.4.0-1.el6.noarch

# rpm -qa | grep selinux
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-195.el6_4.18.noarch
pki-selinux-9.0.3-30.el6.noarch


How reproducible:
Every time

Steps to Reproduce:
1. run cobbler sync

Actual results:
received on stderr: /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied

Expected results:
No error

Additional info:

Comment 1 Jonathan Underwood 2013-12-05 19:25:38 UTC
Created attachment 833303 [details]
Strace of cobbler sync

strace -f -e write=1,2 cobbler sync 2>cobbler.strace output with SELinux in enforcing mode

Comment 2 Miroslav Grepl 2013-12-06 08:55:37 UTC
We would need to see AVC msgs.

Comment 3 Jonathan Underwood 2013-12-09 19:39:35 UTC
As I stated above, no AVC messages are seen in audit.log - this is why I attached the strace.

Comment 4 Miroslav Grepl 2013-12-10 07:56:56 UTC
Does it work in permissive mode?

Comment 5 Jonathan Underwood 2013-12-10 13:42:46 UTC
(In reply to Miroslav Grepl from comment #4)
> Does it work in permissive mode?

Yes, as I mentioned in the original report, switching to permissive (setenforce 0) makes everything work as it should, and the message "received on stderr: /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied" is not displayed.

Comment 6 Daniel Walsh 2013-12-11 21:58:21 UTC
Could you try with dontaudit rules off?

# semodule -DB
Generate the AVCs.

Look for consoletype command and see if there are AVCs related.
# semodule -B

Will turn dontaudit rules back on.
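Comment 6 describes the standard way to surface a denial that is hidden by a dontaudit rule: rebuild the policy without those rules, reproduce, look for AVCs naming consoletype, then restore the rules. The script below is an added example, not part of this bug report or of the cobbler or selinux-policy projects; it wraps that procedure and filters and summarises the AVC records it produces. It assumes it runs as root on the RHEL 6 host with semodule, ausearch and cobbler on PATH; the AVC line and SELinux type names quoted in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes root on the RHEL 6 host
# with semodule, ausearch and cobbler on PATH.

# Print the AVC records in an audit log (file path, or '-' for stdin) whose
# comm= or name= field names the given command, e.g. consoletype.
avc_for_cmd() {
    cmd="$1"; log="${2:--}"
    grep '^type=AVC' "$log" | grep -E "comm=\"$cmd\"|name=\"$cmd\"" || true
}

# Number of matching AVC records (0 while the denial is still dontaudited).
avc_count() {
    avc_for_cmd "$1" "$2" | wc -l | tr -d ' '
}

# Reduce each matching AVC to "<perm> <source type> -> <target type>:<class>",
# the tuple needed to check whether selinux-policy lacks an allow rule.
# Constructed illustration: "execute cobblerd_t -> consoletype_exec_t:file".
avc_summary() {
    avc_for_cmd "$1" "$2" | sed -E \
        's/.*denied  \{ ([a-z_]+) \}.*scontext=[^:]+:[^:]+:([a-z0-9_]+):.*tcontext=[^:]+:[^:]+:([a-z0-9_]+):.*tclass=([a-z0-9_]+).*/\1 \2 -> \3:\4/'
}

# The procedure from comment 6: disable dontaudit rules, reproduce with
# cobbler sync, pull the recent AVCs for the command, and turn the rules
# back on even if cobbler sync fails.
trace_dontaudit() {
    cmd="$1"
    semodule -DB                   # rebuild policy without dontaudit rules
    trap 'semodule -B' EXIT        # restore dontaudit rules on exit
    cobbler sync >/dev/null 2>&1 || true
    ausearch -m AVC -ts recent 2>/dev/null | avc_summary "$cmd" -
}

# Usage on the affected host (not run when the file is only sourced):
#   trace_dontaudit consoletype
```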

Comment 7 Jonathan Underwood 2013-12-16 17:18:27 UTC
Hm. Unfortunately I can no longer reproduce the problem. I notice the system has recently updated to selinux-policy-targeted-3.7.19-231.el6.noarch, so perhaps that addressed the issue somehow. I'll close this and re-open it if I see it again.