Bug 1210366
Summary: | command "cobbler sync" produces AVC message | ||
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | Pavel Studeník <pstudeni> |
Component: | cobbler | Assignee: | Orion Poplawski <orion> |
Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | epel7 | CC: | jimi, lvrabec, mmalik, orion, plautrba, pvrabec, scott, ssekidde, tlestach, vanmeeuwen+fedora |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Type: | Bug | ||
Description
Pavel Studeník
2015-04-09 14:14:49 UTC
Were the AVCs caught in permissive mode? Where are the initrd.img (inode=72276915) and vmlinuz (inode=72276917) files located?

```
# getenforce
Enforcing
# ls -lZ /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz
# cobbler sync
task started: 2015-04-09_101038_sync
task started (id=Sync, time=Thu Apr 9 10:10:38 2015)
running pre-sync triggers
cleaning trees
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-7-70
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-7-71
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70
removing: /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
copying: /usr/share/syslinux/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
copying: /usr/share/syslinux/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /usr/share/syslinux/memdisk -> /var/lib/tftpboot/memdisk
copying distros
copying files for distro: ks-rhel-x86_64-server-7-70
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70/initrd.img
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/vmlinuz -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/initrd.img -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/initrd.img
copying files for distro: ks-rhel-x86_64-server-7-71
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71/initrd.img
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/vmlinuz -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-71/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/initrd.img -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-71/initrd.img
copying images
generating PXE configuration files
cleaning link caches
generating PXE menu structure
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***
```

I added the messages from a run in Permissive mode.

```
# getenforce
Permissive
# cobbler sync
...
# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1428668419.140:1156): avc: denied { write } for pid=20855 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=204302495 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428668419.140:1156): arch=c000003e syscall=86 success=yes exit=0 a0=7f1e3c39aef0 a1=7f1e3c07b3f0 a2=7f1e5875ff88 a3=fffffff0 items=0 ppid=1 pid=20855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
```

This bugzilla was triaged as "WONTFIX" by the SELinux team, due to a third-party software component which can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (the component maintainer) can ship a custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
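An added example, not part of the original report and not code from cobbler or selinux-policy: a small Python parser that pairs the AVC record quoted above with its SYSCALL record by audit event id and lists the candidate rule a custom policy module would have to justify in review. The sample log is the record from this report with some SYSCALL fields trimmed; the function names and the one-entry syscall table are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample input: the AVC/SYSCALL pair from this report, SYSCALL fields trimmed.
SAMPLE_LOG = '''type=AVC msg=audit(1428668419.140:1156): avc: denied { write } for pid=20855 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=204302495 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428668419.140:1156): arch=c000003e syscall=86 success=yes exit=0 pid=20855 uid=0 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?"
                 r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Only the x86_64 (arch=c000003e) syscall number this example needs.
X86_64_SYSCALLS = {"86": "link"}

def parse_denials(log_text):
    """Pair each AVC denial with the SYSCALL record sharing its audit event id."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        eid = EVENT_ID.search(line)
        if not eid:
            continue
        fields = dict(KV.findall(line))
        m = AVC.search(line)
        if line.startswith("type=AVC") and m:
            perms, scon, tcon, tclass = m.groups()
            avcs.append({"event": eid.group(1), "perms": perms.split(),
                         "source": scon.split(":")[2], "target": tcon.split(":")[2],
                         "tclass": tclass, "name": fields.get("name", "").strip('"')})
        elif line.startswith("type=SYSCALL"):
            syscalls[eid.group(1)] = fields
    for d in avcs:
        sc = syscalls.get(d["event"], {})
        num = sc.get("syscall")
        d["syscall"] = X86_64_SYSCALLS.get(num, num) if sc.get("arch") == "c000003e" else num
        d["success"] = sc.get("success")
    return avcs

def candidate_rules(denials):
    """Group denials by (source type, target type, class) into reviewable rules."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d["name"], d["syscall"], d["success"], d["perms"])
    print("\n".join(candidate_rules(parse_denials(SAMPLE_LOG))))
```

The decoded syscall (`link`) ties the denial to the "trying hardlink" steps in the `cobbler sync` output, and the generated rule is input for policy review rather than a rule to load as-is.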