Bug 1415315

Summary: SELinux prevents cobbler from authenticating via PAM
Product: [Fedora] Fedora EPEL Reporter: Orion Poplawski <orion>
Component: cobblerAssignee: Orion Poplawski <orion>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: epel7CC: dominick.grift, dwalsh, extras-qa, jimi, lvrabec, mmalik, orion, plautrba, pvrabec, scott, ssekidde, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1384600 Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1384600    
Bug Blocks:    

Description Orion Poplawski 2017-01-20 20:37:21 UTC 
+++ This bug was initially created as a clone of Bug #1384600 +++

Description of problem:

Trying to authenticate a user in cobbler via PAM fails:

type=AVC msg=audit(1476373827.693:553): avc:  denied  { create } for  pid=10174 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket permissive=0

Oct 13 09:50:27 vmf24 python2: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=USER
Oct 13 09:50:27 vmf24 python2: PAM audit_open() failed: Permission denied

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.4.noarch

--- Additional comment from Fedora Update System on 2017-01-09 09:03:05 EST ---

selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
Comment 2 Milos Malik 2017-01-23 06:58:14 UTC 
Could you switch the cobblerd_t domain to permissive, re-run your scenario and collect SELinux denials?

# semanage permissive -a cobblerd_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent

Thank you.
Comment 3 Orion Poplawski 2017-01-23 17:08:44 UTC 
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=SYSCALL msg=audit(01/23/2017 10:06:40.375:1311189) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28905 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:06:40.375:1311189) : avc:  denied  { create } for  pid=28905 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket
----
type=SYSCALL msg=audit(01/23/2017 10:07:41.466:1311200) : arch=x86_64 syscall=sendto success=yes exit=164 a0=0x42 a1=0x7fa8dd08eaa0 a2=0xa4 a3=0x0 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc:  denied  { audit_write } for  pid=28980 comm=cobblerd capability=audit_write  scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability
type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc:  denied  { nlmsg_relay } for  pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket
----
type=SYSCALL msg=audit(01/23/2017 10:07:41.465:1311199) : arch=x86_64 syscall=socket success=yes exit=66 a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:07:41.465:1311199) : avc:  denied  { create } for  pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket

# getsebool -a | grep cobbler
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> on
httpd_can_network_connect_cobbler --> on
httpd_serve_cobbler_files --> on