Bug 1415315
Summary: | SELinux prevents cobbler from authenticating via PAM | ||
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | Orion Poplawski <orion> |
Component: | cobbler | Assignee: | Orion Poplawski <orion> |
Status: | ASSIGNED --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | epel7 | CC: | dominick.grift, dwalsh, extras-qa, jimi, lvrabec, mmalik, orion, plautrba, pvrabec, scott, ssekidde, vanmeeuwen+fedora |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1384600 | Environment: | |
Last Closed: | Type: | Bug | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1384600 | ||
Bug Blocks: |
Description
Orion Poplawski
2017-01-20 20:37:21 UTC
Could you switch the cobblerd_t domain to permissive, re-run your scenario and collect SELinux denials? # semanage permissive -a cobblerd_t (re-run your scenario) # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent Thank you. # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent ---- type=SYSCALL msg=audit(01/23/2017 10:06:40.375:1311189) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28905 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(01/23/2017 10:06:40.375:1311189) : avc: denied { create } for pid=28905 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket ---- type=SYSCALL msg=audit(01/23/2017 10:07:41.466:1311200) : arch=x86_64 syscall=sendto success=yes exit=164 a0=0x42 a1=0x7fa8dd08eaa0 a2=0xa4 a3=0x0 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc: denied { audit_write } for pid=28980 comm=cobblerd capability=audit_write scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc: denied { nlmsg_relay } for pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket ---- type=SYSCALL msg=audit(01/23/2017 10:07:41.465:1311199) : arch=x86_64 syscall=socket success=yes exit=66 a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(01/23/2017 10:07:41.465:1311199) : avc: denied { create } for pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket # getsebool -a | grep cobbler cobbler_anon_write --> off cobbler_can_network_connect --> off cobbler_use_cifs --> off cobbler_use_nfs --> on httpd_can_network_connect_cobbler --> on httpd_serve_cobbler_files --> on |