Bug 1415315
| Summary: | SELinux prevents cobbler from authenticating via PAM | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Orion Poplawski <orion> |
| Component: | cobbler | Assignee: | Orion Poplawski <orion> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | epel7 | CC: | dominick.grift, dwalsh, extras-qa, jimi, lvrabec, mmalik, orion, plautrba, pvrabec, scott, ssekidde, vanmeeuwen+fedora |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1384600 | Environment: | |
| Last Closed: | 2024-07-09 15:36:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1384600 | ||
| Bug Blocks: | |||
|
Description
Orion Poplawski
2017-01-20 20:37:21 UTC
Could you switch the cobblerd_t domain to permissive, re-run your scenario and collect SELinux denials? # semanage permissive -a cobblerd_t (re-run your scenario) # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent Thank you. # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=SYSCALL msg=audit(01/23/2017 10:06:40.375:1311189) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28905 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:06:40.375:1311189) : avc: denied { create } for pid=28905 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket
----
type=SYSCALL msg=audit(01/23/2017 10:07:41.466:1311200) : arch=x86_64 syscall=sendto success=yes exit=164 a0=0x42 a1=0x7fa8dd08eaa0 a2=0xa4 a3=0x0 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc: denied { audit_write } for pid=28980 comm=cobblerd capability=audit_write scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability
type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc: denied { nlmsg_relay } for pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket
----
type=SYSCALL msg=audit(01/23/2017 10:07:41.465:1311199) : arch=x86_64 syscall=socket success=yes exit=66 a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:07:41.465:1311199) : avc: denied { create } for pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket
# getsebool -a | grep cobbler
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> on
httpd_can_network_connect_cobbler --> on
httpd_serve_cobbler_files --> on
EPEL 7 entered end-of-life (EOL) status on 2024-06-30. EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. |