Bug 2353901
| Summary: | SELinux is preventing /usr/bin/python3.9 from read access on the directory /boot/efi/EFI | | |
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | a.savchuk |
| Component: | cobbler | Assignee: | Orion Poplawski <orion> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | epel9 | CC: | a.savchuk, brejoc, kwizart, matrixfueller, ngompa13, orion |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
a.savchuk
2025-03-20 15:36:35 UTC
```
SELinux is preventing /usr/bin/python3.9 from read access on the directory /boot/efi/EFI/redhat.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/boot/efi/EFI/redhat default label should be boot_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /boot/efi/EFI/redhat

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that python3.9 should be allowed read access on the redhat directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
# semodule -X 300 -i my-cobblerd.pp

Additional Information:
Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                /boot/efi/EFI/redhat [ dir ]
Source                        cobblerd
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python3-3.9.21-1.el9_5.x86_64
Target RPM Packages           efi-filesystem-6-2.0.1.el9_0.noarch
                              grub2-common-2.06-94.0.1.el9_5.noarch
SELinux Policy RPM            selinux-policy-targeted-38.1.45-3.0.1.el9_5.noarch
Local Policy RPM              cobbler-selinux-3.3.7-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     netboot.bp.local
Platform                      Linux netboot.bp.local 5.14.0-503.33.1.el9_5.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar 19 06:55:43 PDT 2025 x86_64 x86_64
Alert Count                   11
First Seen                    2025-03-19 20:08:34 +04
Last Seen                     2025-03-20 20:42:56 +04
Local ID                      6957e2e1-3a4c-4912-b630-4d354739cf5a

Raw Audit Messages
type=AVC msg=audit(1742488976.396:153): avc:  denied  { read } for  pid=2112 comm="cobblerd" name="redhat" dev="sda1" ino=4 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1742488976.396:153): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f7a3f58df90 a2=90800 a3=0 items=0 ppid=1 pid=2112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: cobblerd,cobblerd_t,dosfs_t,dir,read


SELinux is preventing /usr/bin/python3.9 from getattr access on the file /boot/efi/EFI/redhat/shim.efi.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/boot/efi/EFI/redhat/shim.efi default label should be boot_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /boot/efi/EFI/redhat/shim.efi

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that python3.9 should be allowed getattr access on the shim.efi file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
# semodule -X 300 -i my-cobblerd.pp

Additional Information:
Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                /boot/efi/EFI/redhat/shim.efi [ file ]
Source                        cobblerd
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python3-3.9.21-1.el9_5.x86_64
Target RPM Packages           shim-x64-15.8-1.0.3.el9.x86_64
SELinux Policy RPM            selinux-policy-targeted-38.1.45-3.0.1.el9_5.noarch
Local Policy RPM              cobbler-selinux-3.3.7-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     netboot.bp.local
Platform                      Linux netboot.bp.local 5.14.0-503.33.1.el9_5.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar 19 06:55:43 PDT 2025 x86_64 x86_64
Alert Count                   1
First Seen                    2025-03-20 20:45:33 +04
Last Seen                     2025-03-20 20:45:33 +04
Local ID                      1d33dba9-f4b3-4e79-a746-729372392792

Raw Audit Messages
type=AVC msg=audit(1742489133.911:159): avc:  denied  { getattr } for  pid=2112 comm="cobblerd" path="/boot/efi/EFI/redhat/shim.efi" dev="sda1" ino=11 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1742489133.911:159): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=ffffff9c a1=7f7a3f3aec90 a2=7f7a3f3649b0 a3=0 items=0 ppid=1 pid=2112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: cobblerd,cobblerd_t,dosfs_t,file,getattr
```