Bug 568801

Summary: SE alerts running RHN Sat 5.3/cobbler
Product: Red Hat Satellite 5
Reporter: Steve Reichard <sreichar>
Component: Other
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED ERRATA
QA Contact: Jan Hutař <jhutar>
Severity: medium
Priority: low
Version: 530
CC: cperry, dyordano, jhutar, psklenar
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: cobbler-2.0.7-10
Doc Type: Bug Fix
Last Closed: 2011-06-17 02:41:27 UTC
Bug Blocks: 634222, 677501

Description Steve Reichard 2010-02-26 16:32:31 UTC
Description of problem:

Using Sat 5.3 as part of a config with SELinux permissive.

During cobbler config, performed the documented steps:
# setsebool -P httpd_can_network_connect true
# semanage fcontext -a -t public_content_t "/var/lib/tftpboot/.*"

Note: Leading '/' in /var is missing in documentation.

Upon browsing for errors, came across the following:

# SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/initrd.img (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to /images/ks-rhel-x86_64-server-5-u4/initrd.img (spacewalk_data_t). 

Version-Release number of selected component (if applicable):

Sat 5.3

How reproducible:

Unknown

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Jan Pazdziora (Red Hat) 2010-03-01 08:12:49 UTC
Steve,

please paste or attach the output of

  # grep AVC /var/log/audit/audit.log

Thank you,

Jan

Comment 2 Jan Pazdziora (Red Hat) 2010-06-04 08:46:27 UTC
As this is Satellite bugzilla, it cannot block Spacewalk tracker (only). Fixing.

Comment 3 Clifford Perry 2010-07-13 04:38:39 UTC
Please re-open with requested information. 

Cliff

Comment 5 Jan Pazdziora (Red Hat) 2011-05-25 13:49:51 UTC
The root cause for this issue is the fact that by default, cobbler makes hardlinks between the content in /var/satellite/rhn/kickstart, /var/www/cobbler, and /var/lib/tftpboot (/tftpboot on RHEL 5).

# ls -laZ /var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/ /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/ /var/www/cobbler/images/ks-rhel-x86_64-server-6-60/
/var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/:
drwxr-xr-x. root   root   unconfined_u:object_r:cobbler_var_lib_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:cobbler_var_lib_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz

/var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/:
drwxr-xr-x. apache apache unconfined_u:object_r:spacewalk_data_t:s0 .
drwxr-xr-x. apache apache unconfined_u:object_r:spacewalk_data_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz

/var/www/cobbler/images/ks-rhel-x86_64-server-6-60/:
drwxr-xr-x. root   root   unconfined_u:object_r:cobbler_var_lib_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz

# ls -li /var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/ /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/ /var/www/cobbler/images/ks-rhel-x86_64-server-6-60/
/var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/:
total 33032
1706764 -rw-r--r--. 3 apache apache 30031359 Sep 21  2010 initrd.img
1706765 -rw-r--r--. 3 apache apache  3791744 Sep 21  2010 vmlinuz

/var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/:
total 33032
1706764 -rw-r--r--. 3 apache apache 30031359 Sep 21  2010 initrd.img
1706765 -rw-r--r--. 3 apache apache  3791744 Sep 21  2010 vmlinuz

/var/www/cobbler/images/ks-rhel-x86_64-server-6-60/:
total 33032
1706764 -rw-r--r--. 3 apache apache 30031359 Sep 21  2010 initrd.img
1706765 -rw-r--r--. 3 apache apache  3791744 Sep 21  2010 vmlinuz

In this situation, the order in which the files are restorecon-ed matters -- if the last one restorecon-ed is /var/satellite, all the files will get spacewalk_data_t; if the last one is /var/lib/tftpboot or /var/www, all will get cobbler_var_lib_t.

The solution that we see for the problem is to prevent cobbler from using hardlinks. Cobbler uses hardlinks if the two locations are on the same filesystem. If they are not, it either symlinks or copies the files. A copy makes it possible to have different contexts for the files in question.
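
The check below is an added example, not part of the bug report and not cobbler's own code. It walks the directory trees given on the command line and reports every regular file whose inode shows up under more than one of them, which is exactly the hardlink situation described above: one inode carries one SELinux label, so restorecon on any of the paths relabels all of them. The directory names in the usage comment are the three trees from comment 5; the function names and the sample files created in the usage are assumptions for illustration. Inode numbers are only unique within one filesystem, and hardlinks cannot cross filesystems, so a match between trees on different filesystems is a false positive; paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example (not from the bug report or from cobbler): find files that
# share an inode across several directory trees. Shared inode == shared
# SELinux label, so the last restorecon wins for every path of the file.
#
# Usage on a Satellite (paths from comment 5 of the bug):
#   shared_inode_files /var/lib/tftpboot /var/www/cobbler /var/satellite/rhn/kickstart
# Expected after cobbler-2.0.7-10 (copies instead of hardlinks): no output.

# Print one line per inode that is reachable under more than one path:
#   "<inode> <path> <path> ..."
shared_inode_files() {
    for d in "$@"; do
        # "ls -i" is POSIX and prints "<inode> <path>" for each regular file
        find "$d" -type f -exec ls -i {} +
    done | awk '
        {
            # The same path listed twice (overlapping arguments) is not a
            # hardlink, so key on inode+path before counting distinct paths.
            if (!seen[$1 SUBSEP $2]++) { n[$1]++; p[$1] = p[$1] " " $2 }
        }
        END { for (i in n) if (n[i] > 1) print i p[i] }'
}

# Number of cross-path inodes; 0 means the trees hold no hardlinked files.
shared_inode_count() {
    shared_inode_files "$@" | wc -l | tr -d ' '
}

# Stand-alone demonstration on constructed data (hypothetical layout):
# satellite/ holds the original, tftpboot/ a hardlink, www/ a real copy.
demo_shared_inodes() {
    t=$(mktemp -d)
    mkdir "$t/tftpboot" "$t/www" "$t/satellite"
    printf 'kernel' > "$t/satellite/vmlinuz"
    ln "$t/satellite/vmlinuz" "$t/tftpboot/vmlinuz"
    cp "$t/satellite/vmlinuz" "$t/www/vmlinuz"
    shared_inode_files "$t/tftpboot" "$t/www" "$t/satellite"
    rm -rf "$t"
}
```

Run `demo_shared_inodes` to see a single line naming the satellite and tftpboot paths (the www copy has its own inode and is not listed). On a live server, a non-empty result from `shared_inode_files` over the three cobbler trees means the per-tree `semanage fcontext` rules cannot take effect independently, and the vmlinuz/initrd.img denials from the description are to be expected whichever tree is restorecon-ed last.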

Comment 6 Jan Pazdziora (Red Hat) 2011-05-25 14:03:10 UTC
Hardlinks disabled in cobbler in Satellite thirdparty, c9455273362806ae6e9d14fcbdd9da93159169f7.

Tagged and built as cobbler-2.0.7-10.

Comment 16 Clifford Perry 2011-06-17 02:41:27 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html