Bug 621095

Summary: Multiple cobblerd_t denials on Fedora-13 running standard Spacewalk installation
Product: Fedora
Reporter: Milan Zázrivec <mzazrivec>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 12
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.6.32-120.fc12
Doc Type: Bug Fix
Clone Of: 620503
Last Closed: 2010-08-20 01:44:12 UTC
Bug Depends On: 620503

Description Milan Zázrivec 2010-08-04 08:46:56 UTC
Cloning for Fedora-12 (supported platform for Spacewalk 1.1), showing
the same denials.

+++ This bug was initially created as a clone of Bug #620503 +++

Created an attachment (id=436078)
SELinux denials

Description of problem:
* Spacewalk 1.1 installation @ Fedora 13
* Multiple SELinux denials

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-39.fc13.noarch
cobbler-2.0.3.1-4.fc13.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install Spacewalk 1.1 @ Fedora 13
2. # grep denied /var/log/audit/audit.log | grep cobblerd_t
  
Actual results:
Multiple denials (see attachment).

Expected results:
No denials

Additional info:
There's xml-rpc communication going on between cobbler & taskomatic
(a cron-like daemon, part of standard Spacewalk / RHN Satellite
installation), which is denied by current selinux-policy.

The cobbler code allowing Spacewalk authentication:
/usr/lib/python2.6/site-packages/cobbler/modules/authn_spacewalk.py

Seeing that this functionality is part of standard cobbler and that selinux-policy
contains rules for cobblerd_t, this should (I believe) be allowed in the
standard Fedora selinux-policy.

--- Additional comment from dwalsh on 2010-08-03 13:34:10 EDT ---

You might need to turn on some booleans.

 getsebool -a | grep cobbler

--- Additional comment from mzazrivec on 2010-08-03 15:25:38 EDT ---

# getsebool -a | grep cobbler
cobbler_anon_write --> on
httpd_can_network_connect_cobbler --> on
# grep denied /var/log/audit/audit.log |grep cobbler
type=AVC msg=audit(1280895846.661:47): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895846.665:48): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895846.665:49): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895846.665:50): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895846.665:51): avc:  denied  { name_connect } for  pid=1612 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895846.665:52): avc:  denied  { name_connect } for  pid=1612 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895900.033:62): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895900.033:63): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895900.033:64): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895900.033:65): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895900.033:66): avc:  denied  { name_connect } for  pid=1653 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895900.035:67): avc:  denied  { name_connect } for  pid=1653 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
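The AVC records in the comment above are the raw material a policy maintainer has to triage: several records, two processes, but only three distinct accesses. The script below is an added example and is not code from the bug report or from the selinux-policy project. It parses AVC lines of exactly this format, collapses repeats into unique (source type, target type, object class, permission) tuples, and renders each as the allow rule that audit2allow would propose, so a reviewer can see at a glance that cobblerd_t is asking for self netlink_route_socket/udp_socket create and name_connect to http_port_t. The AVC_LINES text is copied from the report above (with the duplicates kept so the aggregation is visible); the function names and the regular expressions are the example's own.

```python
import re
from collections import Counter

# AVC denial lines copied from the report (comment of 2010-08-03).
# Repeats are kept on purpose so that the aggregation step has work to do.
AVC_LINES = """\
type=AVC msg=audit(1280895846.661:47): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895846.665:48): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895846.665:51): avc:  denied  { name_connect } for  pid=1612 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895900.033:62): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895900.033:66): avc:  denied  { name_connect } for  pid=1653 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

# Header part of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs in the tail; values may be quoted (comm="cobblerd").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # The type is the third colon-separated field of a context (user:role:type:level).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text, source_type=None):
    """Count denials per unique (stype, ttype, tclass, perm) tuple.

    source_type, when given, keeps only records whose source domain matches,
    which mirrors the `grep cobblerd_t` filter used in the report.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if source_type and rec["stype"] != source_type:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def allow_rules(counts):
    """Render each unique denial in the allow-rule form audit2allow proposes.

    This is a review aid only: a same-type target is written as `self`, and a
    real policy would usually gate network access like name_connect behind a
    boolean rather than allow it unconditionally.
    """
    rules = []
    for (stype, ttype, tclass, perm) in sorted(counts):
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {perm};")
    return rules


if __name__ == "__main__":
    counts = summarize(AVC_LINES, source_type="cobblerd_t")
    for key, n in sorted(counts.items()):
        print(n, key)
    print("\n".join(allow_rules(counts)))
```

Run against the five copied records, `summarize` reduces them to three tuples (two netlink_route_socket creates, one udp_socket create, two name_connects to http_port_t). The rendered rules are what a maintainer checks against the existing policy; in this bug the report already shows `httpd_can_network_connect_cobbler` as the boolean that governs the HTTP side, which is why a derived `allow ... http_port_t:tcp_socket name_connect;` line is a prompt for review rather than something to paste into a module.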

--- Additional comment from mgrepl on 2010-08-04 03:58:52 EDT ---

We have these rules in Rawhide. I will add it to F13.

Comment 1 Daniel Walsh 2010-08-04 17:31:48 UTC
Looks like we've got to backport some policy from F13.

Comment 2 Miroslav Grepl 2010-08-05 11:33:37 UTC
Fixed in selinux-policy-3.6.32-120.fc12

Comment 3 Fedora Update System 2010-08-05 13:18:27 UTC
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 4 Fedora Update System 2010-08-05 23:22:35 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 5 Fedora Update System 2010-08-20 01:38:48 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.