Bug 658410
Summary: | SELinux denials with Cobbler on RHEL 6
---|---
Product: | Red Hat Enterprise Linux 6
Component: | selinux-policy
Version: | 6.0
Status: | CLOSED ERRATA
Severity: | medium
Priority: | low
Reporter: | Mark Chappell <tremble>
Assignee: | Miroslav Grepl <mgrepl>
QA Contact: | Karel Srot <ksrot>
CC: | dwalsh, ksrot, mchappel, mmalik, shenson
Target Milestone: | rc
Hardware: | All
OS: | Linux
Fixed In Version: | selinux-policy-3.7.19-59.el6
Doc Type: | Bug Fix
Last Closed: | 2011-05-19 11:57:09 UTC
Bug Blocks: | 658822

Description
Mark Chappell
2010-11-30 09:41:34 UTC
Miroslav back port the cobbler and tftp policy from Rawhide, should cover most of these.

Fixed in selinux-policy-3.7.19-59.el6

Hello Mark, did you have a chance to retest it with selinux-policy-3.7.19-59.el6 (or newer)?

Karel, As far as I can tell the latest policy generally available is 3.7.19-54.el6_0.3, but I could try grabbing one of the more recent ones from brewweb. I'll try to get our office dev environment back up running and let you know.

Mark

The next preview release of selinux-policy is always available in a yum repository on http://people.redhat.com/dwalsh/SELinux/RHEL6

Created attachment 491730: Audit Log from enforcing mode

Created attachment 491731: Audit Log from permissive mode

Created attachment 491732: Output from restorecon

I've just tried selinux-policy-targeted-3.7.19-84.el6.noarch. However, I'm still seeing failures when SELinux is in enforcing mode. The restorecon output is the output of restorecon after I've run in permissive mode.

Mark

Can you make sure everything is labelled correctly? Maybe remove /var/lib/tftpboot altogether, then install selinux-policy-targeted and reinstall cobbler and tftpboot. Then check the labeling. Then run the test. I see in your AVCs some mention of default_t.

I thought I'd already done a full relabel, apparently not. The new policy does indeed seem to be doing the job, thanks all.

Bah, more denials... Looks like apache isn't able to read the cobbler files to serve them.

type=AVC msg=audit(1304352033.736:94269): avc: denied { read } for pid=1747 comm="httpd" name="RHEL-6-U0-Workstation-x86_64" dev=dm-2 ino=11386881 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=dir

# rpm -qa 'cobbler*' 'selinux-policy*'
selinux-policy-3.7.19-84.el6.noarch
selinux-policy-targeted-3.7.19-84.el6.noarch
cobbler-2.0.10-1.el6.noarch

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
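
The thread separates two causes of denials: targets left with `default_t` (a labelling problem, fixed by relabelling) and correctly labelled targets such as `cobbler_var_lib_t` that the policy does not let `httpd_t` read. The following is an added example, not part of the bug report or of any Red Hat tooling, that parses AVC records and sorts them along that line; the second sample record, the list of "unlabelled" types and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: record 1 is the denial quoted in the report above,
# record 2 is an invented record whose target carries default_t.
SAMPLE = """\
type=AVC msg=audit(1304352033.736:94269): avc: denied { read } for pid=1747 comm="httpd" name="RHEL-6-U0-Workstation-x86_64" dev=dm-2 ino=11386881 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1304352040.101:94270): avc: denied { getattr } for pid=1801 comm="in.tftpd" name="pxelinux.0" dev=dm-2 ino=42 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed list: types that usually mean the file never received a real label.
UNLABELED_TYPES = {"default_t", "unlabeled_t", "file_t"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    fields["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def triage(rec):
    """'relabel' if the target looks unlabelled, else 'policy' (heuristic)."""
    return "relabel" if rec["ttype"] in UNLABELED_TYPES else "policy"

def summarize(text):
    """Count denials per (source type, target type, class, triage verdict)."""
    out = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            out[(rec["stype"], rec["ttype"], rec.get("tclass", "?"), triage(rec))] += 1
    return out

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```

A `relabel` verdict points at running restorecon on the path before anything else; a `policy` verdict means the label is deliberate and the denial needs a policy update, as with the erratum that closed this bug.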