Bug 658410

| Field | Value |
|---|---|
| Summary: | SELinux denials with Cobbler on RHEL 6 |
| Product: | Red Hat Enterprise Linux 6 |
| Reporter: | Mark Chappell <tremble> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA |
| QA Contact: | Karel Srot <ksrot> |
| Severity: | medium |
| Priority: | low |
| Version: | 6.0 |
| CC: | dwalsh, ksrot, mchappel, mmalik, shenson |
| Target Milestone: | rc |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | selinux-policy-3.7.19-59.el6 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Clone Of: | |
| : | 658822 (view as bug list) |
| Last Closed: | 2011-05-19 11:57:09 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 658822 |
Miroslav back port the cobbler and tftp policy from Rawhide, should cover most of these.

Fixed in selinux-policy-3.7.19-59.el6

Hello Mark, did you have a chance to retest it with selinux-policy-3.7.19-59.el6 (or newer)?

Karel,
As far as I can tell the latest policy generally available is 3.7.19-54.el6_0.3, but I could try grabbing one of the more recent ones from brewweb. I'll try to get our office dev environment back up and running and let you know.
Mark

The next preview release of selinux-policy is always available in a yum repository on http://people.redhat.com/dwalsh/SELinux/RHEL6

Created attachment 491730 [details]
Audit Log from enforcing mode

Created attachment 491731 [details]
Audit Log from permissive mode

Created attachment 491732 [details]
Output from restorecon
I've just tried selinux-policy-targeted-3.7.19-84.el6.noarch. However, I'm still seeing failures when SELinux is in enforcing mode. The restorecon output is the output of restorecon after I've run in permissive mode.
Mark

Can you make sure everything is labelled correctly. Maybe remove /var/lib/tftpboot altogether, then install selinux-policy-targeted and reinstall cobbler and tftpboot, then check the labeling. Then run the test. I see in your avc's some mention of default_t.

I thought I'd already done a full relabel, apparently not. The new policy does indeed seem to be doing the job, thanks all.

Bah, more denials....
Looks like apache isn't able to read the cobbler files to serve them.

```
type=AVC msg=audit(1304352033.736:94269): avc: denied { read } for pid=1747 comm="httpd" name="RHEL-6-U0-Workstation-x86_64" dev=dm-2 ino=11386881 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=dir
```

```
# rpm -qa 'cobbler*' 'selinux-policy*'
selinux-policy-3.7.19-84.el6.noarch
selinux-policy-targeted-3.7.19-84.el6.noarch
cobbler-2.0.10-1.el6.noarch
```

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2011-0526.html
Using EPEL's version of Cobbler for RHEL6, various pieces of cobbler's functionality seem to be being blocked by the RHEL6 SELinux policy. It looks like a lot of Dominick Grift's recent work didn't make it into the RHEL6 policy.

I've ended up with the following extra module...

```
policy_module(rhit-cobbler, 1.0.8)

require {
	type cobblerd_t;
	type tftpd_t;
}

#============= cobblerd_t ==============
# Not sure if these two are needed - generated by audit2allow
allow cobblerd_t self:capability fsetid;
files_read_var_lib_files(cobblerd_t)

# Cobbler uses rsync to synchronise distributions between servers and
# creates/writes to /etc/rsyncd.conf
rsync_manage_config(cobblerd_t)
# and runs rsync on the "slave"
corenet_tcp_connect_rsync_port(cobblerd_t)
# Which are then written into /var/www/cobbler
apache_manage_sys_content(cobblerd_t)
miscfiles_manage_public_files(cobblerd_t)

# Cobbler links a number of files into /var/lib/tftp which tftp should
# be able to serve but end up with a cobbler based context
cobbler_read_lib_files(tftpd_t)
```
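As an added example (not code from this bug, Cobbler or the selinux-policy package), the following script parses AVC denial records of the kind quoted in this bug, prints the allow rule audit2allow would propose for each, and flags denials whose target carries a generic label such as default_t as a relabeling problem (restorecon) rather than a missing rule, which is the distinction the discussion above turns on. The GENERIC_TYPES set and the two extra sample records are assumptions constructed for the example.

```python
import re

# Constructed sample audit records. The first is the denial quoted in this bug;
# the tftpd/default_t record and the SYSCALL record are made up for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1304352033.736:94269): avc: denied { read } for pid=1747 comm="httpd" name="RHEL-6-U0-Workstation-x86_64" dev=dm-2 ino=11386881 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1304352040.120:94270): avc: denied { read open } for pid=1900 comm="in.tftpd" name="pxelinux.0" dev=dm-2 ino=22334455 scontext=system_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1304352033.736:94269): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic labels that mean "relabel the files" rather than "write a new rule"
# (assumption: catch-all types, like the default_t mentioned in this bug).
GENERIC_TYPES = {"default_t", "unlabeled_t"}

def parse_avc(line):
    """Return the parts of one AVC denial record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm", "?"),
        "stype": kv["scontext"].split(":")[2],   # source domain, e.g. httpd_t
        "ttype": kv["tcontext"].split(":")[2],   # target type, e.g. cobbler_var_lib_t
        "tclass": kv["tclass"],
    }

def triage(audit_text):
    """Map each denial to ('relabel', hint) when the target carries a generic label,
    otherwise to ('allow', rule) with the allow rule audit2allow would propose."""
    out = []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if d["ttype"] in GENERIC_TYPES:
            out.append(("relabel", f'{d["comm"]} hit {d["ttype"]}: run restorecon -Rv on the path first'))
        else:
            rule = f'allow {d["stype"]} {d["ttype"]}:{d["tclass"]} {{ {" ".join(d["perms"])} }};'
            out.append(("allow", rule))
    return out

if __name__ == "__main__":
    for kind, text in triage(SAMPLE_AUDIT):
        print(kind, text)
```

A rule printed by the "allow" branch is only a candidate; as the module above notes about its audit2allow lines, check whether an existing policy interface already covers the access before adding it.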