Bug 668716

Summary: Selinux denials in cobbler during taskomatic task
Product: [Community] Spacewalk
Component: Server
Version: 1.3
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Reporter: Miroslav Suchý <msuchy>
Assignee: Michael Mráka <mmraka>
QA Contact: Red Hat Satellite QA List <satqe-list>
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spacewalk-selinux-1.5.1-1
Doc Type: Bug Fix
Last Closed: 2011-08-05 10:16:41 UTC
Bug Blocks: 723481

Description Miroslav Suchý 2011-01-11 11:31:15 UTC
Description of problem:
see steps to reproduce

Version-Release number of selected component (if applicable):
Spacewalk 1.3 nightly

How reproducible:
always

Steps to Reproduce:
1. setenforce 1
2. install SW on Pg (probably not required)
3. wait till Cobbler Sync task from taskomatic starts

  
Actual results:
In /var/log/cobbler/cobbler.log
Tue Jan 11 05:18:03 2011 - INFO | Exception occured: <class 'cobbler.cexceptions.CX'>
Tue Jan 11 05:18:03 2011 - INFO | Exception value: 'kernel not found: /var/satellite/rhn/kickstart/ks-rhel-i386-server-5/images/pxeboot/vmlinuz'
Tue Jan 11 05:18:03 2011 - INFO | Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 1759, in _dispatch
    return method_handle(*params)
   File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 761, in modify_distro
    return self.modify_item("distro",object_id,attribute,arg,token)
   File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 758, in modify_item
    return method(arg)
   File "/usr/lib/python2.6/site-packages/cobbler/item_distro.py", line 160, in set_kernel
    raise CX("kernel not found: %s" % kernel)

And in /var/log/audit/audit.log:
type=AVC msg=audit(1294745160.620:35470): avc:  denied  { search } for  pid=29651 comm="cobblerd" name="satellite" dev=dm-0 ino=2111208 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1294745160.620:35470): avc:  denied  { search } for  pid=29651 comm="cobblerd" name="rhn" dev=dm-0 ino=2112280 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1294745160.620:35470): avc:  denied  { getattr } for  pid=29651 comm="cobblerd" path="/var/satellite/rhn/kickstart/ks-rhel-i386-server-5/images/pxeboot/vmlinuz" dev=dm-0 ino=2364646 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1294745160.620:35470): arch=c000003e syscall=4 success=yes exit=0 a0=7f8a5000a090 a1=7f8a5e600a10 a2=7f8a5e600a10 a3=6d762f746f6f6265 items=0 ppid=1 pid=29651 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1294745160.663:35471): avc:  denied  { getattr } for  pid=29654 comm="cobblerd" path="/var/satellite" dev=dm-0 ino=2111208 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1294745160.663:35471): arch=c000003e syscall=6 success=yes exit=0 a0=7f8a5800c4c0 a1=7f8a5f000f70 a2=7f8a5f000f70 a3=20 items=0 ppid=1 pid=29654 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1294745160.663:35472): avc:  denied  { getattr } for  pid=29654 comm="cobblerd" path="/var/satellite/rhn" dev=dm-0 ino=2112280 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1294745160.663:35472): arch=c000003e syscall=6 success=yes exit=0 a0=7f8a5800c4c0 a1=7f8a5f000f70 a2=7f8a5f000f70 a3=20 items=0 ppid=1 pid=29654 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1294745160.668:35473): avc:  denied  { link } for  pid=29654 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=2364646 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1294745160.668:35473): arch=c000003e syscall=86 success=yes exit=0 a0=7f8a580040a0 a1=7f8a58025f20 a2=32807b27e0 a3=3833692d6c656872 items=0 ppid=1 pid=29654 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

Expected results:
no errors with selinux enabled

Additional info:

Comment 1 Miroslav Suchý 2011-04-11 07:31:47 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 2 Miroslav Suchý 2011-04-11 07:36:30 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 3 Jan Pazdziora 2011-07-20 11:49:30 UTC
Aligning under space16.

Comment 4 Michael Mráka 2011-08-05 10:16:41 UTC
This bug has been fixed in Spacewalk 1.5 by
commit 121140517b765134eeb56caff84fdbb88247ccf3
    702274 - allow cobblerd_t to read spacewalk_data_t
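
Added example, not part of the bug report or of Spacewalk's code: a small parser that groups the AVC denials quoted in the description by source type, target type and object class, so the set of permissions cobblerd_t was refused on spacewalk_data_t can be reviewed in one place. The function names are hypothetical, and the rendered rules only mirror the allow-rule syntax for reading; they are not the policy change from the commit.

```python
import re
from collections import defaultdict

# AVC records copied from the audit.log excerpt in this report; the SYSCALL
# record is abridged to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1294745160.620:35470): avc:  denied  { search } for  pid=29651 comm="cobblerd" name="satellite" dev=dm-0 ino=2111208 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1294745160.620:35470): avc:  denied  { getattr } for  pid=29651 comm="cobblerd" path="/var/satellite/rhn/kickstart/ks-rhel-i386-server-5/images/pxeboot/vmlinuz" dev=dm-0 ino=2364646 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1294745160.620:35470): arch=c000003e syscall=4 success=yes exit=0 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1294745160.663:35471): avc:  denied  { getattr } for  pid=29654 comm="cobblerd" path="/var/satellite" dev=dm-0 ino=2111208 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1294745160.668:35473): avc:  denied  { link } for  pid=29654 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=2364646 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)


def as_allow_rules(denied):
    """Render the grouped denials in allow-rule syntax for human review."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))
        for (src, tgt, tclass), perms in sorted(denied.items())
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Grouping the records this way separates the plain lookups (search and getattr on directories and the kernel file) from the link permission on the file, which is worth checking individually before any rule is written.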