Bug 670855

Summary: cobblerd denied access to /var/lib/tftpboot/grub/images
Product: [Fedora] Fedora Reporter: Michael Cronenworth <mike>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.9.7-40.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-13 18:27:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael Cronenworth 2011-01-19 14:46:10 UTC 
Description of problem:

type=AVC msg=audit(1295448077.536:1970): avc:  denied  { read } for  pid=22566 comm="cobblerd" name="images" dev=dm-2 ino=327782 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1295448077.536:1970): arch=c000003e syscall=4 success=no exit=-13 a0=1bd8350 a1=7fff693e35c0 a2=7fff693e35c0 a3=62696c2f7261762f items=0 ppid=22565 pid=22566 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=270 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

# restorecon -Rv /var/lib/tftpboot/grub/images
(produces no output)


Version-Release number of selected component (if applicable):
cobbler-2.0.10-1.fc14.noarch
selinux-policy-3.9.7-20.fc14.noarch
selinux-policy-targeted-3.9.7-20.fc14.noarch

How reproducible: Always


Steps to Reproduce:
1. Upgrade from Fedora 13 (working) to Fedora 14 (not working)
2. Start cobblerd service.
  
Actual results: cobblerd will not start.


Expected results: cobblerd started.


Additional info:

I created a custom policy to allow this access. cobblerd starts successfully.
Comment 1 Daniel Walsh 2011-01-19 15:46:24 UTC 
Looks like the labeling is in selinux-policy-3.9.7-22.fc14

yum -y update selinux-policy-targeted --enablerepo=updates-testing
Comment 2 Michael Cronenworth 2011-01-19 17:39:49 UTC 
(In reply to comment #1)
> Looks like the labeling is in selinux-policy-3.9.7-22.fc14
> 
> yum -y update selinux-policy-targeted --enablerepo=updates-testing

Unfortunately this update is not in updates-testing just yet (and not even in Bodhi).
Comment 3 Miroslav Grepl 2011-01-19 18:16:31 UTC 
Yes. You can install the latest build from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=214872
Comment 4 Michael Cronenworth 2011-05-13 18:27:02 UTC 
This was fixed a while back.