Bug 670864

Summary: httpd denied read to /etc/cobbler/power
Product: [Fedora] Fedora
Reporter: Michael Cronenworth <mike>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dwalsh, mgrepl
Hardware: x86_64
OS: Unspecified
Fixed In Version: selinux-policy-3.9.7-25.fc14
Doc Type: Bug Fix
Last Closed: 2011-01-25 20:58:35 UTC

Description Michael Cronenworth 2011-01-19 15:07:04 UTC
Description of problem:

type=AVC msg=audit(1295447557.479:1884): avc:  denied  { read } for  pid=22205 comm="httpd" name="power" dev=dm-2 ino=732899 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1295447557.479:1884): arch=c000003e syscall=2 success=no exit=-13 a0=7f6eaae68420 a1=90800 a2=0 a3=206562207473756d items=0 ppid=3410 pid=22205 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

# restorecon -Rv /etc/cobbler
(produces no output)


Version-Release number of selected component (if applicable):
cobbler-2.0.10-1.fc14.noarch
selinux-policy-3.9.7-20.fc14.noarch
selinux-policy-targeted-3.9.7-20.fc14.noarch

How reproducible: Always


Steps to Reproduce:
1. Start cobblerd.
2. Attempt to login to cobbler via web interface.
3.
  
Additional info:

I've created a custom policy to allow this read.
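
The denial in the description above, decoded (an added example, not part of the original report or of the selinux-policy project). It parses the AVC record into the type-enforcement rule that would permit exactly the denied access and decodes the open() flags from the paired SYSCALL record. The function names are hypothetical, and the flag values assume x86_64 Linux.

```python
import re

# Records from the description (SYSCALL shortened to the fields used here).
AVC = ('type=AVC msg=audit(1295447557.479:1884): avc:  denied  { read } for  '
       'pid=22205 comm="httpd" name="power" dev=dm-2 ino=732899 '
       'scontext=unconfined_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1295447557.479:1884): arch=c000003e '
           'syscall=2 success=no exit=-13 a0=7f6eaae68420 a1=90800 a2=0 '
           'uid=48 comm="httpd" exe="/usr/sbin/httpd"')
# open(2) flag bits on x86_64 Linux (assumption: values from asm-generic fcntl.h)
OPEN_FLAGS = {0o4000: "O_NONBLOCK", 0o200000: "O_DIRECTORY", 0o2000000: "O_CLOEXEC"}

def fields(record):
    """Return the key=value pairs of an audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Serial number after the timestamp; records of one event share it."""
    return re.search(r'audit\(\d+\.\d+:(\d+)\)', record).group(1)

def parse_avc(record):
    """Extract the decision, permissions, types and class from an AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', record)
    if not m:
        raise ValueError("not an AVC record")
    f = fields(record)
    return {"result": m.group(1), "perms": m.group(2).split(),
            "tclass": f["tclass"], "serial": event_id(record),
            # the SELinux type is the third field of user:role:type:level
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2]}

def open_flags(record):
    """Decode a1 of an open(2) call (syscall 2 on x86_64) into flag names."""
    f = fields(record)
    if f["arch"] != "c000003e" or f["syscall"] != "2":
        raise ValueError("not an x86_64 open() record")
    value = int(f["a1"], 16)
    names = [n for bit, n in OPEN_FLAGS.items() if value & bit]
    return (["O_RDONLY"] if value & 0o3 == 0 else []) + names

def te_rule(avc):
    """Type-enforcement rule that would permit exactly the denied access."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {p};"

if __name__ == "__main__":
    print(te_rule(parse_avc(AVC)), open_flags(SYSCALL))
```

The O_DIRECTORY flag in the decoded call shows httpd was opening /etc/cobbler/power as a directory to list it, which is the access the cobbler_list_config(httpd_t) interface named in Comment 3 concerns.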

Comment 1 Daniel Walsh 2011-01-19 15:55:39 UTC
Not sure why apache is trying to read this directory?  But I would guess this is ok.

Comment 2 Daniel Walsh 2011-01-19 16:08:05 UTC
The first two bugs look like we have marked them as fixed in policy.  We rely on the cobbler maintainers to make sure SELinux does not break when they update.  We cannot know what is going to break and try to react as fast as possible.

Comment 3 Miroslav Grepl 2011-01-19 16:22:29 UTC
We have in policy

cobbler_list_config(httpd_t)

But we have a bug in this interface.

Fixed in selinux-policy-3.9.7-23.fc14

Comment 4 Fedora Update System 2011-01-20 16:04:21 UTC
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14

Comment 5 Fedora Update System 2011-01-20 19:54:44 UTC
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14

Comment 6 Fedora Update System 2011-01-25 20:57:43 UTC
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.