Bug 694468

Summary: avc: denied { search } for comm="cobblerd" name="satellite" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
Product: Red Hat Satellite 5 Reporter: Milan Zázrivec <mzazrivec>
Component: ServerAssignee: Michael Mráka <mmraka>
Status: CLOSED ERRATA QA Contact: Šimon Lukašík <slukasik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 541CC: cperry, jhutar, jpazdziora, mmraka, mzazrivec, slukasik
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spacewalk-selinux-1.2.1-3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-17 02:43:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 702274    
Bug Blocks: 677501, 677509    

Description Milan Zázrivec 2011-04-07 13:20:29 UTC 
Description of problem:
* Satellite 5.4.1 @ RHEL-6.1
* Custom distribution kickstartable tree placed on Satellite's filer
(i.e. /var/satellite)
* creation of custom distribution in webui fails with an error message:

    The kernel could not be found at the specified location: ...

* Following SELinux denials show:

type=AVC msg=audit(1302172437.980:21641): avc:  denied  { search } for
 pid=1349 comm="cobblerd" name="satellite" dev=vda1 ino=929797 
scontext=unconfined_u:system_r:cobblerd_t:s0 
tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-80.el6.noarch
cobbler-2.0.7-8.el6sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Try to create custom distribution in Satellite webui (the path pointing
to a location on your filer)
  
Actual results:
The action fails, selinux denial occurs.

Expected results:
The action succeeds, no SELinux denials.

Additional info:
The thing works w/ SELinux permissive.

The same problem will most likely show with kickstart distributions
downloaded from RHN.
Comment 5 Michael Mráka 2011-05-10 14:00:01 UTC 
The spacewalk-selinux fix for bug 702274 also fixes this issue.
Comment 7 Šimon Lukašík 2011-05-17 10:05:33 UTC 
Verified as per bug 702274 comment 15.
Comment 8 Milan Zázrivec 2011-06-10 13:35:20 UTC 
Verified in stage w/ spacewalk-selinux-1.2.1-5 -> release pending.
Comment 9 Clifford Perry 2011-06-17 02:43:14 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html