Bug 702274

Summary: AVC denial: cobbler getattr on /var/lib/rhn/kickstarts/wizard/ksname-kvm
Product: Red Hat Satellite 5 Reporter: Šimon Lukašík <slukasik>
Component: ProvisioningAssignee: Michael Mráka <mmraka>
Status: CLOSED ERRATA QA Contact: Šimon Lukašík <slukasik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 541CC: cperry, jhutar, jpazdziora, mminar, mmraka, mzazrivec
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spacewalk-selinux-1.2.1-5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-17 02:43:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 677501, 694468    
Attachments:
Description Flags
snippet from catalina.out none

Description Šimon Lukašík 2011-05-05 09:02:30 UTC 
Description of problem:
Due to an AVC denial, cobbler is unable to getattr() on
/var/lib/rhn/kickstarts/wizard/ksname-kvm. As a result,
user is unable to create kickstart profile through API.

Version-Release number of selected component (if applicable):
Satellite.5.4.1 on RHEL6

How reproducible:
1 of 1 retrials.


Steps to Reproduce:
1. satellite-sync -c rhel-${arch}-server-6 \
   -c rhn-tools-rhel-${arch}-server-6
2. register a client system
3. add virtualization_host entitlement to the client
4. API client.kickstart.createProfile()


Actual results:
xmlrpclib.Fault: <Fault -1: 'redstone.xmlrpc.XmlRpcFault:
unhandled internal exception: XmlRpcException calling cobbler.'>

Expected results:
PASS

Additional info:
Regression against Satellite 5.4.0 on RHEL5.
Comment 1 Šimon Lukašík 2011-05-05 09:03:25 UTC 
Created attachment 497012 [details]
snippet from catalina.out
Comment 2 Šimon Lukašík 2011-05-05 09:04:13 UTC 
type=AVC msg=audit(1304585307.620:287728): avc:  denied  { getattr } for  pid=7764 comm="cobblerd" path="/var/lib/rhn/kickstarts/wizard/ksname-kvm-1--1.cfg" dev=dm-0 ino=3014681 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1304585341.040:287729): avc:  denied  { getattr } for  pid=7798 comm="cobblerd" path="/var/lib/rhn/kickstarts/wizard/ksname-kvm-1--1.cfg" dev=dm-0 ino=3014681 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1304585400.520:287730): avc:  denied  { getattr } for  pid=7846 comm="cobblerd" path="/var/lib/rhn/kickstarts/wizard/ksname-kvm-1--1.cfg" dev=dm-0 ino=3014681 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Comment 3 Šimon Lukašík 2011-05-05 09:08:42 UTC 
The following are additional AVC denials, which has occurred prior
the described failure.


type=AVC msg=audit(1304429820.302:276704): avc:  denied  { search } for  pid=29144 comm="cobblerd" name="satellite" dev=dm-0 ino=2886166 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.302:276704): avc:  denied  { search } for  pid=29144 comm="cobblerd" name="rhn" dev=dm-0 ino=2886219 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.302:276704): avc:  denied  { getattr } for  pid=29144 comm="cobblerd" path="/var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/vmlinuz" dev=dm-0 ino=3028813 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
type=AVC msg=audit(1304429820.396:276705): avc:  denied  { getattr } for  pid=29147 comm="cobblerd" path="/var/satellite" dev=dm-0 ino=2886166 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.396:276706): avc:  denied  { getattr } for  pid=29147 comm="cobblerd" path="/var/satellite/rhn" dev=dm-0 ino=2886219 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.399:276707): avc:  denied  { link } for  pid=29147 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=3028813 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
Comment 6 Martin Minar 2011-05-09 11:56:28 UTC 
*** Bug 703064 has been marked as a duplicate of this bug. ***
Comment 8 Michael Mráka 2011-05-10 09:42:54 UTC 
Fixed in spacewalk master by
commit c7030d3f79f5ee4a77900b455bcdd79313865129
    702274 - restore kickstart files context
commit 67aa9aadb05d3875c483fc926aa5e80c4fc5ae55
    702274 - fixed context of kickstart configs
commit 121140517b765134eeb56caff84fdbb88247ccf3
    702274 - allow cobblerd_t to read spacewalk_data_t

Fixed spacewalk package: spacewalk-selinux-1.5.1-1
Comment 9 Michael Mráka 2011-05-10 10:10:44 UTC 
Backported to SATELLITE-5.4 as
commit 13d48bb464d7a043846b6e519a0632e918b292d5
    702274 - restore kickstart files context 
    Conflicts:    
        selinux/spacewalk-selinux/spacewalk-selinux-enable
commit a50ee804bce9cf63fa3543def907118ab5c5000d
    702274 - fixed context of kickstart configs
commit 8055cebc4ee54f466eb9e569f05fc17ceca467c9
    702274 - allow cobblerd_t to read spacewalk_data_t
    Conflicts:    
        selinux/spacewalk-selinux/spacewalk.te
Comment 11 Jan Pazdziora (Red Hat) 2011-05-10 14:59:03 UTC 
Had to fix unconfined_u error on RHEL 5, Spacewalk master, 5df365a25f7a344b31fb8f24ed4a43a1db177516.

Pulling from ON_QA.
Comment 13 Jan Pazdziora (Red Hat) 2011-05-10 15:28:20 UTC 
(In reply to comment #11)
> Had to fix unconfined_u error on RHEL 5, Spacewalk master,
> 5df365a25f7a344b31fb8f24ed4a43a1db177516.
> 
> Pulling from ON_QA.

Cherry picked to SATELLITE-5.4, e08f8d4656432a984867b9183b8525c63ef14f66.

Tagged and built as spacewalk-selinux-1.2.1-5.
Comment 15 Šimon Lukašík 2011-05-17 10:04:34 UTC 
Changing to verified:

On rhel6 with the latest spacewalk-selinux package no AVC denial occurs
during the kickstart of virtualized guest through Satellite.

Testing procedure:
 - Automated test

Verified against:
spacewalk-selinux-1.2.1-5.el6sat
Comment 16 Milan Zázrivec 2011-06-08 10:05:56 UTC 
Verified in stage w/ spacewalk-selinux-1.2.1-5 -> release pending.
Comment 17 Clifford Perry 2011-06-17 02:43:20 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html