Bug 813206

Summary: Default Spacewalk 1.7 install - selinux prevents 'cobbler sync'
Product: [Fedora] Fedora EPEL Reporter: Morgan Cox <morgancoxuk>
Component: cobblerAssignee: James C. <jimi>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: high    
Version: el6CC: awood, dgoodwin, jhutar, jimi, jpazdziora, mgrepl, shenson, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 2.2.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-06 12:32:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Morgan Cox 2012-04-17 08:50:57 UTC 
Description of problem: I have done a default install on a Centos 6 server as outlined 

https://fedorahosted.org/spacewalk/wiki/HowToInstall

By default selinux is preventing me doing a 'cobbler sync'


Version-Release number of selected component (if applicable):

spacewalk-postgresql-1.7.3-1.el6.noarch
cobbler-2.2.1-1.el6.noarch


How reproducible: 100% on both i386 and x86_64 servers


Steps to Reproduce:
1. Install spacewalk 
2. Setup spacewalk
3. try to cobbler sync
  
Actual results:

[root@spacewalk ~]# cobbler sync
task started: 2012-04-17_095020_sync
task started (id=Sync, time=Tue Apr 17 09:50:20 2012)
running pre-sync triggers
cleaning trees
mkdir: /var/www/cobbler/rendered
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/var/www/cobbler/rendered'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1280, in mkdir
    return os.makedirs(path,mode)
   File "/usr/lib64/python2.6/os.py", line 157, in makedirs
    mkdir(name, mode)

Exception occured: <type 'exceptions.TypeError'>
Exception value: not all arguments converted during string formatting
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 93, in run
    rc = self._run(self)
   File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 188, in runner
    return self.remote.api.sync(self.options.get("verbose",False),logger=self.logger)
   File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 701, in sync
    return sync.run()
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 110, in run
    self.clean_trees()
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 208, in clean_trees
    self.make_tftpboot()
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 176, in make_tftpboot
    utils.mkdir(self.rendered_dir,logger=self.logger)
   File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1285, in mkdir
    raise CX(_("Error creating") % path)



Expected results:

cobbler sync should work fine without disabling selinux

Additional info:
Comment 1 Jan Pazdziora (Red Hat) 2012-04-17 08:59:42 UTC 
What are the AVC denials in /var/log/audit/audit.log?
Comment 2 Morgan Cox 2012-04-17 09:23:20 UTC 
Hi

type=AVC msg=audit(1334654492.334:43893): avc:  denied  { write } for  pid=3403 comm="cobblerd" name="cobbler" dev=md2 ino=2229490 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1334654492.334:43893): arch=c000003e syscall=83 success=no exit=-13 a0=7fe3cc0008c0 a1=1ed a2=3e687b3dc8 a3=7fe3dabec6c8 items=0 ppid=1 pid=3403 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)

(I have never really understood SELINUX logs to be honest.....)
Comment 3 Jan Pazdziora (Red Hat) 2012-04-17 09:37:17 UTC 
Moving to Fedora EPEL / cobbler -- the AVC denial does not show any types / directories owned by Spacewalk.
Comment 4 Jan Pazdziora (Red Hat) 2012-04-20 12:44:45 UTC 
The problem seems to be caused by the fact that unlike the 2.0 rpm, the 2.2 does not contain all the subdirectories of /var/www/cobbler that cobbler would like to use:

$ rpm -qlp cobbler-2.2.2-1.el6.noarch.rpm | grep rendered
$ rpm -qlp cobbler-2.0.11-2.el6.noarch.rpm | grep rendered
/var/www/cobbler/rendered
$

If the rpm contained them, they'd be created with correct SELinux context (cobbler_var_lib_t, most probably) upon rpm installation and the daemon would not attempt to create them.
Comment 5 Miroslav Grepl 2012-04-27 12:40:13 UTC 
We have more issue.

1.#816309
=> there are wrong instructions

2. /var/www/cobbler/rendered needs to be owned by cobbler package so it needs to be part of payload

3. probably other issues

Scott, 
had you tested it with SELinux before you pushed a new version of cobbler?

We need to fix it ASAP. So any chance you could revert these changes?

RHEL6.3 Beta has been published, so this not a good time to make big changes in the policy.
Comment 6 James C. 2012-05-22 01:00:37 UTC 
I've corrected this in the cobbler.spec and setup.py file, so things should be installed correctly. This patch will be included in cobbler 2.2.3:

For now, manually creating the directory and running restorecon on it should get you up and running. If not please open a new issue on the official github issue tracker for cobbler: https://github.com/cobbler/cobbler/issues



# from master branch:

$ rpm -qif /var/www/cobbler/rendered|grep ^Name
Name        : cobbler

commit 285e3b5183b3b36576a0a60830d5eeaae57c428a
Author: James Cammarata <jimi>
Date:   Mon May 21 19:53:42 2012 -0500

    BUGFIX - adding some untracked directories and the new augeas lense to the setup.py and cobbler.spec files
Comment 7 James C. 2012-05-22 01:38:48 UTC 
*** Bug 819497 has been marked as a duplicate of this bug. ***
Comment 8 James C. 2012-06-06 12:32:21 UTC 
2.2.3-1 has been released, which resolves this bug.