Bug 814254

Summary: SELinux is preventing /usr/sbin/getsebool from read access on the directory /selinux/booleans/.
Product: Fedora EPEL
Component: cobbler
Reporter: Stuart Newman <stuart.j.newman>
Assignee: James C. <jimi>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: el6
CC: awood, dgoodwin, dwalsh, jimi, mmalik, orion, shenson, syeghiay, vanmeeuwen+fedora
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-04-21 19:20:11 UTC
Attachments: AVCs which appeared in permissive mode

Description Stuart Newman 2012-04-19 13:20:53 UTC
Description of problem: SELinux is preventing /usr/sbin/getsebool from read access on the directory /selinux/booleans/.

SELinux is preventing /usr/sbin/getsebool from read access on the directory /selinux/booleans/.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that getsebool should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep getsebool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                /selinux/booleans/ [ dir ]
Source                        getsebool
Source Path                   /usr/sbin/getsebool
Port                          <Unknown>
Host                          fiat
Source RPM Packages           libselinux-utils-2.0.94-5.2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-126.el6_2.10
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fiat
Platform                      Linux fiat 2.6.32-220.13.1.el6.x86_64 #1 SMP Thu
                              Mar 29 11:46:40 EDT 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 19 Apr 2012 09:11:21 AM EDT
Last Seen                     Thu 19 Apr 2012 09:11:21 AM EDT
Local ID                      7c9ae146-bcf5-4ea1-b33d-c49f914ef04c

Raw Audit Messages
type=AVC msg=audit(1334841081.897:37262): avc:  denied  { read } for  pid=11168 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Run cobbler check with cobbler 2.2.1 or 2.2.2

Actual results: sealert

Expected results: no alert

Additional info:

Comment 2 Milos Malik 2012-04-19 13:59:31 UTC
Quick reproducer:
0) setenforce 1
1) yum install cobbler cobbler-web
2) service cobblerd start
3) service httpd restart
4) setsebool httpd_can_network_connect_cobbler on
5) cobbler check
6) ausearch -m AVC -ts recent
----
time->Thu Apr 19 15:52:39 2012
type=SYSCALL msg=audit(1334843559.296:21897): arch=40000003 syscall=5 success=no exit=-13 a0=bfea6f7c a1=98800 a2=3e6ff4 a3=ffffffff items=0 ppid=1850 pid=1978 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="getsebool" exe="/usr/sbin/getsebool" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1334843559.296:21897): avc:  denied  { read } for  pid=1978 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----

Comment 3 Milos Malik 2012-04-19 14:03:58 UTC
Created attachment 578657 [details]
AVCs which appeared in permissive mode

Comment 4 Daniel Walsh 2012-04-19 18:24:13 UTC
Why is cobbler setting booleans?  Cobbler should not be doing anything with SELinux from within the app.

Comment 5 Miroslav Grepl 2012-04-20 08:47:14 UTC
I thought it was fixed in cobbler just to suggest it.

Comment 6 Daniel Walsh 2012-04-20 13:57:19 UTC
I have no problem with it reading boolean settings but it will not be allowed to set them.

Comment 7 Miroslav Grepl 2012-04-25 10:54:20 UTC
(In reply to comment #6)
> I have no problem with it reading boolean settings but it will not be allowed
> to set them.

Which I added.

Comment 8 James C. 2012-05-22 01:07:36 UTC
It does not set any booleans. It only uses getsebool for the "cobbler check" command to determine if it should suggest booleans that may need to be set by the user.

Comment 9 Daniel Walsh 2012-05-23 11:21:33 UTC
James, the AVCs I see in Comment 3 from Milos show cobbler executing semanage?

Comment 10 James C. 2012-05-23 12:04:03 UTC
You're correct, I missed that in that attachment. What it's doing is using "semanage fcontext -l" to find files that match certain types (again in action_check.py); it's not setting anything:

> data3 = utils.subprocess_get(self.logger,"/usr/sbin/semanage fcontext -l | grep public_content_t",shell=True)

I'm sure there's a better way to do it than that, but that's where the AVC is coming from. As far as I know, that was added quite a while back (git blame says 6/30/2009) so it's odd that AVCs are just now cropping up from this.

Comment 11 Daniel Walsh 2012-05-24 14:09:17 UTC
You should either use matchpathcon or grep /etc/selinux/*/contexts/files/file_context

Comment 12 James C. 2012-05-25 02:39:41 UTC
Shouldn't all of these be set to httpd_cobbler_content_t?

/var/www/cobbler(/.*)?	system_u:object_r:httpd_cobbler_content_t:s0
/var/www/cobbler/pub(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/links(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/images(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/rendered(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/ks_mirror(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/localmirror(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/repo_mirror(/.*)?	system_u:object_r:cobbler_var_lib_t:s0

Also, "/var/lib/cobbler/webui_sessions(/.*)?" should be set to httpd_sys_rw_content_t (it was moved from /usr/share/cobbler).

These checks exist because the default policy is incorrect I think. If that's corrected, we can drop the checks entirely. In the meantime, I'll modify the code to use the methods above and remove the calls to semanage.

Comment 13 James C. 2012-05-25 03:13:23 UTC
Similarly, why are these being set to cobbler_var_lib_t?

/var/lib/tftpboot(/.*)?	system_u:object_r:tftpdir_rw_t:s0
/var/lib/tftpboot/etc(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/ppc(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/grub(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/s390x(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/images(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/pxelinux\.cfg(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/tftpboot	-d	system_u:object_r:tftpdir_t:s0
/var/lib/tftpboot/yaboot	--	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/memdisk	--	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/menu\.c32	--	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/pxelinux\.0	--	system_u:object_r:cobbler_var_lib_t:s0

I would think those aren't required, and should be left to tftpdir_rw_t, shouldn't they?

Comment 14 James C. 2012-05-25 12:05:04 UTC
All of the semanage code is removed in master, and will be in the next release (2.2.3). As I noted above, the policy needs to be updated to remove all of the subpaths from www/cobbler/ and the one new rule for /var/lib/cobbler/webui_sessions added. We have a wiki page for SELinux on our github site, which I'll be updating with much more information in regards to ensuring the policy is correctly configured on end users' machines.
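The replacement comments 10 through 14 converge on, reading the policy's file_contexts data directly instead of shelling out to semanage from cobblerd_t, shown as an added example that is not cobbler's own code. It parses a constructed sample built from the entries quoted in comments 12 and 13 (plus the webui_sessions rule comment 12 asks for), answers the "which paths carry type X" question the old grep answered, and predicts the label for a path; the precedence rule it applies (last matching entry wins) is stated as an assumption in the code.

```python
import re

# Constructed sample in file_contexts format (regex, optional file-type flag,
# context), built from the entries quoted in comments 12 and 13 plus the
# webui_sessions rule that comment 12 asks for.
SAMPLE_FILE_CONTEXTS = r"""
/var/www/cobbler(/.*)?                 system_u:object_r:httpd_cobbler_content_t:s0
/var/www/cobbler/pub(/.*)?             system_u:object_r:cobbler_var_lib_t:s0
/var/lib/cobbler/webui_sessions(/.*)?  system_u:object_r:httpd_sys_rw_content_t:s0
/var/lib/tftpboot(/.*)?                system_u:object_r:tftpdir_rw_t:s0
/var/lib/tftpboot/pxelinux\.cfg(/.*)?  system_u:object_r:cobbler_var_lib_t:s0
/tftpboot                      -d      system_u:object_r:tftpdir_t:s0
/var/lib/tftpboot/pxelinux\.0  --      system_u:object_r:cobbler_var_lib_t:s0
"""

# file-type flags; an entry without a flag applies to every kind of object
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "sock", "-p": "fifo"}


def parse_file_contexts(text):
    """Return (regex, flag_or_None, context) tuples, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:                       # regex context
            entries.append((fields[0], None, fields[1]))
        elif len(fields) == 3:                     # regex flag context
            entries.append(tuple(fields))
    return entries


def paths_with_type(entries, selinux_type):
    """Unprivileged stand-in for 'semanage fcontext -l | grep <type>'."""
    return [regex for regex, _flag, ctx in entries
            if ctx != "<<none>>" and ctx.split(":")[2] == selinux_type]


def expected_type(entries, path, kind="file"):
    """Type the policy expects for path (kind: file, dir, symlink, ...).
    Assumption: of all matching entries the last one in the file wins, the
    classic libselinux rule (local rules are appended, so they override)."""
    chosen = None
    for regex, flag, ctx in entries:
        if flag is not None and FTYPE_FLAGS.get(flag) != kind:
            continue
        if re.fullmatch(regex, path):
            chosen = ctx
    if chosen is None or chosen == "<<none>>":
        return None
    return chosen.split(":")[2]
```

On a real host the libselinux Python bindings' `selinux.matchpathcon()` (the matchpathcon route Dan suggests in comment 11) gives the same answer from the installed policy without re-implementing the matching.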