Bug 816596

Summary: cobbler 2.2 requires new access permissions
Product: Red Hat Enterprise Linux 6
Reporter: Jan Pazdziora <jpazdziora>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.2
CC: awood, dgoodwin, dominick.grift, dwalsh, joe, jpazdziora, mgrepl, mmalik, mzazrivec, shenson, vanmeeuwen+fedora
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 765916
Environment:
Last Closed: 2012-10-15 14:41:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 765916
Bug Blocks:

Description Jan Pazdziora 2012-04-26 13:26:35 UTC
+++ This bug was initially created as a clone of Bug #765916 +++

Created attachment 544628 [details]
cobbler AVC log

Description of problem: Cobbler 2.2.1 is sitting in Fedora updates-testing, but it requires new access permissions to perform a sync.


Version-Release number of selected component (if applicable):
cobbler-2.2.1-1.fc15.noarch
selinux-policy-3.9.16-48.fc15.noarch


How reproducible: Always


Steps to Reproduce:
1. Upgrade cobbler 2.0.11 to 2.2.1
2. Log in to web interface
3. Click on "Sync" link.
  
Actual results:
Sync fails with permission denied errors.


Expected results:
Sync completes.


Additional info:
I am attaching the AVC log of the denials that I had to allow in order for Sync to work successfully.

--- Additional comment from mike on 2011-12-09 12:28:25 EST ---

I forgot to add that the AVC log also includes denials for cobblerd. I had to enable those as well to get the service cobblerd to start so I could log in to the web interface.

--- Additional comment from mgrepl on 2011-12-13 03:56:19 EST ---

Michael,
could you reproduce it with

# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
# service auditd restart

and then try to click on "Sync" link in permissive mode.

Then we will see full path of dirs, files.

Thank you.

--- Additional comment from mike on 2011-12-13 09:11:08 EST ---

I'm really pressed for time.

The Cobbler maintainer needs to fix this.

--- Additional comment from dwalsh on 2011-12-13 14:17:59 EST ---

Michael, you have a file named tftp that is labeled etc_t that cobbler wants to write to.

The commands Miroslav gave you will allow you to generate AVC messages with full paths.  Without that we have no idea what is going on here.

--- Additional comment from joe on 2012-02-22 14:40:04 EST ---

Created attachment 565080 [details]
cobbler sync AVC

Hi

Not sure this is the right place to post, but with Fedora 16 and Cobbler 2.2 I also get some AVC denials with cobbler sync.
One is for tftp file:
# find / -inum 266151
/etc/xinetd.d/tftp
Other is something with dhcpd service restart.

--- Additional comment from dwalsh on 2012-02-22 15:27:45 EST ---

Is cobbler rewriting the /etc/xinetd.d/tftp file?

--- Additional comment from joe on 2012-02-23 12:16:38 EST ---

Yes it is rewritten from a template when you run the sync.

--- Additional comment from dwalsh on 2012-02-23 17:21:06 EST ---

Well we will need a new type for this file and will only be able to fix this in F16 and F17.   

How does it replace the file? Does it create a temporary file and then rename it? If so, what is the name of the file.

--- Additional comment from joe on 2012-03-06 13:00:43 EST ---

I don't actually know about that for sure. At least I didn't see an AVC for another file name.

What about the error with systemctl?

--- Additional comment from dwalsh on 2012-03-06 14:54:46 EST ---

Hopefully scott will answer the question about tftp file.

What is cobbler trying to do here?  Reload the inetd service?

--- Additional comment from fedora-admin-xmlrpc on 2012-04-11 18:00:00 EDT ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

--- Additional comment from jimi on 2012-04-16 22:14:55 EDT ---

Cobbler doesn't write a temp file, it rewrites the file in-place via a template (/etc/cobbler/tftpd.template).

--- Additional comment from dwalsh on 2012-04-17 10:08:39 EDT ---

Fixed in selinux-policy-3.10.0-117.fc17

--- Additional comment from updates on 2012-04-23 02:43:56 EDT ---

selinux-policy-3.10.0-117.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-117.fc17

--- Additional comment from updates on 2012-04-23 20:56:42 EDT ---

selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17

--- Additional comment from updates on 2012-04-23 23:14:38 EDT ---

Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).

--- Additional comment from mzazrivec on 2012-04-24 09:55:18 EDT ---

What does the fix for this bug actually look like?

Does the fix also allow that httpd_cobbler_content_t stuff? If so, wouldn't
the correct fix for that be what's mentioned in

    https://bugzilla.redhat.com/show_bug.cgi?id=813206#c4

?

--- Additional comment from updates on 2012-04-25 00:58:40 EDT ---

selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 2 Jan Pazdziora 2012-04-26 13:35:05 UTC
The same issue is present on RHEL 6 now that the cobbler 2.2 was pushed to EPEL:

# rpm -q cobbler selinux-policy-targeted
cobbler-2.2.1-1.el6.noarch
selinux-policy-targeted-3.7.19-126.el6.noarch

For the rendered / httpd_cobbler_content_t, we have bug 813206 because I believe the cobbler package should just package that directory and let rpm do its job, creating and labelling the directory properly. (Even if you seem to have done some change in the policy (allow, perhaps?) for Fedora.) In any case, creating the directory /var/www/cobbler/rendered and restoreconning fixes the issue.

The tftp / etc_t issue is more important as it does not seem to have a nice workaround. The cobbler 2.0 did not try to write /etc/xinetd.d/tftp and I'm not sure to what extent cobbler is supposed to do that. But unless fixed, the AVC is there and cobbler sync command fails.

Comment 5 RHEL Program Management 2012-07-10 08:19:42 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 6 RHEL Program Management 2012-07-11 01:55:54 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 7 Miroslav Grepl 2012-10-15 14:41:27 UTC

*** This bug has been marked as a duplicate of bug 816309 ***

Comment 8 Jan Pazdziora 2012-10-15 15:05:05 UTC
(In reply to comment #7)
> 
> *** This bug has been marked as a duplicate of bug 816309 ***

Why do you think this is a dupe of bug 816309?

Comment 9 Dominick Grift 2012-10-15 15:56:45 UTC
avc:  denied  { getattr } for  pid=4257 comm="find" name="/" dev=dm-2 ino=128 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

That one is new

type=AVC msg=audit(1323448754.434:61382): avc:  denied  { write } for  pid=4175 comm="cobblerd" name="tftp" dev=dm-2 ino=436252 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

This is due to a I am wondering about
What is the location of that file? (find / -inum 436252)

if it is "/etc/xinetd\.d/tftp" then it was created with a wrong type and it is mislabeled (is etc_t, should be tftpd_etc_t)

cobbler is allowed to create /etc/xinetd\.d/tftp with the right type

It seems someone or something else created it with a wrong type and now cobbler cannot write to it

Do you know who/what created the file

type=AVC msg=audit(1323448525.585:61353): avc:  denied  { write } for  pid=3798 comm="cobblerd" name="cobbler" dev=dm-2 ino=733227 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir

This is somehow mislabeled as well

We should probably change this in cobbler.fc:

# This should be removable when cobbler package installs /var/www/cobbler/rendered
/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)

to

/var/www/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)


So that cobbler can manage content in this

httpd_t is allowed to read cobbler_var_lib_t files (probably also needs to be able to manage it)
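
As an added example (not code from the bug report, cobbler or selinux-policy), here is a POSIX shell helper that parses an AVC denial like the ones quoted above into source type, permission, class, name, target type and inode, and prints the inode-to-path and label-comparison checks this thread relies on. The sample line is constructed from the cobblerd/tftp denial; matchpathcon and restorecon are assumed to exist on the host being checked.

```shell
#!/bin/sh
# Added example (not from the bug report, cobbler or selinux-policy): pull the
# fields that matter out of an AVC denial and print the next checks to run.

# avc_field LINE KEY : value of KEY=... in LINE, quotes stripped, or empty
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perm LINE : the permission inside "{ ... }", e.g. write
avc_perm() {
    printf '%s\n' "$1" | awk -F'[{}]' '{ gsub(/^ +| +$/, "", $2); print $2 }'
}

# ctx_type CONTEXT : the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE : "SOURCE_TYPE PERM CLASS NAME TARGET_TYPE INODE"
avc_summary() {
    printf '%s %s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" ino)"
}

# avc_next_steps LINE : commands for the affected host. Resolving the inode is
# the thread's own approach; comparing ls -Z with matchpathcon -V tells a
# mislabeled file (fix: restorecon) from a genuinely missing policy rule.
avc_next_steps() {
    cat <<EOF
find / -xdev -inum $(avc_field "$1" ino)
ls -Z PATH; matchpathcon -V PATH   # PATH: the file found above
EOF
}

# Constructed sample, modelled on the cobblerd/tftp denial quoted in the thread
SAMPLE='type=AVC msg=audit(1323448754.434:61382): avc:  denied  { write } for  pid=4175 comm="cobblerd" name="tftp" dev=dm-2 ino=436252 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'
avc_summary "$SAMPLE"
avc_next_steps "$SAMPLE"
```

If matchpathcon reports a different type than ls -Z shows (here etc_t where tftpd_etc_t is expected), the file is mislabeled and restorecon repairs it; if they agree, the denial needs a policy change rather than a relabel.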

Comment 10 Dominick Grift 2012-10-15 16:14:18 UTC
I guess we need a named file transition rule like so because I think the rsync program runs in the user domain:

allow { unconfined_t sysadm_t } tftpd_etc_t:file manage_file_perms;
files_etc_filetrans({ unconfined_t sysadm_t }, tftpd_etc_t, file, "tftpd")

Comment 11 Dominick Grift 2012-10-15 16:15:22 UTC
that is, instead:

files_etc_filetrans({ unconfined_t sysadm_t }, tftpd_etc_t, file, "tftp")

of course

Comment 12 Jan Pazdziora 2012-10-15 16:42:46 UTC
Just a wild guess: isn't this an instance of an issue caused by hardlinks? Hardlinks kill SELinux as based on different path you look at the same inode, it gets different label. The solution would be to patch cobbler to always copy, rather than hardlink (unless it already has an option to set that up).

Comment 13 Dominick Grift 2012-10-15 17:22:26 UTC
or maybe it is the init script running cobbler sync in the initrc domain and creating /etc/xinetd.d/tftp (probably this)

Comment 14 Daniel Walsh 2012-10-16 12:13:21 UTC
 sesearch -T -t etc_t -c file | grep tftp
type_transition cobblerd_t etc_t : file tftpd_etc_t "tftp"; 
type_transition firstboot_t etc_t : file tftpd_etc_t "tftp"; 
type_transition openshift_initrc_t etc_t : file tftpd_etc_t "tftp"; 
type_transition rpm_script_t etc_t : file tftpd_etc_t "tftp"; 
type_transition unconfined_t etc_t : file tftpd_etc_t "tftp"; 
type_transition livecd_t etc_t : file tftpd_etc_t "tftp"; 
type_transition kernel_t etc_t : file tftpd_etc_t "tftp"; 
type_transition rpm_t etc_t : file tftpd_etc_t "tftp"; 
type_transition anaconda_t etc_t : file tftpd_etc_t "tftp"; 
type_transition sysadm_t etc_t : file tftpd_etc_t "tftp"; 

Fedora 18 has this, the problem is RHEL6 has no way of doing this.

Comment 15 Miroslav Grepl 2012-10-16 12:21:23 UTC
Yes, we are able to fix a lot of cobbler 2.2 issues but this will remain.

Comment 16 Dominick Grift 2012-10-16 12:28:31 UTC
I guess create a domain for cobbler sync and allow initrc_t, sysadm_t and unconfined_t to run cobbler sync with a domain transition

then specify that cobbler_sync_t creates files in /etc directories with the tftp_etc_t file type.

Hopefully that will be the only file it creates in /etc.*

Else this won't work either

Comment 17 Jan Pazdziora 2012-10-16 13:15:40 UTC
Couldn't /etc/xinetd.d/tftp be a symlink to a directory where cobbler would be free to do any manipulations, and cobbler patched to regenerate file in that directory, rather than fiddling with the /etc/xinetd.d/tftp directly?