Bug 816596
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | cobbler 2.2 requires new access permissions | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Jan Pazdziora <jpazdziora> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED DUPLICATE | QA Contact | Milos Malik <mmalik> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 6.2 | CC | awood, dgoodwin, dominick.grift, dwalsh, joe, jpazdziora, mgrepl, mmalik, mzazrivec, shenson, vanmeeuwen+fedora |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | 765916 | Environment | |
| Last Closed | 2012-10-15 14:41:27 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 765916 | | |
| Bug Blocks | | | |
Description
Jan Pazdziora
2012-04-26 13:26:35 UTC
The same issue is present on RHEL 6 now that the cobbler 2.2 was pushed to EPEL:

```
# rpm -q cobbler selinux-policy-targeted
cobbler-2.2.1-1.el6.noarch
selinux-policy-targeted-3.7.19-126.el6.noarch
```

For the rendered / httpd_cobbler_content_t, we have bug 813206 because I believe the cobbler package should just package that directory and let rpm do its job, creating and labelling the directory properly. (Even if you seem to have done some change in the policy (allow, perhaps?) for Fedora.) In any case, creating the directory /var/www/cobbler/rendered and restoreconning fixes the issue.

The tftp / etc_t issue is more important as it does not seem to have a nice workaround. The cobbler 2.0 did not try to write /etc/xinetd.d/tftp and I'm not sure to what extent cobbler is supposed to do that. But unless fixed, the AVC is there and the cobbler sync command fails.

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

*** This bug has been marked as a duplicate of bug 816309 ***

(In reply to comment #7)
> *** This bug has been marked as a duplicate of bug 816309 ***

Why do you think this is a dupe of bug 816309?

```
avc: denied { getattr } for pid=4257 comm="find" name="/" dev=dm-2 ino=128 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
```

That one is new.

```
type=AVC msg=audit(1323448754.434:61382): avc: denied { write } for pid=4175 comm="cobblerd" name="tftp" dev=dm-2 ino=436252 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
```

This is due to a

I am wondering about: what is the location of that file? (find / -inum 436252)

If it is "/etc/xinetd\.d/tftp" then it was created with a wrong type and it is mislabeled (is etc_t, should be tftpd_etc_t). cobbler is allowed to create /etc/xinetd\.d/tftp with the right type. It seems someone or something else created it with a wrong type and now cobbler cannot write to it. Do you know who/what created the file?

```
type=AVC msg=audit(1323448525.585:61353): avc: denied { write } for pid=3798 comm="cobblerd" name="cobbler" dev=dm-2 ino=733227 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
```

This is somehow mislabeled as well.

We should probably change this in cobbler.fc:

```
# This should be removable when the cobbler package installs /var/www/cobbler/rendered
/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
```

to

```
/var/www/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
```

so that cobbler can manage content in this. httpd_t is allowed to read cobbler_var_lib_t files (probably also needs to be able to manage it).

I guess we need a named file transition rule like so, because I think the rsync program runs in the user domain:

```
allow { unconfined_t sysadm_t } tftpd_etc_t:file manage_file_perms;
files_etc_filetrans({ unconfined_t sysadm_t }, tftpd_etc_t, file, "tftpd")
```

That is instead:

```
files_etc_filetrans({ unconfined_t sysadm_t }, tftpd_etc_t, file, "tftp")
```

of course.

Just a wild guess: isn't this an instance of an issue caused by hardlinks? Hardlinks kill SELinux, as based on a different path you look at the same inode, it gets a different label. The solution would be to patch cobbler to always copy, rather than hardlink (unless it already has an option to set that up).

Or maybe it is the init script running cobbler sync in the initrc domain and creating /etc/xinetd.d/tftp (probably this).

```
sesearch -T -t etc_t -c file | grep tftp
type_transition cobblerd_t etc_t : file tftpd_etc_t "tftp";
type_transition firstboot_t etc_t : file tftpd_etc_t "tftp";
type_transition openshift_initrc_t etc_t : file tftpd_etc_t "tftp";
type_transition rpm_script_t etc_t : file tftpd_etc_t "tftp";
type_transition unconfined_t etc_t : file tftpd_etc_t "tftp";
type_transition livecd_t etc_t : file tftpd_etc_t "tftp";
type_transition kernel_t etc_t : file tftpd_etc_t "tftp";
type_transition rpm_t etc_t : file tftpd_etc_t "tftp";
type_transition anaconda_t etc_t : file tftpd_etc_t "tftp";
type_transition sysadm_t etc_t : file tftpd_etc_t "tftp";
```

Fedora 18 has this; the problem is RHEL6 has no way of doing this.

Yes, we are able to fix a lot of cobbler 2.2 issues but this will remain.

I guess create a domain for cobbler sync and allow initrc_t, sysadm_t and unconfined_t to run cobbler sync with a domain transition, then specify that cobbler_sync_t creates files in /etc directories with the tftp_etc_t file type. Hopefully that will be the only file it creates in /etc.* Else this won't work either.

Couldn't /etc/xinetd.d/tftp be a symlink to a directory where cobbler would be free to do any manipulations, and cobbler patched to regenerate the file in that directory, rather than fiddling with the /etc/xinetd.d/tftp directly?
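As an added example, not code from this bug report, cobbler or selinux-policy: a small Python triage script that parses the AVC denials quoted in the thread and separates the mislabeled-file case (etc_t where tftpd_etc_t is expected, fixed by restorecon) from denials that point at a genuinely missing policy rule. The expected-type table is an assumption taken from the comments; on a real host matchpathcon and restorecon -n are the authority.

```python
import re

# Expected labels for the objects this bug discusses (assumption taken from the
# comments; on a real host consult matchpathcon / restorecon -n instead).
EXPECTED_TYPES = {
    ("tftp", "file"): "tftpd_etc_t",   # /etc/xinetd.d/tftp must be tftpd_etc_t
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict; non-AVC audit lines return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = dict(fields)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy rules match on the type field.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec


def diagnose(rec):
    """Classify a denial as a mislabeled object or as a missing policy rule."""
    expected = EXPECTED_TYPES.get((rec.get("name"), rec.get("tclass")))
    if expected and rec["ttype"] != expected:
        return ("mislabel", f"{rec['name']} is {rec['ttype']}, expected {expected}: "
                            f"fix with restorecon, not with an allow rule for {rec['stype']}")
    return ("policy", f"{rec['stype']} lacks {{ {' '.join(rec['perms'])} }} on "
                      f"{rec['tclass']} {rec.get('name')} ({rec['ttype']})")


def triage(lines):
    """Run parse + diagnose over raw audit lines, skipping non-AVC records."""
    return [diagnose(rec) for rec in map(parse_avc, lines) if rec]


# The three denials quoted in the bug (verbatim) plus one constructed non-AVC line.
SAMPLE_LOG = [
    'type=CWD msg=audit(1323448754.434:61382):  cwd="/"',  # constructed: skipped
    'avc: denied { getattr } for pid=4257 comm="find" name="/" dev=dm-2 ino=128 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1323448754.434:61382): avc: denied { write } for pid=4175 comm="cobblerd" name="tftp" dev=dm-2 ino=436252 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1323448525.585:61353): avc: denied { write } for pid=3798 comm="cobblerd" name="cobbler" dev=dm-2 ino=733227 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir',
]

if __name__ == "__main__":
    for kind, msg in triage(SAMPLE_LOG):
        print(f"[{kind}] {msg}")
```

The "mislabel" verdict is the one the thread reaches for /etc/xinetd.d/tftp: the fix is relabeling (and a file transition for whichever domain created it), not a new allow rule for cobblerd_t.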