Bug 837707
| Summary: | Cobbler 2.2.3 doesn't work with SElinux in enforcing mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jonathan Underwood <jonathan.underwood> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-10-15 14:35:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jonathan Underwood
2012-07-04 22:42:33 UTC
```
# rpm -qa cobbler\*
cobbler-web-2.2.3-2.el6.noarch
cobbler-2.2.3-2.el6.noarch
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.7.19-155.el6_3.noarch
selinux-policy-doc-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
# service cobblerd restart
Stopping cobbler daemon: [FAILED]
Starting cobbler daemon: Traceback (most recent call last):
  File "/usr/bin/cobblerd", line 76, in main
    api = cobbler_api.BootAPI(is_cobblerd=True)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 127, in __init__
    module_loader.load_modules()
  File "/usr/lib/python2.6/site-packages/cobbler/module_loader.py", line 62, in load_modules
    blip = __import__("modules.%s" % ( modname), globals(), locals(), [modname])
  File "/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py", line 53, in <module>
    from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast, pointer, sizeof
  File "/usr/lib/python2.6/ctypes/__init__.py", line 546, in <module>
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
# ausearch -m avc -m user_avc -m selinux_err -ts recent -i
----
type=SYSCALL msg=audit(07/08/2012 09:07:06.343:85) : arch=i386 syscall=mmap2 success=no exit=-13(Permission denied) a0=0 a1=1000 a2=5 a3=1 items=0 ppid=10200 pid=10201 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(07/08/2012 09:07:06.343:85) : avc: denied { execute } for pid=10201 comm=cobblerd path=/tmp/fficICQMP (deleted) dev=sda3 ino=144515 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/08/2012 09:07:06.347:86) : arch=i386 syscall=mmap2 success=no exit=-13(Permission denied) a0=0 a1=1000 a2=5 a3=1 items=0 ppid=10200 pid=10201 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(07/08/2012 09:07:06.347:86) : avc: denied { execute } for pid=10201 comm=cobblerd path=/var/tmp/ffioa2tU5 (deleted) dev=sda3 ino=303 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/08/2012 09:07:06.348:87) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfe205a0 a1=c2 a2=180 a3=4ff34 items=0 ppid=10200 pid=10201 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(07/08/2012 09:07:06.348:87) : avc: denied { search } for pid=10201 comm=cobblerd name=/ dev=tmpfs ino=5539 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
----
#
```

The problem is we have this new cobbler package in EPEL and we are working on a policy solution in Fedora.

*** This bug has been marked as a duplicate of bug 837708 ***
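
For triaging denials like the ones quoted in the description, here is an added example (not part of the bug report and not Red Hat tooling) that parses `ausearch -i` AVC records and groups them by source type, target type and object class. The three sample lines are the AVC records from the report; the names `parse_avc` and `summarize` are made up for this example.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output in the report (SYSCALL lines dropped).
SAMPLE = """\
type=AVC msg=audit(07/08/2012 09:07:06.343:85) : avc: denied { execute } for pid=10201 comm=cobblerd path=/tmp/fficICQMP (deleted) dev=sda3 ino=144515 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file
type=AVC msg=audit(07/08/2012 09:07:06.347:86) : avc: denied { execute } for pid=10201 comm=cobblerd path=/var/tmp/ffioa2tU5 (deleted) dev=sda3 ino=303 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file
type=AVC msg=audit(07/08/2012 09:07:06.348:87) : avc: denied { search } for pid=10201 comm=cobblerd name=/ dev=tmpfs ino=5539 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Raw (non -i) audit output quotes string values, so strip the quotes.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record
    return {
        "perms": m.group("perms").split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        group = groups[(rec["source"], rec["target"], rec["tclass"])]
        group["perms"].update(rec["perms"])
        group["objects"].add(rec["object"])
    return dict(groups)


if __name__ == "__main__":
    for key, group in sorted(summarize(SAMPLE).items()):
        print(key, sorted(group["perms"]), sorted(group["objects"]))
```
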