Bug 837708
| Field | Value |
|---|---|
| Summary | SElinux breaks cobbler pam support |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Jonathan Underwood <jonathan.underwood> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED DUPLICATE |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.2 |
| CC | dwalsh, jpazdziora, mmalik, parsonsa |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2012-10-15 14:36:11 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Jonathan Underwood
2012-07-04 22:48:30 UTC
Also discussed in this thread (and present in RHEL 6.3): http://www.mail-archive.com/cobbler@lists.fedorahosted.org/msg07652.html

OK, some more info - I issued a semodule -DB and then tried to start the cobblerd service, and the following appears in audit.log:

```
[root@cobain ~]# tail -n 0 -f /var/log/audit/audit.log
type=AVC msg=audit(1341442893.581:49939): avc: denied { search } for pid=14967 comm="cobblerd" name="root" dev=sda3 ino=4980737 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1341442893.581:49939): arch=c000003e syscall=4 success=no exit=-13 a0=b4a0a0 a1=7fff138ce520 a2=7fff138ce520 a3=7fff138ce2a0 items=0 ppid=14966 pid=14967 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.941:49940): avc: denied { execute } for pid=14970 comm="sh" name="ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.941:49940): arch=c000003e syscall=59 success=no exit=-13 a0=1ddedf0 a1=1dddc40 a2=1ddf1e0 a3=18 items=0 ppid=14969 pid=14970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.941:49941): avc: denied { getattr } for pid=14970 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.941:49941): arch=c000003e syscall=4 success=no exit=-13 a0=1ddedf0 a1=7ffffb4d95f0 a2=7ffffb4d95f0 a3=18 items=0 ppid=14969 pid=14970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.941:49942): avc: denied { getattr } for pid=14970 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.941:49942): arch=c000003e syscall=4 success=no exit=-13 a0=1ddedf0 a1=7ffffb4d95d0 a2=7ffffb4d95d0 a3=18 items=0 ppid=14969 pid=14970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.952:49943): avc: denied { execute } for pid=14973 comm="sh" name="ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.952:49943): arch=c000003e syscall=59 success=no exit=-13 a0=22fddf0 a1=22fcc40 a2=22fe1e0 a3=18 items=0 ppid=14972 pid=14973 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.952:49944): avc: denied { getattr } for pid=14973 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.952:49944): arch=c000003e syscall=4 success=no exit=-13 a0=22fddf0 a1=7fffc40d8340 a2=7fffc40d8340 a3=18 items=0 ppid=14972 pid=14973 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.952:49945): avc: denied { getattr } for pid=14973 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.952:49945): arch=c000003e syscall=4 success=no exit=-13 a0=22fddf0 a1=7fffc40d8320 a2=7fffc40d8320 a3=18 items=0 ppid=14972 pid=14973 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
```

Processing the denials through audit2allow, it seems (in addition to the policy module in BZ 837707) cobbler also requires this policy:

```
module cobblernew 1.0;

require {
	type admin_home_t;
	type ldconfig_exec_t;
	type cobblerd_t;
	class file { execute getattr };
	class dir search;
}

#============= cobblerd_t ==============
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
```

This seems to be caused by the cobbler libpam wrapper which uses ctypes.

... however, this still is not sufficient to allow cobblerd to start successfully.
OK, after many iterations of audit2allow, I finally arrived at this policy module which allows cobblerd to successfully start:

```
module cobblerlocal 1.0;

require {
	type cobbler_tmp_t;
	type tmpfs_t;
	type cobblerd_t;
	type admin_home_t;
	type ldconfig_exec_t;
	type cobblerd_t;
	class dir search;
	class file execute;
	class file { execute getattr };
	class file { read open };
	class file execute_no_trans;
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;
```

[This includes the stuff from BZ 837707]

However, at this point cobbler isn't actually functioning properly with SELinux in enforcing mode! More investigation needed.

More iterations later and I have a policy module with which cobbler appears to be functioning properly (so far):

```
module cobblerlocal 1.0;

require {
	type cobbler_tmp_t;
	type tmpfs_t;
	type cobblerd_t;
	type admin_home_t;
	type ldconfig_exec_t;
	type cobblerd_t;
	type httpd_sys_content_t;
	class dir search;
	class file execute;
	class file getattr;
	class file { execute getattr };
	class file { read open };
	class file execute_no_trans;
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;
allow cobblerd_t httpd_sys_content_t:file getattr;
```

Further iterations...
```
module cobblerlocal 1.0;

require {
	type cobbler_tmp_t;
	type tmpfs_t;
	type cobblerd_t;
	type admin_home_t;
	type ldconfig_exec_t;
	type cobblerd_t;
	type httpd_sys_content_t;
	type etc_t;
	type dhcpd_t;
	type consoletype_exec_t;
	type initrc_t;
	class dir search;
	class file execute;
	class file getattr;
	class file { execute getattr };
	class file { read open };
	class file { read write link };
	class file { execute unlink getattr };
	class file execute_no_trans;
	class process { siginh noatsecure rlimitinh };
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;
allow cobblerd_t httpd_sys_content_t:file getattr;
allow cobblerd_t etc_t:file write;
allow cobblerd_t httpd_sys_content_t:file { read link };
allow cobblerd_t consoletype_exec_t:file { execute getattr read open };
allow cobblerd_t dhcpd_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t httpd_sys_content_t:file unlink;
allow cobblerd_t initrc_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t consoletype_exec_t:file execute_no_trans;
```

Yet more needed:

```
module cobblerlocal 1.0;

require {
	type cobbler_tmp_t;
	type tmpfs_t;
	type cobblerd_t;
	type admin_home_t;
	type ldconfig_exec_t;
	type cobblerd_t;
	type httpd_sys_content_t;
	type etc_t;
	type dhcpd_t;
	type tftpd_t;
	type consoletype_exec_t;
	type initrc_t;
	type semanage_t;
	type setfiles_t;
	type sysstat_t;
	class dir search;
	class file execute;
	class file getattr;
	class file { execute getattr };
	class file { read open };
	class file { read write link };
	class file { execute unlink getattr };
	class file execute_no_trans;
	class process { siginh noatsecure rlimitinh };
	class dir { getattr search };
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;
allow cobblerd_t httpd_sys_content_t:file getattr;
allow cobblerd_t etc_t:file write;
allow cobblerd_t httpd_sys_content_t:file { read link };
allow cobblerd_t consoletype_exec_t:file { execute getattr read open };
allow cobblerd_t dhcpd_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t httpd_sys_content_t:file unlink;
allow cobblerd_t initrc_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t consoletype_exec_t:file execute_no_trans;
allow tftpd_t httpd_sys_content_t:file read;
allow tftpd_t httpd_sys_content_t:file { getattr open };
allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };
allow sysstat_t admin_home_t:dir { getattr search };
```

It's possible that the following are also required, but I'm not 100% sure that this is related to cobbler since in my configuration I've turned email notification off in the cobbler settings file. Nonetheless, AVCs are appearing in audit.log related to postfix (though could be caused by some other process).
```
require {
	type postfix_postdrop_t;
	type postfix_pickup_t;
	type system_mail_t;
	type postfix_master_t;
	type postfix_bounce_t;
	class process { siginh noatsecure rlimitinh };
}

#============= postfix_master_t ==============
allow postfix_master_t postfix_bounce_t:process { siginh rlimitinh noatsecure };
allow postfix_master_t postfix_pickup_t:process { siginh rlimitinh noatsecure };

#============= system_mail_t ==============
allow system_mail_t postfix_postdrop_t:process { siginh rlimitinh noatsecure };
```

The best way to fix it for now is using

```
# cat mycobbler.te
policy_module(mycobbler,1.0)

require {
	type cobblerd_t;
}

optional_policy(`
	unconfined_domain(cobblerd_t)
')
```

and execute

```
# make -f /usr/share/selinux/devel/Makefile mycobbler.pp
# semodule -i mycobbler.pp
```

*** Bug 837707 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of bug 816309 ***

Miroslav, this is not a dupe of 816309 -- that one is actually dupe of bug 816835 and was about /var/www/cobbler/images missing in the rpm. This one is something completely different that needs to be investigated (or policy pieces as presented above used directly).
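The audit2allow step the reporter iterates through above, as an added example that is not part of this bug report or of the cobbler or selinux-policy packages: it parses AVC records of the kind quoted in the description (the sample is constructed from those lines), merges repeated denials, and emits the allow rules and require block of the cobblernew module; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records quoted in the bug report, re-joined from the wrapped excerpt.
SAMPLE_AVC = """\
type=AVC msg=audit(1341442893.581:49939): avc: denied { search } for pid=14967 comm="cobblerd" name="root" dev=sda3 ino=4980737 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1341442893.941:49940): avc: denied { execute } for pid=14970 comm="sh" name="ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1341442893.941:49941): avc: denied { getattr } for pid=14970 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """(source_type, target_type, tclass, perms) from an AVC denial, else None; contexts are user:role:type:level."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, ttype = (m.group(g).split(":")[2] for g in ("scontext", "tcontext"))
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def fmt_perms(perms):
    """Render a permission set as audit2allow does: bare if single, braced if several."""
    p = " ".join(sorted(perms))
    return "{ %s }" % p if len(perms) > 1 else p

def merge_denials(log_text):
    """Collapse repeated denials into one permission set per (source, target, class)."""
    merged = defaultdict(set)
    for parsed in filter(None, map(parse_avc, log_text.splitlines())):
        merged[parsed[:3]] |= parsed[3]
    return merged

def allow_rules(log_text):
    """One allow rule per (source, target, class), in the form audit2allow prints."""
    return ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p))
            for (s, t, c), p in sorted(merge_denials(log_text).items())]

def te_module(name, log_text):
    """Loadable-module source (.te) with the require block that audit2allow -M generates."""
    merged = merge_denials(log_text)
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass] |= perms
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted({t for key in merged for t in key[:2]})]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(log_text)
    return "\n".join(out)
```

Running te_module("cobblernew", SAMPLE_AVC) reproduces the two allow rules of the cobblernew module above; feeding it the full audit.log excerpt shows why the later cobblerlocal iterations keep growing.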