Bug 837708

Summary: SELinux breaks cobbler PAM support
Product: Red Hat Enterprise Linux 6
Reporter: Jonathan Underwood <jonathan.underwood>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: dwalsh, jpazdziora, mmalik, parsonsa
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-10-15 14:36:11 UTC
Type: Bug

Description Jonathan Underwood 2012-07-04 22:48:30 UTC
Description of problem:
SELinux in enforcing mode prevents cobblerd from starting (once the selinux policy module in BZ 837707 has been loaded):

# service cobblerd start
Starting cobbler daemon: Traceback (most recent call last):
  File "/usr/bin/cobblerd", line 76, in main
    api = cobbler_api.BootAPI(is_cobblerd=True)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 127, in __init__
    module_loader.load_modules()
  File "/usr/lib/python2.6/site-packages/cobbler/module_loader.py", line 62, in load_modules
    blip =  __import__("modules.%s" % ( modname), globals(), locals(), [modname])
  File "/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py", line 121, in <module>
    PAM_START = LIBPAM.pam_start
  File "/usr/lib64/python2.6/ctypes/__init__.py", line 366, in __getattr__
    func = self.__getitem__(name)
  File "/usr/lib64/python2.6/ctypes/__init__.py", line 371, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /usr/bin/python: undefined symbol: pam_start


Strangely, nothing appears in audit.log. However, after doing a setenforce 0, cobblerd will successfully start, so SELinux is implicated somehow.


Version-Release number of selected component (if applicable):
cobbler-2.2.3-2.el6.noarch
selinux-policy-3.7.19-126.el6_2.10.noarch
selinux-policy-targeted-3.7.19-126.el6_2.10.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Add the selinux module from bz 837707
2. Try to start the cobblerd service with SELinux in enforcing mode
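The traceback's "/usr/bin/python: undefined symbol: pam_start" is the error a ctypes handle gives when it refers to the running interpreter rather than libpam; that is exactly what ctypes.CDLL(None) opens, and CDLL receives None whenever ctypes.util.find_library() fails (it resolves sonames by running helpers such as ldconfig, the exec that the denials in comment 3 show being blocked, which is why nothing reached audit.log until the dontaudit rules were disabled). As an added illustration, not cobbler's own code, a loader that refuses that silent fallback so the failure is reported at load time:

```python
import ctypes
from ctypes.util import find_library


def load_library(name):
    """Load a shared library by short name, refusing the CDLL(None) fallback.

    find_library() returns None when it cannot resolve the soname (for example
    because the ldconfig helper it runs is blocked by SELinux).  Passing that
    None on to CDLL() opens the main program instead, and every later symbol
    lookup then fails against the interpreter binary with a misleading
    "undefined symbol" error.  Failing here names the real problem.
    """
    soname = find_library(name)
    if soname is None:
        raise OSError("could not resolve shared library '%s'; check that the "
                      "helper tools find_library() relies on are allowed to run" % name)
    return ctypes.CDLL(soname)


def resolve_symbol(lib, symbol):
    """Return the function pointer, or None when the handle lacks the symbol."""
    try:
        return getattr(lib, symbol)
    except AttributeError:
        return None


def main_program_has(symbol):
    """Show the fallback: CDLL(None) is the interpreter's global scope, not libpam."""
    return resolve_symbol(ctypes.CDLL(None), symbol) is not None
```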

Comment 2 Jonathan Underwood 2012-07-04 22:54:54 UTC
Also discussed in this thread (and present in RHEL 6.3):

http://www.mail-archive.com/cobbler@lists.fedorahosted.org/msg07652.html

Comment 3 Jonathan Underwood 2012-07-04 23:06:26 UTC
OK, some more info - I issued a semodule -DB and then tried to start the cobblerd service, and the following appears in audit.log:


[root@cobain ~]# tail -n 0 -f /var/log/audit/audit.log
type=AVC msg=audit(1341442893.581:49939): avc:  denied  { search } for  pid=14967 comm="cobblerd" name="root" dev=sda3 ino=4980737 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1341442893.581:49939): arch=c000003e syscall=4 success=no exit=-13 a0=b4a0a0 a1=7fff138ce520 a2=7fff138ce520 a3=7fff138ce2a0 items=0 ppid=14966 pid=14967 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.941:49940): avc:  denied  { execute } for  pid=14970 comm="sh" name="ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.941:49940): arch=c000003e syscall=59 success=no exit=-13 a0=1ddedf0 a1=1dddc40 a2=1ddf1e0 a3=18 items=0 ppid=14969 pid=14970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.941:49941): avc:  denied  { getattr } for  pid=14970 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.941:49941): arch=c000003e syscall=4 success=no exit=-13 a0=1ddedf0 a1=7ffffb4d95f0 a2=7ffffb4d95f0 a3=18 items=0 ppid=14969 pid=14970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.941:49942): avc:  denied  { getattr } for  pid=14970 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.941:49942): arch=c000003e syscall=4 success=no exit=-13 a0=1ddedf0 a1=7ffffb4d95d0 a2=7ffffb4d95d0 a3=18 items=0 ppid=14969 pid=14970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.952:49943): avc:  denied  { execute } for  pid=14973 comm="sh" name="ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.952:49943): arch=c000003e syscall=59 success=no exit=-13 a0=22fddf0 a1=22fcc40 a2=22fe1e0 a3=18 items=0 ppid=14972 pid=14973 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.952:49944): avc:  denied  { getattr } for  pid=14973 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.952:49944): arch=c000003e syscall=4 success=no exit=-13 a0=22fddf0 a1=7fffc40d8340 a2=7fffc40d8340 a3=18 items=0 ppid=14972 pid=14973 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1341442893.952:49945): avc:  denied  { getattr } for  pid=14973 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341442893.952:49945): arch=c000003e syscall=4 success=no exit=-13 a0=22fddf0 a1=7fffc40d8320 a2=7fffc40d8320 a3=18 items=0 ppid=14972 pid=14973 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1356 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

Comment 4 Jonathan Underwood 2012-07-04 23:22:31 UTC
Processing the denials through audit2allow, it seems (in addition to the policy module in BZ 837707), cobbler also requires this policy:

module cobblernew 1.0;

require {
        type admin_home_t;
        type ldconfig_exec_t;
        type cobblerd_t;
        class file { execute getattr };
        class dir search;
}

#============= cobblerd_t ==============
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };



This seems to be caused by the cobbler libpam wrapper which uses ctypes.
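The step described in this comment, turning the AVC records into a module of allow rules, is what audit2allow does; the following added example (not cobbler's or audit2allow's own code) reimplements the core of it on AVC lines taken from comment 3, and adds the review step a practitioner wants before `semodule -i`: it flags rules that grant execute, write or similar permissions so they are justified rather than pasted in blindly. Sample records are embedded inline; `cobblerlocal` is just the module name used in the later comments.

```python
import re
from collections import OrderedDict

# Constructed sample: three AVC records (plus one SYSCALL record, which carries
# no access-vector data) taken from the audit.log excerpt in comment 3.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1341442893.581:49939): avc:  denied  { search } for  pid=14967 comm="cobblerd" name="root" dev=sda3 ino=4980737 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1341442893.581:49939): arch=c000003e syscall=4 success=no exit=-13 comm="cobblerd" exe="/usr/bin/python"
type=AVC msg=audit(1341442893.941:49940): avc:  denied  { execute } for  pid=14970 comm="sh" name="ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1341442893.941:49941): avc:  denied  { getattr } for  pid=14970 comm="sh" path="/sbin/ldconfig" dev=sda3 ino=42205249 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')


def parse_denials(text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types are skipped
        # the type is the third field of a user:role:type:level context
        stype = m.group('scon').split(':')[2]
        ttype = m.group('tcon').split(':')[2]
        key = (stype, ttype, m.group('tclass'))
        denials.setdefault(key, set()).update(m.group('perms').split())
    return denials


def to_policy(denials, module='cobblerlocal', version='1.0'):
    """Render the denials as a checkmodule-compatible .te module, audit2allow style."""
    types, classes = OrderedDict(), OrderedDict()
    for (stype, ttype, tclass), perms in denials.items():
        types[stype] = types[ttype] = None
        classes.setdefault(tclass, set()).update(perms)
    out = ['module %s %s;' % (module, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in classes.items()]
    out += ['}', '']
    for (stype, ttype, tclass), perms in denials.items():
        out.append('allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'


# Permissions that widen what a confined domain can do; each one should be
# justified before the module is loaded rather than accepted because it was denied.
RISKY = frozenset(['execute', 'execute_no_trans', 'write', 'unlink', 'transition'])


def review(denials):
    """Return (source, target, class, risky perms) for rules that need a second look."""
    return [(s, t, c, sorted(p & RISKY)) for (s, t, c), p in denials.items() if p & RISKY]
```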

Comment 5 Jonathan Underwood 2012-07-04 23:44:10 UTC
... however, this still is not sufficient to allow cobblerd to start successfully.

Comment 6 Jonathan Underwood 2012-07-04 23:59:55 UTC
OK, after many iterations of audit2allow, I finally arrived at this policy module which allows cobblerd to successfully start:

module cobblerlocal 1.0;

require {
        type cobbler_tmp_t;
        type tmpfs_t;
        type cobblerd_t;
        type admin_home_t;
        type ldconfig_exec_t;
        type cobblerd_t;
        class dir search;
        class file execute;
        class file { execute getattr };
        class file { read open };
        class file execute_no_trans;
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;



[This includes the stuff from BZ 837707]

Comment 7 Jonathan Underwood 2012-07-05 00:06:30 UTC
However, at this point cobbler isn't actually functioning properly with SELinux in enforcing mode! More investigation needed.

Comment 8 Jonathan Underwood 2012-07-05 09:54:32 UTC
More iterations later and I have a policy module with which cobbler appears to be functioning properly (so far):

module cobblerlocal 1.0;

require {
        type cobbler_tmp_t;
        type tmpfs_t;
        type cobblerd_t;
        type admin_home_t;
        type ldconfig_exec_t;
        type cobblerd_t;
        type httpd_sys_content_t;
        class dir search;
        class file execute;
        class file getattr;
        class file { execute getattr };
        class file { read open };
        class file execute_no_trans;
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;
allow cobblerd_t httpd_sys_content_t:file getattr;

Comment 9 Jonathan Underwood 2012-07-05 10:19:41 UTC
Further iterations...


module cobblerlocal 1.0;

require {
        type cobbler_tmp_t;
        type tmpfs_t;
        type cobblerd_t;
        type admin_home_t;
        type ldconfig_exec_t;
        type cobblerd_t;
        type httpd_sys_content_t;
        type etc_t;
        type dhcpd_t;
        type consoletype_exec_t;
        type initrc_t;
        class dir search;
        class file execute;
        class file getattr;
        class file { execute getattr };
        class file { read open };
        class file { read write link };
        class file { execute unlink getattr };
        class file execute_no_trans;
        class process { siginh noatsecure rlimitinh };
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;
allow cobblerd_t httpd_sys_content_t:file getattr;
allow cobblerd_t etc_t:file write;
allow cobblerd_t httpd_sys_content_t:file { read link };
allow cobblerd_t consoletype_exec_t:file { execute getattr read open };
allow cobblerd_t dhcpd_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t httpd_sys_content_t:file unlink;
allow cobblerd_t initrc_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t consoletype_exec_t:file execute_no_trans;

Comment 10 Jonathan Underwood 2012-07-05 13:04:34 UTC
Yet more needed:


module cobblerlocal 1.0;

require {
        type cobbler_tmp_t;
        type tmpfs_t;
        type cobblerd_t;
        type admin_home_t;
        type ldconfig_exec_t;
        type cobblerd_t;
        type httpd_sys_content_t;
        type etc_t;
        type dhcpd_t;
        type tftpd_t;
        type consoletype_exec_t;
        type initrc_t;
        type semanage_t;
        type setfiles_t;
        type sysstat_t;
        class dir search;
        class file execute;
        class file getattr;
        class file { execute getattr };
        class file { read open };
        class file { read write link };
        class file { execute unlink getattr };
        class file execute_no_trans;
        class process { siginh noatsecure rlimitinh };
        class dir { getattr search };
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;
allow cobblerd_t admin_home_t:dir search;
allow cobblerd_t ldconfig_exec_t:file { execute getattr };
allow cobblerd_t ldconfig_exec_t:file { read open };
allow cobblerd_t ldconfig_exec_t:file execute_no_trans;
allow cobblerd_t httpd_sys_content_t:file getattr;
allow cobblerd_t etc_t:file write;
allow cobblerd_t httpd_sys_content_t:file { read link };
allow cobblerd_t consoletype_exec_t:file { execute getattr read open };
allow cobblerd_t dhcpd_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t httpd_sys_content_t:file unlink;
allow cobblerd_t initrc_t:process { siginh rlimitinh noatsecure };
allow cobblerd_t consoletype_exec_t:file execute_no_trans;
allow tftpd_t httpd_sys_content_t:file read;
allow tftpd_t httpd_sys_content_t:file { getattr open };
allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };
allow sysstat_t admin_home_t:dir { getattr search };

Comment 11 Jonathan Underwood 2012-07-05 13:23:22 UTC
It's possible that the following are also required, but I'm not 100% sure that this is related to cobbler, since in my configuration I've turned email notification off in the cobbler settings file. Nonetheless, AVCs related to postfix are appearing in audit.log (though they could be caused by some other process).

require {
        type postfix_postdrop_t;
        type postfix_pickup_t;
        type system_mail_t;
        type postfix_master_t;
        type postfix_bounce_t;
        class process { siginh noatsecure rlimitinh };
}

#============= postfix_master_t ==============
allow postfix_master_t postfix_bounce_t:process { siginh rlimitinh noatsecure };
allow postfix_master_t postfix_pickup_t:process { siginh rlimitinh noatsecure };

#============= system_mail_t ==============
allow system_mail_t postfix_postdrop_t:process { siginh rlimitinh noatsecure };

Comment 12 Miroslav Grepl 2012-07-09 08:30:00 UTC
The best way to fix it for now is to use

# cat mycobbler
policy_module(mycobbler,1.0)

require {
 type cobblerd_t;
}

optional_policy(`
 unconfined_domain(cobblerd_t)
')


and execute

# make -f /usr/share/selinux/devel/Makefile mycobbler.pp
# semodule -i mycobbler.pp

Comment 13 Miroslav Grepl 2012-10-15 14:35:02 UTC
*** Bug 837707 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2012-10-15 14:36:11 UTC

*** This bug has been marked as a duplicate of bug 816309 ***

Comment 15 Jan Pazdziora 2012-10-15 15:03:49 UTC
Miroslav, this is not a dupe of 816309 -- that one is actually a dupe of bug 816835 and was about /var/www/cobbler/images missing in the rpm.

This one is something completely different that needs to be investigated (or policy pieces as presented above used directly).