Bug 978601

Summary: "type=AVC msg=audit(...): avc: denied { create } for pid=... comm="cobblerd" name="buildiso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir" when running `cobbler buildiso`
Product: Red Hat Satellite 5 Reporter: Jan Hutař <jhutar>
Component: ProvisioningAssignee: Stephen Herr <sherr>
Status: CLOSED CURRENTRELEASE QA Contact: Jan Hutař <jhutar>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: cperry, rjerrido
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cobbler-2.0.7-33-sat Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-01 21:39:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 506485, 924171, 924190    
Attachments:
Description Flags
Proposed patch to /usr/lib/python2.6/site-packages/cobbler/cli.py none

Description Jan Hutař 2013-06-26 22:22:04 UTC 
[This was initially discovered by Cliff]

Description of problem:
Running `cobbler buildiso` generates AVC error.


Version-Release number of selected component (if applicable):
cobbler-2.0.7-29.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. # sestatus   # make sure you are in enforcing
2. # cobbler buildiso


Actual results:
# cobbler buildiso
task started: 2013-06-26_181250_buildiso
task started (id=Build Iso, time=Wed Jun 26 18:12:50 2013)
using/creating tempdir: /buildiso
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/buildiso'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 95, in run
    rc = self._run(self)
   File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 156, in runner
    self.options.get("force_server",None)
   File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 756, in build_iso
    iso=iso, profiles=profiles, systems=systems, tempdir=tempdir, distro=distro, standalone=standalone, source=source, exclude_dns=exclude_dns, force_server=force_server
   File "/usr/lib/python2.6/site-packages/cobbler/action_buildiso.py", line 402, in run
    os.makedirs(tempdir)
   File "/usr/lib64/python2.6/os.py", line 157, in makedirs
    mkdir(name, mode)

!!! TASK FAILED !!!


Expected results:
Should work.


Additional info:
Generated AVC is like this:
type=AVC msg=audit(1372284771.863:671): avc:  denied  { create } for  pid=13707 comm="cobblerd" name="buildiso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1372284771.863:671): arch=c000003e syscall=83 success=no exit=-13 a0=7fbe70013b80 a1=1ff a2=3ade5a09e8 a3=7fbe784ddb18 items=0 ppid=1 pid=13707 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)

When the system is set to Permissive, `cobbler buildiso` PASSes, and these AVCs are generated:
type=AVC msg=audit(1372284840.697:673): avc:  denied  { create } for  pid=13728 comm="cobblerd" name="buildiso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1372284840.697:673): arch=c000003e syscall=83 success=yes exit=0 a0=7fbe68004c10 a1=1ff a2=3ade5a09e8 a3=7fbe778d6b18 items=0 ppid=1 pid=13728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1372284840.797:674): avc:  denied  { write } for  pid=13737 comm="mkisofs" name="root" dev=dm-0 ino=655361 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1372284840.797:674): avc:  denied  { add_name } for  pid=13737 comm="mkisofs" name="generated.iso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1372284840.797:674): avc:  denied  { create } for  pid=13737 comm="mkisofs" name="generated.iso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1372284840.797:674): avc:  denied  { write open } for  pid=13737 comm="mkisofs" name="generated.iso" dev=dm-0 ino=656786 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1372284840.797:674): arch=c000003e syscall=2 success=yes exit=13 a0=7fffa518de61 a1=241 a2=1b6 a3=0 items=0 ppid=6779 pid=13737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkisofs" exe="/usr/bin/genisoimage" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1372284840.804:675): avc:  denied  { getattr } for  pid=13737 comm="mkisofs" path="/root/generated.iso" dev=dm-0 ino=656786 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1372284840.804:675): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fffa5186620 a2=7fffa5186620 a3=7fffa51864f0 items=0 ppid=6779 pid=13737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkisofs" exe="/usr/bin/genisoimage" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=MAC_STATUS msg=audit(1372284848.093:676): enforcing=1 old_enforcing=0 auid=0 ses=100
type=SYSCALL msg=audit(1372284848.093:676): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffbaf4e380 a2=1 a3=0 items=0 ppid=13520 pid=13738 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=100 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

BTW running `cobbler buildiso --iso=/tmp/aaa.iso` did not helped.
Comment 1 Rich Jerrido 2013-07-08 21:51:24 UTC 
I've run into this bug as well. What is happening is that since cobblerd is a confined daemon, it can only write to where the SELinux policy allows it. You can work around this using the --tempdir & --iso switches to redirect cobbler to use a directory that it can write to. (after creating it)

I've worked around this using the following workflow. 

Find a file context that cobblerd can write to:

# sesearch -A -s cobblerd_t -c file  | grep write

Select a file type from that output. I used 'cobbler_tmp_t' as it seemed most fitting. Create a directory and update the SELinux policy with the correct file context.
 
# semanage fcontext -a -t cobbler_tmp_t "/srv/cobbler(/.*)?"
# mkdir /srv/cobbler/tempdir
# restorecon -Rv /srv/cobbler

run cobbler

# cobbler buildiso --tempdir /srv/cobbler/tempdir/ --iso /srv/cobbler/generated.iso
Comment 2 Rich Jerrido 2013-07-08 22:03:39 UTC 
Created attachment 770693 [details]
Proposed patch to /usr/lib/python2.6/site-packages/cobbler/cli.py

The attached patch is an update to /usr/lib/python2.6/site-packages/cobbler/cli.py. It sets an explicit default location for the generated iso (the --iso paramater) and the temporary directory (the --tempdir paramater). It is assumed that the cobbler installation will create those directories (maybe in the %post section of the RPM install) with the correct SELinux contexts.
Comment 3 Stephen Herr 2013-07-11 20:45:40 UTC 
Thanks for the patch and explanation Rich, that was very helpful. I would rather not require policycoreutils-python in order to get the semanage tool so I think I'll just default the tempdir to /tmp/cobbler/buildiso instead. There were also a couple of references to the cwd on the server-side code that needed to be replaced. So I'm going to do things a little differently, but the same basic idea.
Comment 6 Clifford Perry 2013-10-01 21:39:35 UTC 
Satellite 5.6 has been released. This bug was tracked under the release.  

This bug was either VERIFIED or RELEASE_PENDING (re-verified prior shortly
before release). 

Moving to CLOSED CURRENT_RELEASE. 

Text from Upgrade Erratum follows:

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1395.html