Bug 1006761 - SELinux prevent cobbler import
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Lukas Vrabec
Ben Levenson
Reported: 2013-09-11 05:05 EDT by Jens Kleineheismann
Modified: 2013-09-29 20:35 EDT (History)
Fixed In Version: selinux-policy-3.12.1-74.8.fc19
Doc Type: Bug Fix
Last Closed: 2013-09-29 20:35:32 EDT
Type: Bug
Attachments:
- Snippet of the audit.log (582 bytes, text/plain), 2013-09-11 05:05 EDT, Jens Kleineheismann
- Output of ausearch -m avc -ts recent (5.06 KB, text/plain), 2013-09-17 04:20 EDT, Jens Kleineheismann

Description Jens Kleineheismann 2013-09-11 05:05:10 EDT
Created attachment 796299: Snippet of the audit.log

Description of problem:
cobbler import fails while causing an AVC.

Since the inoperable cobbler import command is shown in the Fedora Installation Guide, Chapter 13 'Setting Up an Installation Server' I will assign HIGH severity.


Version-Release number of selected component (if applicable):
- Fedora 19
- selinux-policy-3.12.1-74.1
- cobbler-2.4.0-1
- rsync-3.0.9-8

How reproducible:
every time


Steps to Reproduce:
# getenforce
Enforcing
# mkdir /mnt/dvd
# mount -o loop Fedora-19-x86_64-DVD.iso /mnt/dvd
# cobbler import --name=f19 --path=/mnt/dvd

Actual results:
----- 8< -----
task started: 2013-09-11_103319_import
task started (id=Media import, time=Wed Sep 11 10:33:19 2013)
Exception occured: <class 'cobbler.cexceptions.CX'>
Exception value: 'Command failed'
Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/remote.py", line 89, in run
    rc = self._run(self)
   File "/usr/lib/python2.7/site-packages/cobbler/remote.py", line 232, in runner
    self.logger
   File "/usr/lib/python2.7/site-packages/cobbler/api.py", line 879, in import_tree
    utils.run_this(rsync_cmd, (spacer, mirror_url, path), self.logger)
   File "/usr/lib/python2.7/site-packages/cobbler/utils.py", line 920, in run_this
    die(logger,"Command failed")
   File "/usr/lib/python2.7/site-packages/cobbler/utils.py", line 137, in die
    raise CX(msg)

!!! TASK FAILED !!!
----- >8 -----

auditd logs an AVC:
----- 8< -----
type=AVC msg=audit(1378888400.788:534): avc:  denied  { getattr } for  pid=21988 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=400408 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
----- >8 -----

in /var/log/cobbler/cobbler.log you will find:
----- 8< -----
Wed Sep 11 10:33:19 2013 - DEBUG | REMOTE CLI Authorized; user(?)
Wed Sep 11 10:33:19 2013 - INFO | REMOTE start_task(Media import); event_id(2013-09-11_103319_import); user(?)
Wed Sep 11 10:33:20 2013 - INFO | import_tree; ['/mnt/dvd', 'f19', None, None, None]
Wed Sep 11 10:33:20 2013 - INFO | importing from a network location, running rsync to fetch the files first
Wed Sep 11 10:33:20 2013 - INFO | running: rsync -a  '/mnt/dvd/' /var/www/cobbler/ks_mirror/f19 --progress
Wed Sep 11 10:33:20 2013 - INFO | received on stdout: 
Wed Sep 11 10:33:20 2013 - DEBUG | received on stderr: /bin/sh: rsync: command not found

Wed Sep 11 10:33:20 2013 - INFO | Exception occured: <class 'cobbler.cexceptions.CX'>
Wed Sep 11 10:33:20 2013 - INFO | Exception value: 'Command failed'
Wed Sep 11 10:33:20 2013 - INFO | Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/utils.py", line 129, in die
    raise CX(msg)
----- >8 -----


Expected results:
cobbler should not fail. I expect it to mirror the content of /mnt/dvd to /var/www/cobbler/ks_mirror/f19 via rsync at least.

Additional info:
# getsebool -a | grep -E '(cobbler|rsync)'
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
httpd_can_network_connect_cobbler --> off
httpd_serve_cobbler_files --> off
postgresql_can_rsync --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off

# ls -dZ /mnt/dvd
drwxrwsr-x. root 101737 system_u:object_r:iso9660_t:s0   /mnt/dvd/
# ls -dZ /var/www/cobbler/ks_mirror
drwxr-xr-x. root root system_u:object_r:cobbler_var_lib_t:s0 /var/www/cobbler/ks_mirror/
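An added helper, not part of this bug report or of the cobbler or selinux-policy code, that parses the AVC record quoted above and restates the denial in policy terms: source domain, target label, object class and permissions. A denial on a `*_exec_t` file means the domain is refused access to that program (here the shell's PATH lookup cannot stat `/usr/bin/rsync`, which surfaces as "command not found" on stderr), and none of the booleans listed above covers it, which is why the fix in this report was a policy update. The sample record is copied from the report; the field names are standard audit AVC keys.

```python
import re
from dataclasses import dataclass

# Sample record: the AVC line quoted in this bug report (constructed here for the test).
SAMPLE_AVC = (
    'type=AVC msg=audit(1378888400.788:534): avc:  denied  { getattr } for  '
    'pid=21988 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=400408 '
    'scontext=system_u:system_r:cobblerd_t:s0 '
    'tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file'
)

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str
    perms: list
    fields: dict

    @property
    def source_type(self):
        # SELinux context is user:role:type:level; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def blocks_program_access(self):
        # A file-class denial on a *_exec_t label: the domain cannot reach a program.
        return self.fields.get("tclass") == "file" and self.target_type.endswith("_exec_t")


def parse_avc(line):
    """Return an AvcRecord for an audit AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(m.group("verdict"), m.group("perms").split(), fields)


def describe(rec):
    """One-line summary in policy terms, e.g. for triaging which rule is missing."""
    what = rec.fields.get("path") or rec.fields.get("name", "?")
    return (f"{rec.source_type} may not {','.join(rec.perms)} {rec.fields['tclass']} "
            f"{what} labelled {rec.target_type}")
```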
Comment 1 Miroslav Grepl 2013-09-16 10:51:25 EDT
Could you please re-test it in permissive mode, or you can run

# semanage permissive -a cobblerd_t

re-test, and then run

# ausearch -m avc -ts recent

Thank you.
Comment 2 Jens Kleineheismann 2013-09-17 04:20:59 EDT
Created attachment 798662: Output of ausearch -m avc -ts recent
Comment 3 Jens Kleineheismann 2013-09-17 04:23:04 EDT
With permissive mode for cobblerd the task succeeds.
Please see attachment 798662 for the ausearch output.

Greetings,
  Jens
Comment 4 Daniel Walsh 2013-09-19 15:12:28 EDT
3422057ec411c299c8b59df75d2fafa4015748a7 fixes this in git.
Comment 5 Lukas Vrabec 2013-09-20 03:49:21 EDT
Backported.
Comment 6 Fedora Update System 2013-09-26 05:43:07 EDT
selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19
Comment 7 Fedora Update System 2013-09-26 20:48:03 EDT
Package selinux-policy-3.12.1-74.8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2013-09-29 20:35:32 EDT
selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
