1038767 – SELinux prevents access to /sbin/consoletype during cobbler sync

Bug 1038767 - SELinux prevents access to /sbin/consoletype during cobbler sync

Summary: SELinux prevents access to /sbin/consoletype during cobbler sync

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-12-05 19:18 UTC by Jonathan Underwood
Modified:	2014-01-02 22:53 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-01-02 22:53:52 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Strace of cobbler sync (378.69 KB, text/plain) 2013-12-05 19:25 UTC, Jonathan Underwood	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Jonathan Underwood 2013-12-05 19:18:35 UTC

Description of problem:
With SELinux enforcing, issuing a cobbler sync results in:

..snip...
running: service dhcpd restart
received on stdout: Shutting down dhcpd: [  OK  ]
Starting dhcpd: [  OK  ]

received on stderr: /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
..snip..

Putting SELinux into permissive prevents this from happening.

Unfortunately nothing is reported in audit.log as far as I can tell.



Version-Release number of selected component (if applicable):
# rpm -qa | grep cobbler
cobbler-2.4.0-1.el6.noarch

# rpm -qa | grep selinux
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-195.el6_4.18.noarch
pki-selinux-9.0.3-30.el6.noarch


How reproducible:
Everytime

Steps to Reproduce:
1. run cobbler sync
2.
3.

Actual results:
received on stderr: /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied

Expected results:
No error

Additional info:

Comment 1 Jonathan Underwood 2013-12-05 19:25:38 UTC

Created attachment 833303 [details]
Strace of cobbler sync

strace -f -e write=1,2 cobbler sync 2>cobbler.strace output with SELinux in enforcing mode

Comment 2 Miroslav Grepl 2013-12-06 08:55:37 UTC

We would need to see AVC msgs.

Comment 3 Jonathan Underwood 2013-12-09 19:39:35 UTC

As I stated above, no AVC messages are seen in audit.log - this is why I attached the strace.

Comment 4 Miroslav Grepl 2013-12-10 07:56:56 UTC

Does it work in permissive mode?

Comment 5 Jonathan Underwood 2013-12-10 13:42:46 UTC

(In reply to Miroslav Grepl from comment #4)
> Does it work in permissive mode?

Yes, as I mentioned in the original report, switching to permissive (setenforce 0) makes everything work as it should, and the message "received on stderr: /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied" is not displayed.

Comment 6 Daniel Walsh 2013-12-11 21:58:21 UTC

Could you try with dontaudit rules off.

#semodule -DB
Generate the AVCs

Look for consoletype command and see if there are AVCs related.
#semodule -B

Will turn dontaudit rules back on.

Comment 7 Jonathan Underwood 2013-12-16 17:18:27 UTC

Hm. Unfortunately I can no longer reproduce the problem. I notice the system has recently updated to selinux-policy-targeted-3.7.19-231.el6.noarch, so perhaps that addressed the issue somehow. I'll close this and re-open it if I see it again.

Note You need to log in before you can comment on or make changes to this bug.