Description of problem:
I found AVC messages in the logfile audit.log while running the command "cobbler sync"

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-23.el7.noarch
redhat-release-server-7.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. cobbler sync

Actual results:
type=AVC msg=audit(1428588639.264:1220): avc: denied { write } for pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=71827855 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.264:1220): arch=c000003e syscall=86 success=yes exit=0 a0=7f902441b5f0 a1=7f90240a7ec0 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.266:1221): avc: denied { write } for pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=71827853 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.266:1221): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024424ba0 a1=7f902440a9c0 a2=7f904020cf88 a3=fffffff0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.267:1222): avc: denied { write } for pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=71827855 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.267:1222): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024141510 a1=7f9024282730 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.269:1223): avc: denied { write } for pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=71827853 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.269:1223): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024351710 a1=7f9024328350 a2=7f904020cf88 a3=fffff000 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.270:1224): avc: denied { write } for pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=72276917 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.270:1224): arch=c000003e syscall=86 success=yes exit=0 a0=7f90242fa320 a1=7f90240a7ec0 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.272:1225): avc: denied { write } for pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=72276915 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.272:1225): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024424ba0 a1=7f902440a9c0 a2=7f904020cf88 a3=fffffff0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.273:1226): avc: denied { write } for pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=72276917 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.273:1226): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024141510 a1=7f9024282730 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.275:1227): avc: denied { write } for pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=72276915 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.275:1227): arch=c000003e syscall=86 success=yes exit=0 a0=7f902432b8a0 a1=7f9024328350 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)

Expected results:
without message
Were the AVCs caught in permissive mode? Where are the initrd.img (inode=72276915) and vmlinuz (inode=72276917) files located?
# getenforce
Enforcing
# ls -lZ /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz
# cobbler sync
task started: 2015-04-09_101038_sync
task started (id=Sync, time=Thu Apr 9 10:10:38 2015)
running pre-sync triggers
cleaning trees
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-7-70
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-7-71
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70
removing: /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
copying: /usr/share/syslinux/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
copying: /usr/share/syslinux/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /usr/share/syslinux/memdisk -> /var/lib/tftpboot/memdisk
copying distros
copying files for distro: ks-rhel-x86_64-server-7-70
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70/initrd.img
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/vmlinuz -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/initrd.img -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/initrd.img
copying files for distro: ks-rhel-x86_64-server-7-71
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71/initrd.img
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/vmlinuz -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-71/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/initrd.img -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-71/initrd.img
copying images
generating PXE configuration files
cleaning link caches
generating PXE menu structure
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***
I added the message from a run in Permissive mode

# getenforce
Permissive
# cobbler sync
...
# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1428668419.140:1156): avc: denied { write } for pid=20855 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=204302495 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428668419.140:1156): arch=c000003e syscall=86 success=yes exit=0 a0=7f1e3c39aef0 a1=7f1e3c07b3f0 a2=7f1e5875ff88 a3=fffffff0 items=0 ppid=1 pid=20855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
This bugzilla was triaged as "WONTFIX" by the SELinux team, due to a third-party software component which can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (the component maintainer) can ship a custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
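The AVC/SYSCALL pairs in this report, run through a small audit-record parser; this is an added example, not code from the bug report, from cobbler or from the selinux-policy package, and it embeds the first two pairs quoted above as constructed sample input. It pairs each AVC with its SYSCALL by serial, collapses the denials into unique source type/target type/class/permission tuples, flags that success=yes on a denied link() (syscall 86 on arch c000003e, i.e. x86_64) means the access was not actually blocked, and renders the allow rule a custom policy module for cobblerd would have to carry.

```python
import re
# Constructed sample: the first two AVC/SYSCALL pairs quoted in the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1428588639.264:1220): avc: denied { write } for pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=71827855 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.264:1220): arch=c000003e syscall=86 success=yes exit=0 a0=7f902441b5f0 a1=7f90240a7ec0 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.266:1221): avc: denied { write } for pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=71827853 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.266:1221): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024424ba0 a1=7f902440a9c0 a2=7f904020cf88 a3=fffffff0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
"""
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
SYSCALL_NAMES = {("c000003e", "86"): "link"}  # x86_64 syscall 86 is link(2): the hardlink

def parse_records(text):
    """Group audit lines by serial number: {serial: {record type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if rtype == "AVC":
            pm = PERMS_RE.search(rest)
            fields["perms"] = pm.group(1).split() if pm else []
        events.setdefault(serial, {})[rtype] = fields
    return events

def summarize(events):
    """Collapse denials into unique (source type, target type, class, perms) keys."""
    summary = {}
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue
        key = (avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2],
               avc["tclass"], tuple(avc["perms"]))
        e = summary.setdefault(key, {"count": 0, "names": set(), "syscalls": set(),
                                     "not_blocked": False})
        e["count"] += 1
        e["names"].add(avc.get("name", "?"))
        e["syscalls"].add(SYSCALL_NAMES.get((sc.get("arch"), sc.get("syscall")), "?"))
        # success=yes on a denied AVC means the call went through anyway, so the
        # system or the source domain was permissive; a real block shows success=no.
        e["not_blocked"] |= sc.get("success") == "yes"
    return summary

def allow_rules(summary):
    # Each unique denial as the allow rule a local policy module would need.
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p)) for s, t, c, p in summary]
```

Review the rendered rules before putting them in a module: here the rule grants cobblerd_t write on every spacewalk_data_t file, which is broader than the two kernel/initrd hardlinks the sync actually makes.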