Bug 1210366 - command "cobbler sync" produces AVC message
Summary: command "cobbler sync" produces AVC message
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cobbler
Version: epel7
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-09 14:14 UTC by Pavel Studeník
Modified: 2019-04-30 21:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Pavel Studeník 2015-04-09 14:14:49 UTC
Description of problem:
I found AVC messages in the audit.log logfile while running the command "cobbler sync".

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-23.el7.noarch
redhat-release-server-7.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. cobbler sync

Actual results:
type=AVC msg=audit(1428588639.264:1220): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=71827855 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.264:1220): arch=c000003e syscall=86 success=yes exit=0 a0=7f902441b5f0 a1=7f90240a7ec0 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.266:1221): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=71827853 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.266:1221): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024424ba0 a1=7f902440a9c0 a2=7f904020cf88 a3=fffffff0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.267:1222): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=71827855 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.267:1222): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024141510 a1=7f9024282730 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.269:1223): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=71827853 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.269:1223): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024351710 a1=7f9024328350 a2=7f904020cf88 a3=fffff000 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.270:1224): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=72276917 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.270:1224): arch=c000003e syscall=86 success=yes exit=0 a0=7f90242fa320 a1=7f90240a7ec0 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.272:1225): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=72276915 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.272:1225): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024424ba0 a1=7f902440a9c0 a2=7f904020cf88 a3=fffffff0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.273:1226): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=72276917 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.273:1226): arch=c000003e syscall=86 success=yes exit=0 a0=7f9024141510 a1=7f9024282730 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.275:1227): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=72276915 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.275:1227): arch=c000003e syscall=86 success=yes exit=0 a0=7f902432b8a0 a1=7f9024328350 a2=7f904020cf88 a3=0 items=0 ppid=1 pid=9366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)


Expected results:
No AVC messages.

Comment 2 Milos Malik 2015-04-09 14:41:34 UTC
Were the AVCs caught in permissive mode? Where are the initrd.img (inode=72276915) and vmlinuz (inode=72276917) files located?

Comment 3 Pavel Studeník 2015-04-09 14:48:53 UTC
# getenforce 
Enforcing

# ls -lZ /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz

# cobbler sync
task started: 2015-04-09_101038_sync
task started (id=Sync, time=Thu Apr  9 10:10:38 2015)
running pre-sync triggers
cleaning trees
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-7-70
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-7-71
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70
removing: /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
copying: /usr/share/syslinux/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
copying: /usr/share/syslinux/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /usr/share/syslinux/memdisk -> /var/lib/tftpboot/memdisk
copying distros
copying files for distro: ks-rhel-x86_64-server-7-70
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-70/initrd.img
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/vmlinuz -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.0/images/pxeboot/initrd.img -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-70/initrd.img
copying files for distro: ks-rhel-x86_64-server-7-71
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/ks-rhel-x86_64-server-7-71/initrd.img
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/vmlinuz -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-71/vmlinuz
trying hardlink /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-7-7.1/images/pxeboot/initrd.img -> /var/www/cobbler/images/ks-rhel-x86_64-server-7-71/initrd.img
copying images
generating PXE configuration files
cleaning link caches
generating PXE menu structure
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***

Comment 4 Pavel Studeník 2015-04-10 12:21:50 UTC
I added the messages logged during a run in Permissive mode.

# getenforce 
Permissive

# cobbler sync
...

# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1428668419.140:1156): avc:  denied  { write } for  pid=20855 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=204302495 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428668419.140:1156): arch=c000003e syscall=86 success=yes exit=0 a0=7f1e3c39aef0 a1=7f1e3c07b3f0 a2=7f1e5875ff88 a3=fffffff0 items=0 ppid=1 pid=20855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)

Comment 9 Lukas Vrabec 2017-04-10 07:55:39 UTC
This bugzilla was triaged as "WONTFIX" by the SELinux team, because the problem lies in a third-party software component and can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (the component maintainer) can ship a custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
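As an added example (not part of the bug report, of cobbler or of selinux-policy), the script below does the triage that the AVC records above and the custom-policy suggestion in this comment call for: it pairs each AVC record with its SYSCALL record by audit event id, collapses the denials into the allow rules a local policy module would carry, and flags events where the kernel logged "denied" yet the syscall reported success=yes. The sample records are constructed in the shape of the ones in the description; the syscall-number table only covers the one syscall seen here.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's audit.log: an AVC record and its
# SYSCALL record share the event id after the colon in msg=audit(ts:id).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1428588639.264:1220): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="vmlinuz" dev="dm-0" ino=71827855 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.264:1220): arch=c000003e syscall=86 success=yes exit=0 pid=9366 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1428588639.266:1221): avc:  denied  { write } for  pid=9366 comm="cobblerd" name="initrd.img" dev="dm-0" ino=71827853 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428588639.266:1221): arch=c000003e syscall=86 success=yes exit=0 pid=9366 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
SYSCALL_NAMES = {"86": "link"}  # arch=c000003e is x86_64, where 86 is link(2)

def parse_records(text):
    """Group AVC and SYSCALL records by audit event id; perms become a list."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields["type"] == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
        events[m.group(1)][fields["type"]] = fields
    return dict(events)

def draft_allow_rules(events):
    """Collapse the denials into the allow rules a local policy module would carry."""
    rules = set()
    for ev in events.values():
        if "AVC" in ev:
            avc = ev["AVC"]
            src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
            rules.add("allow %s %s:%s { %s };" % (src, tgt, avc["tclass"], " ".join(avc["perms"])))
    return sorted(rules)

def denied_but_succeeded(events):
    """(event id, syscall name) for AVC 'denied' records whose SYSCALL says success=yes.
    In Enforcing mode that is what a permissive domain looks like (semanage permissive -l)."""
    hits = []
    for eid, ev in sorted(events.items()):
        sc = ev.get("SYSCALL", {})
        if "AVC" in ev and sc.get("success") == "yes":
            hits.append((eid, SYSCALL_NAMES.get(sc.get("syscall"), sc.get("syscall"))))
    return hits
```

The drafted rule is a starting point for a policy module, not a finished one: the hardlink target here is Spacewalk data, so the maintainer's policy should decide whether cobblerd_t should write spacewalk_data_t at all or whether the files should carry a cobbler label instead.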
