Bug 1415315 - SELinux prevents cobbler from authenticating via PAM
Summary: SELinux prevents cobbler from authenticating via PAM
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cobbler
Version: epel7
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1384600
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-20 20:37 UTC by Orion Poplawski
Modified: 2019-04-30 21:41 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1384600
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)

Description Orion Poplawski 2017-01-20 20:37:21 UTC
+++ This bug was initially created as a clone of Bug #1384600 +++

Description of problem:

Trying to authenticate a user in cobbler via PAM fails:

type=AVC msg=audit(1476373827.693:553): avc:  denied  { create } for  pid=10174 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket permissive=0

Oct 13 09:50:27 vmf24 python2: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=USER
Oct 13 09:50:27 vmf24 python2: PAM audit_open() failed: Permission denied

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.4.noarch

--- Additional comment from Fedora Update System on 2017-01-09 09:03:05 EST ---

selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe

Comment 2 Milos Malik 2017-01-23 06:58:14 UTC
Could you switch the cobblerd_t domain to permissive, re-run your scenario and collect SELinux denials?

# semanage permissive -a cobblerd_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent

Thank you.

Comment 3 Orion Poplawski 2017-01-23 17:08:44 UTC
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=SYSCALL msg=audit(01/23/2017 10:06:40.375:1311189) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28905 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:06:40.375:1311189) : avc:  denied  { create } for  pid=28905 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket
----
type=SYSCALL msg=audit(01/23/2017 10:07:41.466:1311200) : arch=x86_64 syscall=sendto success=yes exit=164 a0=0x42 a1=0x7fa8dd08eaa0 a2=0xa4 a3=0x0 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc:  denied  { audit_write } for  pid=28980 comm=cobblerd capability=audit_write  scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability
type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc:  denied  { nlmsg_relay } for  pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket
----
type=SYSCALL msg=audit(01/23/2017 10:07:41.465:1311199) : arch=x86_64 syscall=socket success=yes exit=66 a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(01/23/2017 10:07:41.465:1311199) : avc:  denied  { create } for  pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket

# getsebool -a | grep cobbler
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> on
httpd_can_network_connect_cobbler --> on
httpd_serve_cobbler_files --> on


Note You need to log in before you can comment on or make changes to this bug.