+++ This bug was initially created as a clone of Bug #1384600 +++ Description of problem: Trying to authenticate a user in cobbler via PAM fails: type=AVC msg=audit(1476373827.693:553): avc: denied { create } for pid=10174 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket permissive=0 Oct 13 09:50:27 vmf24 python2: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=USER Oct 13 09:50:27 vmf24 python2: PAM audit_open() failed: Permission denied Version-Release number of selected component (if applicable): selinux-policy-3.13.1-102.el7_3.4.noarch --- Additional comment from Fedora Update System on 2017-01-09 09:03:05 EST --- selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
Could you switch the cobblerd_t domain to permissive, re-run your scenario and collect SELinux denials? # semanage permissive -a cobblerd_t (re-run your scenario) # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent Thank you.
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent ---- type=SYSCALL msg=audit(01/23/2017 10:06:40.375:1311189) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28905 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(01/23/2017 10:06:40.375:1311189) : avc: denied { create } for pid=28905 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket ---- type=SYSCALL msg=audit(01/23/2017 10:07:41.466:1311200) : arch=x86_64 syscall=sendto success=yes exit=164 a0=0x42 a1=0x7fa8dd08eaa0 a2=0xa4 a3=0x0 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc: denied { audit_write } for pid=28980 comm=cobblerd capability=audit_write scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability type=AVC msg=audit(01/23/2017 10:07:41.466:1311200) : avc: denied { nlmsg_relay } for pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket ---- type=SYSCALL msg=audit(01/23/2017 10:07:41.465:1311199) : arch=x86_64 syscall=socket success=yes exit=66 a0=netlink a1=SOCK_RAW a2=igp a3=0x1 items=0 ppid=1 pid=28980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null) type=AVC msg=audit(01/23/2017 10:07:41.465:1311199) : avc: denied { create } for pid=28980 comm=cobblerd scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_audit_socket # getsebool -a | grep cobbler cobbler_anon_write --> off cobbler_can_network_connect --> off cobbler_use_cifs --> off cobbler_use_nfs --> on httpd_can_network_connect_cobbler --> on httpd_serve_cobbler_files --> on