Description of problem:
Hi guys. I've tried a few sebools:

-> $ getsebool -a | grep -i cobbl
cobbler_anon_write --> on
cobbler_can_network_connect --> on
cobbler_use_cifs --> off
cobbler_use_nfs --> off
httpd_can_network_connect_cobbler --> on
httpd_serve_cobbler_files --> on

and I'm reporting here as this should easily reproduce with default/vanilla _cobbler_

-> $ sealert -l 8e33583e-57de-4166-8eb8-7554767ded84
SELinux is preventing /usr/bin/python3.9 from using the dac_override capability.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that python3.9 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
# semodule -X 300 -i my-cobblerd.pp

Additional Information:
Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:system_r:cobblerd_t:s0
Target Objects                Unknown [ capability ]
Source                        cobblerd
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          whale.mine.priv
Source RPM Packages           python3-3.9.17-2.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.1.25-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-38.1.25-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     whale.mine.priv
Platform                      Linux whale.mine.priv 6.5.9-1.el9.elrepo.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 25 12:29:01 EDT 2023 x86_64 x86_64
Alert Count                   10
First Seen                    2023-11-02 13:13:36 CET
Last Seen                     2023-11-02 16:20:05 CET
Local ID                      8e33583e-57de-4166-8eb8-7554767ded84

Raw Audit Messages
type=AVC msg=audit(1698938405.350:466552): avc: denied { dac_override } for pid=3651386 comm="cobblerd" capability=1 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability permissive=0

type=SYSCALL msg=audit(1698938405.350:466552): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f1109d7aad0 a2=80241 a3=1b6 items=0 ppid=1 pid=3651386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)

Hash: cobblerd,cobblerd_t,cobblerd_t,capability,dac_override

Version-Release number of selected component (if applicable):
cobbler-3.3.3-1.el9.noarch
selinux-policy-38.1.25-1.el9.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
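Decoding the raw audit messages in the report above, as an added example (not code from the report or from cobbler itself): the AVC record is joined to its SYSCALL record by the audit serial, the capability number and the openat flags/mode are decoded, and the result shows why a uid 0 process hitting a dac_override denial points at the target file's mode bits rather than at policy. The sample records are abridged copies of the ones quoted in the report.

```python
import re

# Sample records constructed (abridged) from the raw audit messages quoted in the report.
AVC_LINE = ('type=AVC msg=audit(1698938405.350:466552): avc: denied { dac_override } '
            'for pid=3651386 comm="cobblerd" capability=1 '
            'scontext=system_u:system_r:cobblerd_t:s0 '
            'tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability permissive=0')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1698938405.350:466552): arch=x86_64 '
                'syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f1109d7aad0 '
                'a2=80241 a3=1b6 items=0 ppid=1 pid=3651386 uid=0 euid=0 '
                'comm=cobblerd exe=/usr/bin/python3.9 '
                'subj=system_u:system_r:cobblerd_t:s0 key=(null)')

# capability numbers from linux/capability.h (DAC-related subset)
CAPS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER"}
# open(2) flag bits on x86_64 Linux; for openat, a2 is the flags word and a3 the mode
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x200: "O_TRUNC",
              0x400: "O_APPEND", 0x80000: "O_CLOEXEC"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict, adding the AVC verdict and permission set."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    m = re.search(r'audit\(\d+\.\d+:(\d+)\)', line)
    rec["serial"] = m.group(1) if m else None  # same serial joins AVC and SYSCALL records
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if m:
        rec["decision"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def explain_dac_override(avc, syscall):
    """Decode a denied dac_override check together with the syscall it failed.

    A uid 0 process only needs CAP_DAC_OVERRIDE when the file's own mode bits refuse the
    access, so this points at the file's ownership/mode (as sealert says), not at policy.
    """
    if avc.get("decision") != "denied" or avc.get("tclass") != "capability":
        return None
    if "dac_override" not in avc.get("perms", []) or avc["serial"] != syscall["serial"]:
        return None
    flags = int(syscall["a2"], 16)
    names = [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]
    if not flags & 0x3:  # neither O_WRONLY nor O_RDWR set means O_RDONLY
        names.insert(0, "O_RDONLY")
    return {"comm": avc["comm"], "pid": avc["pid"],
            "capability": CAPS.get(int(avc["capability"]), avc["capability"]),
            "syscall": syscall["syscall"], "flags": names,
            "mode": f"{int(syscall['a3'], 16):#o}",  # audit prints a3 in hex: 1b6 -> 0o666
            "exit": syscall["exit"], "uid": syscall.get("uid")}
```

For the report's records this yields an openat with O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC and mode 0o666 by uid 0, which is exactly the case where an existing file whose mode bits deny the write (the web.ss permission problem described further down) surfaces as a dac_override AVC.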
Oh how silly - cobblerd is still generating /var/lib/cobbler/web.ss even though this has no more purpose at the moment. And unfortunately I removed the %attr() call that set the proper permissions for it but left the touch that created it.

Quick fix:
chmod 0660 /var/lib/cobbler/web.ss

But I'll try to get a fixed package out shortly.
Hmm, actually this is an upstream bug that has been fixed in git. But the permissions are currently getting messed up by cobblerd itself on restart.
FEDORA-EPEL-2024-f61c894754 (cobbler-3.3.4-1.el9) has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-f61c894754
FEDORA-2024-e4fbc04b30 (cobbler-3.3.4-1.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-e4fbc04b30
FEDORA-2024-e4fbc04b30 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-e4fbc04b30` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e4fbc04b30 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2024-f61c894754 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-f61c894754 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-21763dc4d6 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-21763dc4d6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-21763dc4d6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2024-f61c894754 (cobbler-3.3.4-1.el9) has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-e4fbc04b30 (cobbler-3.3.4-1.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-21763dc4d6 (cobbler-3.3.4-1.fc38) has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.