Bug 2247653 - cobbler denied by SELinux
Summary: cobbler denied by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cobbler
Version: epel9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-11-02 15:25 UTC by lejeczek
Modified: 2024-03-07 01:50 UTC

Fixed In Version: cobbler-3.3.4-1.el9 cobbler-3.3.4-1.fc39 cobbler-3.3.4-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-03-07 00:35:27 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github cobbler cobbler pull 3454 0 None Merged Address issue #3445 - Fix issue with web.ss file ownership for restarts 2023-11-04 03:11:33 UTC

Description lejeczek 2023-11-02 15:25:31 UTC
Description of problem:

Hi guys.

I've tried a few sebools:

-> $ getsebool -a | grep -i cobbl
cobbler_anon_write --> on
cobbler_can_network_connect --> on
cobbler_use_cifs --> off
cobbler_use_nfs --> off
httpd_can_network_connect_cobbler --> on
httpd_serve_cobbler_files --> on

and I'm reporting here as this should easily reproduce with default/vanilla _cobbler_

-> $ sealert -l 8e33583e-57de-4166-8eb8-7554767ded84
SELinux is preventing /usr/bin/python3.9 from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that python3.9 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
# semodule -X 300 -i my-cobblerd.pp


Additional Information:
Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:system_r:cobblerd_t:s0
Target Objects                Unknown [ capability ]
Source                        cobblerd
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          whale.mine.priv
Source RPM Packages           python3-3.9.17-2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.25-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-38.1.25-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     whale.mine.priv
Platform                      Linux whale.mine.priv 6.5.9-1.el9.elrepo.x86_64 #1
                              SMP PREEMPT_DYNAMIC Wed Oct 25 12:29:01 EDT 2023
                              x86_64 x86_64
Alert Count                   10
First Seen                    2023-11-02 13:13:36 CET
Last Seen                     2023-11-02 16:20:05 CET
Local ID                      8e33583e-57de-4166-8eb8-7554767ded84

Raw Audit Messages
type=AVC msg=audit(1698938405.350:466552): avc:  denied  { dac_override } for  pid=3651386 comm="cobblerd" capability=1  scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability permissive=0


type=SYSCALL msg=audit(1698938405.350:466552): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f1109d7aad0 a2=80241 a3=1b6 items=0 ppid=1 pid=3651386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)

Hash: cobblerd,cobblerd_t,cobblerd_t,capability,dac_override

Version-Release number of selected component (if applicable):

cobbler-3.3.3-1.el9.noarch
selinux-policy-38.1.25-1.el9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
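The two raw audit records above carry everything needed to understand the denial without running sealert. As an added example (not part of this report and not cobbler code), the following parser groups AVC and SYSCALL records by serial, decodes the capability number and the openat flags, and flags the dac_override-on-root pattern. The sample input is the report's own two lines; the capability and open(2) flag tables are subsets of the kernel headers.

```python
import re

# Constructed sample input: the two raw audit records quoted in the report,
# as they would appear in /var/log/audit/audit.log (one record per line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1698938405.350:466552): avc:  denied  { dac_override } for  pid=3651386 comm="cobblerd" capability=1  scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1698938405.350:466552): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f1109d7aad0 a2=80241 a3=1b6 items=0 ppid=1 pid=3651386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)
"""

# Capability numbers from include/uapi/linux/capability.h (subset).
CAPABILITIES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN",
}

# open(2) flag bits for x86_64 (asm-generic/fcntl.h), octal as in the header.
OPEN_FLAGS = [
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o1000, "O_TRUNC"),
    (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"), (0o2000000, "O_CLOEXEC"),
]
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_audit(text):
    """Group audit records by serial number; returns {serial: {type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (or a truncated one)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "AVC":
            avc = AVC_RE.search(m["body"])
            if avc:
                fields["decision"] = avc.group(1)
                fields["permissions"] = avc.group(2).split()
        events.setdefault(m["serial"], {"timestamp": float(m["ts"])})[m["type"]] = fields
    return events


def decode_open_flags(flags):
    """Split an open(2) flags word into the access mode plus set flag names."""
    names = [ACCESS_MODES.get(flags & 0o3, "O_ACCMODE?")]
    names += [name for bit, name in OPEN_FLAGS if flags & bit]
    return names


def explain_denial(event):
    """Turn one AVC(+SYSCALL) event into a summary a responder can act on."""
    avc = event["AVC"]
    summary = {
        "decision": avc["decision"],
        "permissions": avc["permissions"],
        "domain": avc["scontext"],
        "comm": avc["comm"],
        "pid": int(avc["pid"]),
    }
    if avc.get("tclass") == "capability":
        num = int(avc["capability"])
        summary["capability"] = CAPABILITIES.get(num, f"capability {num}")
    sc = event.get("SYSCALL")
    if sc:
        summary.update(syscall=sc["syscall"], exit=sc["exit"],
                       exe=sc["exe"], euid=int(sc["euid"]))
        if sc["syscall"] in ("open", "openat"):
            summary["open_flags"] = decode_open_flags(int(sc["a2"], 16))
            summary["create_mode"] = f"0o{int(sc['a3'], 16):o}"
    # A root process that needs dac_override failed the file's own rwx bits;
    # the durable fix is the file's owner/mode, not a policy module.
    if summary.get("capability") == "CAP_DAC_OVERRIDE" and summary.get("euid") == 0:
        summary["hint"] = ("root failed the file's owner/group/other check and the "
                           "domain may not override it: fix the file's owner or mode")
    return summary


if __name__ == "__main__":
    for serial, event in parse_audit(SAMPLE_AUDIT).items():
        print(serial, explain_denial(event))
```

Run against a real log with `ausearch -m avc --raw | python3 this.py` style piping once `SAMPLE_AUDIT` is swapped for stdin; the decoded flags here (`O_WRONLY|O_CREAT|O_TRUNC`, mode 0666) show the daemon was rewriting the file, which is why a read-only bit fix would not have been enough.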

Comment 1 Orion Poplawski 2023-11-04 03:03:59 UTC
Oh how silly - cobblerd is still generating /var/lib/cobbler/web.ss even though this has no more purpose at the moment.  And unfortunately I removed the %attr() call that set the proper permissions for it but left the touch that created it.

quick fix:

chmod 0660 /var/lib/cobbler/web.ss

But I'll try to get a fixed package out shortly.
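Why a chmod resolves a capability denial: Linux consults exactly one rwx class (owner, else group, else other) and only falls back to CAP_DAC_OVERRIDE when that class refuses; under SELinux the domain must additionally be allowed the capability, which cobblerd_t is not. The model below is an added example, not cobbler's code or the kernel's. Its scenario is constructed: web.ss owned by a placeholder service uid 991 with group root, and cobblerd running as root; the report does not state the file's actual owner.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx class


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o600


@dataclass(frozen=True)
class Process:
    fsuid: int
    fsgid: int
    groups: frozenset = frozenset()        # supplementary groups
    capabilities: frozenset = frozenset()  # caps the SELinux domain may use


def dac_class(inode, proc):
    """Pick the single rwx class Linux consults: owner, else group, else other."""
    if proc.fsuid == inode.uid:
        return "owner", (inode.mode >> 6) & 7
    if proc.fsgid == inode.gid or inode.gid in proc.groups:
        return "group", (inode.mode >> 3) & 7
    return "other", inode.mode & 7


def check_access(inode, proc, want):
    cls, bits = dac_class(inode, proc)
    if bits & want == want:
        return {"allowed": True, "via": cls, "needs_cap": None}
    # DAC refused. The kernel then tries capabilities: CAP_DAC_READ_SEARCH
    # covers read-only access, CAP_DAC_OVERRIDE covers read/write (and execute
    # only when some x bit is set). With SELinux the domain must also be
    # granted the capability; that is the "denied { dac_override }" above.
    if want == R and "CAP_DAC_READ_SEARCH" in proc.capabilities:
        return {"allowed": True, "via": "CAP_DAC_READ_SEARCH",
                "needs_cap": "CAP_DAC_READ_SEARCH"}
    if want & X and not inode.mode & 0o111:
        return {"allowed": False, "via": cls, "needs_cap": None}  # no cap helps
    if "CAP_DAC_OVERRIDE" in proc.capabilities:
        return {"allowed": True, "via": "CAP_DAC_OVERRIDE",
                "needs_cap": "CAP_DAC_OVERRIDE"}
    return {"allowed": False, "via": cls, "needs_cap": "CAP_DAC_OVERRIDE"}


# Constructed scenario, not taken from the report: placeholder owner uid,
# group root, cobblerd as root in cobblerd_t (policy grants no dac_override).
SERVICE_UID = 991  # placeholder
WEB_SS_BEFORE = Inode(uid=SERVICE_UID, gid=0, mode=0o600)
WEB_SS_AFTER = Inode(uid=SERVICE_UID, gid=0, mode=0o660)  # after chmod 0660
COBBLERD = Process(fsuid=0, fsgid=0)                      # confined: no caps
UNCONFINED_ROOT = Process(fsuid=0, fsgid=0,
                          capabilities=frozenset({"CAP_DAC_OVERRIDE"}))


def demo():
    """Compare the write attempt before and after the chmod, and for unconfined root."""
    return {
        "before": check_access(WEB_SS_BEFORE, COBBLERD, W),
        "after": check_access(WEB_SS_AFTER, COBBLERD, W),
        "unconfined_before": check_access(WEB_SS_BEFORE, UNCONFINED_ROOT, W),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "unconfined_before" case is why the bug is invisible with SELinux permissive or disabled: plain root silently uses CAP_DAC_OVERRIDE, and only the confined domain exposes that the file's bits were wrong. Widening the "other" class instead of the group bits would also pass the check but makes the file world-writable, so the group fix is the one to reach for.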

Comment 2 Orion Poplawski 2023-11-04 03:11:33 UTC
Hmm, actually this is an upstream bug that has been fixed in git.  But the permissions are currently getting messed up by cobblerd itself on restart.

Comment 3 Fedora Update System 2024-02-27 04:54:33 UTC
FEDORA-EPEL-2024-f61c894754 (cobbler-3.3.4-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-f61c894754

Comment 4 Fedora Update System 2024-02-27 04:54:33 UTC
FEDORA-2024-e4fbc04b30 (cobbler-3.3.4-1.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e4fbc04b30

Comment 5 Fedora Update System 2024-02-28 01:03:33 UTC
FEDORA-2024-e4fbc04b30 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-e4fbc04b30`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e4fbc04b30

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2024-02-28 01:15:34 UTC
FEDORA-EPEL-2024-f61c894754 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-f61c894754

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2024-02-28 02:10:46 UTC
FEDORA-2024-21763dc4d6 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-21763dc4d6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-21763dc4d6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2024-03-07 00:35:27 UTC
FEDORA-EPEL-2024-f61c894754 (cobbler-3.3.4-1.el9) has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2024-03-07 00:57:20 UTC
FEDORA-2024-e4fbc04b30 (cobbler-3.3.4-1.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2024-03-07 01:50:06 UTC
FEDORA-2024-21763dc4d6 (cobbler-3.3.4-1.fc38) has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

