Description of problem: SELinux is preventing /usr/bin/python3.9 from read access on the directory /boot/efi/EFI. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /boot/efi/EFI default label should be boot_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /boot/efi/EFI ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that python3.9 should be allowed read access on the EFI directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd # semodule -X 300 -i my-cobblerd.pp Additional Information: Source Context system_u:system_r:cobblerd_t:s0 Target Context system_u:object_r:dosfs_t:s0 Target Objects /boot/efi/EFI [ dir ] Source cobblerd Source Path /usr/bin/python3.9 Port <Unknown> Host <Unknown> Source RPM Packages python3-3.9.21-1.el9_5.x86_64 Target RPM Packages efi-filesystem-6-2.0.1.el9_0.noarch SELinux Policy RPM selinux-policy-targeted-38.1.45-3.0.1.el9_5.noarch Local Policy RPM cobbler-selinux-3.3.7-1.el9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name netboot.bp.local Platform Linux netboot.bp.local 5.14.0-503.33.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 19 06:55:43 PDT 2025 x86_64 x86_64 Alert Count 5 First Seen 2025-03-19 20:08:34 +04 Last Seen 2025-03-19 21:46:18 +04 Local ID 88821c8d-0c85-4815-8517-2f4988c79127 Raw Audit Messages type=AVC msg=audit(1742406378.613:9712): avc: denied { read } for pid=53773 comm="cobblerd" name="EFI" dev="sda1" ino=3 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1742406378.613:9712): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f01d0c45170 a2=90800 a3=0 items=0 ppid=1 pid=53773 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root Hash: cobblerd,cobblerd_t,dosfs_t,dir,read Version-Release number of selected component (if applicable): # rpm -qa cobbler* cobbler-selinux-3.3.7-1.el9.noarch cobbler-3.3.7-1.el9.noarch How reproducible: always Steps to Reproduce: 1. dnf install cobbler grub2-efi-x64-modules 2. systemctl start cobblerd 3. cobbler mkloaders Actual results: # cobbler mkloaders task started: 2025-03-20_193047_Create bootable bootloader images_331add81b3f24dc68ba25d714abd4ee4 task started (id=Create bootable bootloader images, time=Thu Mar 20 19:30:47 2025) start_task(mkloaders); event_id(2025-03-20_193047_Create bootable bootloader images_331add81b3f24dc68ba25d714abd4ee4) Unable to find the folder which should be scanned for "shim.efi"! Bailing out of linking the shim! GRUB2 modules directory for arch "aarch64" did no exist. Skipping GRUB2 creation GRUB2 modules directory for arch "arm" did no exist. Skipping GRUB2 creation GRUB2 modules directory for arch "arm64-efi" did no exist. Skipping GRUB2 creation GRUB2 modules directory for arch "i386-efi" did no exist. Skipping GRUB2 creation GRUB2 modules directory for arch "i386-pc-pxe" did no exist. Skipping GRUB2 creation GRUB2 modules directory for arch "i686" did no exist. Skipping GRUB2 creation GRUB2 modules directory for arch "IA64" did no exist. Skipping GRUB2 creation GRUB2 modules directory for arch "powerpc-ieee1275" did no exist. Skipping GRUB2 creation grub2-mkimage failed for arch "x86_64-efi"! Maybe you did forget to install the grub modules for the architecture? Exception occurred: <class 'subprocess.CalledProcessError'> Exception value: Command '['grub2-mkimage', '--format', 'x86_64-efi', '--output', '/var/lib/cobbler/loaders/grub/grubx64.efi', '--prefix=', 'btrfs', 'ext2', 'xfs', 'jfs', 'reiserfs', 'all_video', 'boot', 'cat', 'configfile', 'echo', 'fat', 'font', 'gfxmenu', 'gfxterm', 'gzio', 'halt', 'iso9660', 'jpeg', 'linux', 'loadenv', 'minicmd', 'normal', 'part_apple', 'part_gpt', 'part_msdos', 'password_pbkdf2', 'png', 'reboot', 'search', 'search_fs_file', 'search_fs_uuid', 'search_label', 'sleep', 'test', 'true', 'video', 'mdraid09', 'mdraid1x', 'lvm', 'serial', 'regexp', 'tr', 'tftp', 'http', 'luks', 'gcry_rijndael', 'gcry_sha1', 'gcry_sha256', 'chain', 'efinet']' returned non-zero exit status 1. Exception Info: *** TASK COMPLETE *** Expected results: Cobbler can access to grub2 EFI files when SELinux is in enforcing mode.
SELinux is preventing /usr/bin/python3.9 from read access on the directory /boot/efi/EFI/redhat. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /boot/efi/EFI/redhat default label should be boot_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /boot/efi/EFI/redhat ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that python3.9 should be allowed read access on the redhat directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd # semodule -X 300 -i my-cobblerd.pp Additional Information: Source Context system_u:system_r:cobblerd_t:s0 Target Context system_u:object_r:dosfs_t:s0 Target Objects /boot/efi/EFI/redhat [ dir ] Source cobblerd Source Path /usr/bin/python3.9 Port <Unknown> Host <Unknown> Source RPM Packages python3-3.9.21-1.el9_5.x86_64 Target RPM Packages efi-filesystem-6-2.0.1.el9_0.noarch grub2-common-2.06-94.0.1.el9_5.noarch SELinux Policy RPM selinux-policy-targeted-38.1.45-3.0.1.el9_5.noarch Local Policy RPM cobbler-selinux-3.3.7-1.el9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name netboot.bp.local Platform Linux netboot.bp.local 5.14.0-503.33.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 19 06:55:43 PDT 2025 x86_64 x86_64 Alert Count 11 First Seen 2025-03-19 20:08:34 +04 Last Seen 2025-03-20 20:42:56 +04 Local ID 6957e2e1-3a4c-4912-b630-4d354739cf5a Raw Audit Messages type=AVC msg=audit(1742488976.396:153): avc: denied { read } for pid=2112 comm="cobblerd" name="redhat" dev="sda1" ino=4 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1742488976.396:153): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f7a3f58df90 a2=90800 a3=0 items=0 ppid=1 pid=2112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root Hash: cobblerd,cobblerd_t,dosfs_t,dir,read
SELinux is preventing /usr/bin/python3.9 from getattr access on the file /boot/efi/EFI/redhat/shim.efi. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /boot/efi/EFI/redhat/shim.efi default label should be boot_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /boot/efi/EFI/redhat/shim.efi ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that python3.9 should be allowed getattr access on the shim.efi file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd # semodule -X 300 -i my-cobblerd.pp Additional Information: Source Context system_u:system_r:cobblerd_t:s0 Target Context system_u:object_r:dosfs_t:s0 Target Objects /boot/efi/EFI/redhat/shim.efi [ file ] Source cobblerd Source Path /usr/bin/python3.9 Port <Unknown> Host <Unknown> Source RPM Packages python3-3.9.21-1.el9_5.x86_64 Target RPM Packages shim-x64-15.8-1.0.3.el9.x86_64 SELinux Policy RPM selinux-policy-targeted-38.1.45-3.0.1.el9_5.noarch Local Policy RPM cobbler-selinux-3.3.7-1.el9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name netboot.bp.local Platform Linux netboot.bp.local 5.14.0-503.33.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 19 06:55:43 PDT 2025 x86_64 x86_64 Alert Count 1 First Seen 2025-03-20 20:45:33 +04 Last Seen 2025-03-20 20:45:33 +04 Local ID 1d33dba9-f4b3-4e79-a746-729372392792 Raw Audit Messages type=AVC msg=audit(1742489133.911:159): avc: denied { getattr } for pid=2112 comm="cobblerd" path="/boot/efi/EFI/redhat/shim.efi" dev="sda1" ino=11 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1742489133.911:159): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=ffffff9c a1=7f7a3f3aec90 a2=7f7a3f3649b0 a3=0 items=0 ppid=1 pid=2112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cobblerd exe=/usr/bin/python3.9 subj=system_u:system_r:cobblerd_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root Hash: cobblerd,cobblerd_t,dosfs_t,file,getattr