2448564 – lot of SE denial for "/etc"

Bug 2448564 - lot of SE denial for "/etc"

Summary: lot of SE denial for "/etc"

Keywords:
Status:	ASSIGNED
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	cobbler3.3
Sub Component:
Version:	epel10
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Orion Poplawski
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-18 07:23 UTC by lejeczek
Modified:	2026-03-19 03:53 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description lejeczek 2026-03-18 07:23:47 UTC

Description of problem:

-> $ systemctl restart cobblerd.service
-> $ echo $?
0

-> $ journallf --no-hostname -o cat -u setroubleshootd.service | egrep '(SELinux is prev|ausearch)'
...
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/lvm. For complete SELinux messages run: sealert -l 8a34d355-1c7e-4067-8a71-9d8dc195a5ce
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/lvm.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/aliases.lmdb. For complete SELinux messages run: sealert -l 33eaf315-38b9-47dc-bea8-ff304ffa4281
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/aliases.lmdb.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/adjtime. For complete SELinux messages run: sealert -l 0434ff96-1606-49c7-8bf5-21305bf1b6cd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/adjtime.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/rsyslog.d. For complete SELinux messages run: sealert -l 9812768c-f5b4-4797-b13c-2460e16c68a9
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/rsyslog.d.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/shadow-. For complete SELinux messages run: sealert -l 7cb183c1-8dd1-4876-b242-3e13c50fd53c
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/shadow-.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/cron.d. For complete SELinux messages run: sealert -l 64844e4b-0505-4a7a-ba27-927467c8ae7d
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/cron.d.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/rsyslog.conf. For complete SELinux messages run: sealert -l 06e0f88a-626e-421f-a953-c15026dce51c
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/rsyslog.conf.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/modprobe.d. For complete SELinux messages run: sealert -l 4056949c-0f9a-4f93-af6b-8b8c4bb8d728
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/modprobe.d.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/gshadow-. For complete SELinux messages run: sealert -l 7cb183c1-8dd1-4876-b242-3e13c50fd53c
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/gshadow-.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/audit. For complete SELinux messages run: sealert -l 92fe2325-65a7-4e9e-b6f7-45e6a26c9bb1
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/audit.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/rc.d/rc.local. For complete SELinux messages run: sealert -l f4e2fbad-651e-441c-9d7d-ab62e5524a5d
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/rc.d/rc.local.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/aliases. For complete SELinux messages run: sealert -l 33eaf315-38b9-47dc-bea8-ff304ffa4281
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/aliases.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/exports. For complete SELinux messages run: sealert -l a15993c2-f429-4962-837f-add666d7653c
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/exports.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/gshadow. For complete SELinux messages run: sealert -l 7cb183c1-8dd1-4876-b242-3e13c50fd53c
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/gshadow.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/printcap. For complete SELinux messages run: sealert -l 59791f8c-72e1-4ffa-94b5-b294773af8ec
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/printcap.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/shadow. For complete SELinux messages run: sealert -l 7cb183c1-8dd1-4876-b242-3e13c50fd53c
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/shadow.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/mail. For complete SELinux messages run: sealert -l ecca767a-e96d-4247-8816-acae61dcb3a9
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/mail.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/pdns. For complete SELinux messages run: sealert -l 55b845e3-8e79-44e5-887c-62228a4cffe3
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/pdns.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/glusterfs. For complete SELinux messages run: sealert -l 455112ea-5ff5-4245-a06e-40b8931c4082
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/glusterfs.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/crontab. For complete SELinux messages run: sealert -l c92a50fd-a136-44d4-b52e-f2168264a44e
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/crontab.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/chrony.keys. For complete SELinux messages run: sealert -l 0190301c-c877-4dde-8e6c-61e1d33b258a
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/chrony.keys.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/firewalld. For complete SELinux messages run: sealert -l 3a373204-59f5-42e0-833b-a49907d3b041
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/firewalld.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/sssd. For complete SELinux messages run: sealert -l ed0c0af6-6fe2-410e-bab4-79c947c556d1
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/sssd.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/NetworkManager. For complete SELinux messages run: sealert -l 6a6f0f5c-067d-4892-96fa-6c5244923897
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/NetworkManager.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/cups. For complete SELinux messages run: sealert -l 14546d81-301f-4927-b783-d80192dcf37a
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/cups.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/tor. For complete SELinux messages run: sealert -l 3ac3a8de-a263-42ef-9425-303c8ab22a07
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/tor.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/postfix. For complete SELinux messages run: sealert -l 3a0b1f58-3862-436f-96bf-6f74e02236e9
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/postfix.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/krb5.keytab. For complete SELinux messages run: sealert -l e834d2a7-c167-47a0-970f-9f2ac25a36bd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/krb5.keytab.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/my.cnf.d. For complete SELinux messages run: sealert -l ad61a7cc-5762-4f03-9a63-0e55190e443a
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/my.cnf.d.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/my.cnf. For complete SELinux messages run: sealert -l 4c701791-ac5b-48a3-ab2a-fafac2b8dc1b
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/my.cnf.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/aliases.db. For complete SELinux messages run: sealert -l 33eaf315-38b9-47dc-bea8-ff304ffa4281
SELinux is preventing /usr/bin/python3.12 from getattr access on the file /etc/aliases.db.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/exports.d. For complete SELinux messages run: sealert -l d67525c2-2316-4b89-8824-3fef4c0fe9b3
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/exports.d.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/postfix_relay. For complete SELinux messages run: sealert -l 3a0b1f58-3862-436f-96bf-6f74e02236e9
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/postfix_relay.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/libvirt. For complete SELinux messages run: sealert -l a0dcb35e-0c49-49c9-9b5d-16b9bdfa8251
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/libvirt.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/amavisd. For complete SELinux messages run: sealert -l 913360fd-fa12-49f5-ae6f-88b56c47e460
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/amavisd.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/dovecot. For complete SELinux messages run: sealert -l febaa618-7040-4a81-b851-9e6a58de0fa3
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/dovecot.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/mdevctl.d. For complete SELinux messages run: sealert -l f861a03c-92dd-468e-adc7-d4395d592c6a
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/mdevctl.d.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/openvpn. For complete SELinux messages run: sealert -l 2654ff3a-a748-409a-97b7-c3ee20edce3c
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/openvpn.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/squid. For complete SELinux messages run: sealert -l 4af41d1d-d235-4160-b70c-3d60eaa7c4fe
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/squid.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/redis. For complete SELinux messages run: sealert -l 05c28a8f-35a2-495b-8a08-a188ef55b55f
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/redis.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/valkey. For complete SELinux messages run: sealert -l 05c28a8f-35a2-495b-8a08-a188ef55b55f
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/valkey.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/multipath. For complete SELinux messages run: sealert -l 7990d8ee-e26c-4d9b-bf38-de54195c752d
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/multipath.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/bluetooth. For complete SELinux messages run: sealert -l 958e087c-caea-44e4-9a90-47a3c198c1bc
SELinux is preventing /usr/bin/python3.12 from getattr access on the directory /etc/bluetooth.
# ausearch -c 'cobblerd' --raw | audit2allow -M my-cobblerd

Version-Release number of selected component (if applicable):

cobbler-3.3.7-15.el10

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Comment 1 Orion Poplawski 2026-03-19 03:53:34 UTC

I think this is related to something cobblerd is calling to get information about the system, but I haven't been able to figure out what exactly it is though.  I don't think it's causing any issues.  That said, cobblerd doesn't run well under SELinux.  I generally run it unconfined.

Note You need to log in before you can comment on or make changes to this bug.