Summary: After installing cobbler

# rpm -qf /usr/bin/cobblerd
cobbler-2.0.0-1.fc12.noarch

and running it creates a service:

tcp        0      0 127.0.0.1:25151    0.0.0.0:*    LISTEN    1882/python

Also contained in /etc/httpd/conf.d/cobbler.conf is:

ProxyPass /cobbler_api http://localhost:25151/
ProxyPassReverse /cobbler_api http://localhost:25151/

# cobbler check
httpd does not appear to be running and proxying cobbler due to the selinux error below.

SELinux is preventing /usr/sbin/httpd from connecting to port 25151.

Detailed Description:

[httpd has a permissive type (httpd_t). This access was not denied.]

SELinux has denied httpd from connecting to a network port 25151 which does not have an SELinux type associated with it. If httpd should be allowed to connect on 25151, use the semanage command to assign 25151 to a port type that httpd_t can connect to (dns_port_t, http_port_t, ldap_port_t, kerberos_port_t, ocsp_port_t). If httpd is not supposed to connect to 25151, this could signal an intrusion attempt.

Allowing Access:

If you want to allow httpd to connect to 25151, you can execute

semanage port -a -t PORT_TYPE -p tcp 25151

where PORT_TYPE is one of the following: dns_port_t, http_port_t, ldap_port_t, kerberos_port_t, ocsp_port_t.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          25151
Host                          (removed)
Source RPM Packages           httpd-2.2.13-4.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-55.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-166.fc12.x86_64 #1 SMP Wed Dec 9 10:46:22 EST 2009 x86_64 x86_64
Alert Count                   16
First Seen                    Fri 11 Dec 2009 01:55:55 AM CET
Last Seen                     Fri 11 Dec 2009 11:28:44 PM CET
Local ID                      5394e20f-efa7-4996-8a13-57cedf365368
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1260570524.282:45502): avc: denied { name_connect } for pid=7962 comm="httpd" dest=25151 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1260570524.282:45502): arch=c000003e syscall=42 success=yes exit=128 a0=c a1=7f354ab002b8 a2=10 a3=7fff209b6bbc items=0 ppid=7957 pid=7962 auid=500 uid=48 gid=485 euid=48 suid=48 fsuid=48 egid=485 sgid=485 fsgid=485 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-55.fc12,connect_ports,httpd,httpd_t,port_t,tcp_socket,name_connect

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t port_t:tcp_socket name_connect;
You have changed the default way apache runs, so you need to tell SELinux about it.

If you want to change the ports that apache can connect to, you can add this port to http_port_t:

semanage port -a -t http_port_t -p tcp 25151

Running the avc through audit2allow, it also shows booleans you could set.

# audit2allow -wi /tmp/t
node=(removed) type=AVC msg=audit(1260570524.282:45502): avc: denied { name_connect } for pid=7962 comm="httpd" dest=25151 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow system to run with NIS

        Allow access by executing:
        # setsebool -P allow_ypbind 1
        Description:
        Allow HTTPD scripts and modules to connect to the network using TCP.

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1
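The comment above offers two fixes of very different width: labelling the single port 25151 as http_port_t, or flipping httpd_can_network_connect, which lets httpd_t reach any TCP port. The following is an added example, not code from this bug or from cobbler, that parses the raw AVC record quoted in the report and picks the narrower fix when the target port still carries the generic port_t label. The sample record is the one from the report (node= redacted as on the page); the list of port types httpd_t may connect to is the one sealert printed above, and the boolean name is the one audit2allow -w printed above. Everything else (function names, the recommend() decision rules) is this example's own.

```python
import re

# Constructed sample: the AVC record quoted in the report above, node= redacted as on the page.
SAMPLE_AVC = (
    'node=(removed) type=AVC msg=audit(1260570524.282:45502): avc: denied '
    '{ name_connect } for pid=7962 comm="httpd" dest=25151 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)

# Port types httpd_t may name_connect to without any boolean, as listed by sealert above.
HTTPD_CONNECT_TYPES = ("dns_port_t", "http_port_t", "ldap_port_t",
                       "kerberos_port_t", "ocsp_port_t")

_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one audit AVC denial as a dict, or None for any other record."""
    m = _PERMS.search(line)
    if not m:
        return None
    fields = {"perms": m.group(1).split()}
    for key, val in _KV.findall(line):
        fields[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in fields:
            fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields


def recommend(fields):
    """Choose the narrowest change that clears an httpd_t tcp name_connect denial.

    Returns {'scope': 'port' | 'boolean' | 'unknown', 'command': list or None, 'reason': str}.
    The rules are this example's own, not part of any SELinux tool.
    """
    if (fields is None or fields.get("scontext_type") != "httpd_t"
            or fields.get("tclass") != "tcp_socket" or "name_connect" not in fields["perms"]):
        return {"scope": "unknown", "command": None,
                "reason": "not an httpd_t tcp name_connect denial; run audit2allow -w on it"}
    port, target = fields.get("dest"), fields.get("tcontext_type")
    if target == "port_t":
        # Generic port_t: no service has claimed the port, so labelling it opens exactly
        # this one port to httpd_t instead of every port the boolean would open.
        return {"scope": "port",
                "command": ["semanage", "port", "-a", "-t", "http_port_t", "-p", "tcp", port],
                "reason": "port %s still carries the generic port_t label" % port}
    if target in HTTPD_CONNECT_TYPES:
        return {"scope": "unknown", "command": None,
                "reason": "httpd_t may already reach %s; check the loaded policy" % target}
    # Another service's type owns the port; relabelling it would break that service's
    # rules, so what is left is the broad boolean audit2allow -w listed above (or a
    # custom module allowing just this one type).
    return {"scope": "boolean",
            "command": ["setsebool", "-P", "httpd_can_network_connect", "1"],
            "reason": "port %s is typed %s, which httpd_t may not connect to" % (port, target)}


def triage(lines):
    """Run every AVC record in an audit log extract through recommend()."""
    return [recommend(parse_avc(line)) for line in lines if "type=AVC" in line]


if __name__ == "__main__":
    for result in triage([SAMPLE_AVC]):
        print(result["scope"], result["reason"], result["command"])
```

Note that the SYSCALL record paired with this AVC shows success=yes: httpd_t was permissive on that host, so the connection went through and the AVC is a log entry rather than an enforced denial, exactly as the bracketed sealert line says.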
Am I meant to do this, or is it meant to be added as policy within the RPMs? Sure, I can add it for now, but for the future are these not meant to just be installed with the packages? i.e. is this for cobbler itself to add, in a cobbler-selinux package or something? Remember I only reported this since the "automatic bug reporting" tool suggested that I did.

Steve
Well, if cobbler needs to set up apache to connect to port 25151 then maybe it should do it. I am not going to set up every apache site in the world to connect to this port. I would prefer that apache be set up to not be allowed to connect to any port by default and the administrator decide on which ports it can connect. This would potentially prevent apache worms. The goal with SELinux is to be as secure as possible by default, and have little admin. Maybe the init script of the cobbler startup could check the port is defined and then define it if it is not defined. This would only define it if someone actually turned on cobbler.
Hi Daniel,

Yes, agreed, it's the responsibility of the cobbler package, though I think the method is to have a cobbler-selinux package the same as, say:

The bug was auto-assigned to the selinux policy package; it should never have gone there.

# rpm -pql pure-ftpd-selinux-1.0.22-4.fc12.x86_64.rpm
/usr/share/doc/pure-ftpd-selinux-1.0.22
/usr/share/doc/pure-ftpd-selinux-1.0.22/README.SELinux
/usr/share/selinux/packages/pure-ftpd/pureftpd.pp

that contains some policy that is loaded automatically.

Steve
My only concern is the mere adding of the cobbler package does not indicate you are going to use it. So if the cobbler package adds the port, apache will suddenly be able to connect. Adding a policy for cobbler would be good, and I think this is being worked on.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
I have installed and configured cobbler and the required settings as per the following link,
http://centoshowtos.org/installation/kickstart-cobbler-on-centos-server/
and I too get the following error. Can anyone help?

[root@puppetserver puppet]# cobbler status
httpd does not appear to be running and proxying cobbler, or SELinux is in the way.
Original traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/cobbler/cli.py", line 184, in check_setup
    s.ping()
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1235, in request
    self.send_content(h, request_body)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1349, in send_content
    connection.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()
  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)
  File "/usr/lib64/python2.6/socket.py", line 553, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
gaierror: [Errno -2] Name or service not known
(In reply to comment #8) This bug report is for Fedora, not for CentOS. Also your issue doesn't look similar to the one reported here. Last, but not least, this is not a support forum. If you're having issues with cobbler have a look at http://www.cobblerd.org/community.html