Summary: Trying "cobbler sync" with cobbler-2.0.5-1.fc13.noarch.

SELinux is preventing /usr/bin/python "getattr" access on /boot/memtest86+-4.10.

Detailed Description:

SELinux denied access requested by cobblerd. It is not expected that this access is required by cobblerd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot/memtest86+-4.10 [ file ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages           memtest86+-4.10-2.fc13
Policy RPM                    selinux-policy-3.7.19-37.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 22 Jul 2010 03:31:51 PM EDT
Last Seen                     Thu 22 Jul 2010 03:31:51 PM EDT
Local ID                      aac8c794-898c-470b-86df-7d9f4619aa40
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1279827111.649:22688): avc: denied { getattr } for pid=3841 comm="cobblerd" path="/boot/memtest86+-4.10" dev=sda1 ino=19 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1279827111.649:22688): arch=c000003e syscall=4 success=no exit=-13 a0=7fe508007810 a1=7fe50d9e89a0 a2=7fe50d9e89a0 a3=20 items=0 ppid=1 pid=3841 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

Hash String generated from  catchall,cobblerd,cobblerd_t,boot_t,file,getattr
audit2allow suggests:

#============= cobblerd_t ==============
allow cobblerd_t boot_t:file getattr;
# cobbler sync
task started: 2010-07-22_153126_sync
task started (id=Sync, time=Thu Jul 22 15:31:26 2010)
running pre-sync triggers
cleaning trees
copying bootloaders
trying cachelink /usr/share/syslinux/pxelinux.0 -> /var/lib/.link_cache/dcee0040e100cb19231b8223bdd688b464aad22f -> /var/lib/tftpboot/pxelinux.0
copying: /usr/share/syslinux/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying cachelink /usr/share/syslinux/menu.c32 -> /var/lib/.link_cache/87a9d0b4427a17a026a6ba6685faca4c042ee735 -> /var/lib/tftpboot/menu.c32
copying: /usr/share/syslinux/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /boot/memtest86+-4.10 -> /var/lib/tftpboot/memtest86+-4.10
Exception occured: <class 'cobbler.cexceptions.CX'>
Exception value: 'Cannot read: /boot/memtest86+-4.10'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 95, in run
    rc = self._run(self)
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 184, in runner
    return self.remote.api.sync(self.options.get("verbose",False),logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 610, in sync
    return sync.run()
  File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 112, in run
    self.pxegen.copy_bootloaders()
  File "/usr/lib/python2.6/site-packages/cobbler/pxegen.py", line 98, in copy_bootloaders
    utils.copyfile_pattern('/boot/memtest*', dst, require_match=False, api=self.api, logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1174, in copyfile_pattern
    linkfile(file,dst1,symlink_ok=symlink_ok,api=api,logger=logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1128, in linkfile
    return copyfile(src, dst, api=api, logger=logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1138, in copyfile
    raise CX(_("Cannot read: %s") % src)
!!! TASK FAILED !!!
[root@LAVALIERE tftpboot]# cobbler sync
task started: 2010-07-22_153150_sync
task started (id=Sync, time=Thu Jul 22 15:31:50 2010)
running pre-sync triggers
cleaning trees
copying bootloaders
trying cachelink /usr/share/syslinux/pxelinux.0 -> /var/lib/.link_cache/dcee0040e100cb19231b8223bdd688b464aad22f -> /var/lib/tftpboot/pxelinux.0
copying: /usr/share/syslinux/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying cachelink /usr/share/syslinux/menu.c32 -> /var/lib/.link_cache/87a9d0b4427a17a026a6ba6685faca4c042ee735 -> /var/lib/tftpboot/menu.c32
copying: /usr/share/syslinux/menu.c32 -> /var/lib/tftpboot/menu.c32
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/boot/memtest86+-4.10'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 95, in run
    rc = self._run(self)
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 184, in runner
    return self.remote.api.sync(self.options.get("verbose",False),logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 610, in sync
    return sync.run()
  File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 112, in run
    self.pxegen.copy_bootloaders()
  File "/usr/lib/python2.6/site-packages/cobbler/pxegen.py", line 98, in copy_bootloaders
    utils.copyfile_pattern('/boot/memtest*', dst, require_match=False, api=self.api, logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1174, in copyfile_pattern
    linkfile(file,dst1,symlink_ok=symlink_ok,api=api,logger=logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1081, in linkfile
    if os.path.samefile(src, dst):
  File "/usr/lib64/python2.6/posixpath.py", line 152, in samefile
    s1 = os.stat(f1)
!!! TASK FAILED !!!
Oops, pasted twice in that last comment.
What does cobbler sync do? Does it need to read/copy files in /boot? Miroslav, it looks like we need to add files_read_boot_files(cobblerd_t).
Yes, we should allow it. Fixed in selinux-policy-3.7.19-40.fc13
Yes, it copies things from /boot in order to tftp them. Actually, cobbler has many selinux issues, it looks like it has not been tested with selinux in quite some time. This is especially odd since it definitely tries to work with selinux, as shown by the output of "cobbler check". I will try to file some more bugs, though I think it may take several rounds of policy updates to get through them all.
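The following is an added example, not code from this report, from cobbler or from selinux-policy. It shows what the "audit2allow suggests" line in the alert is derived from, and what the FAQ's "local policy module" workaround looks like end to end: parse raw AVC records into allow rules, wrap them in a module source (.te) file with the require block checkmodule needs, and compile/load it. The first sample record is the AVC line from this report; the second is constructed to show the kind of follow-on denial (read, open) a getattr-only allow would produce once cobblerd actually opens the file to copy it, which is why the proper fix in comment 6 is the files_read_boot_files() interface rather than a single getattr rule. The module name cobblerd_boot is arbitrary.

```shell
#!/bin/sh
# Added example; not code from this bug report, cobbler or selinux-policy.
# Turns raw AVC denial records into allow rules (what "audit2allow suggests"
# does for simple cases), wraps them in a policy-module source (.te) file,
# and shows the commands that compile and load such a module.

# Constructed samples. The first is the AVC record from this report; the
# second is made up: the follow-on denial a getattr-only allow would leave
# once cobblerd opens the file to copy it.
SAMPLE_AVC='type=AVC msg=audit(1279827111.649:22688): avc:  denied  { getattr }  for  pid=3841 comm="cobblerd" path="/boot/memtest86+-4.10" dev=sda1 ino=19 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file'
SAMPLE_AVC2='type=AVC msg=audit(1279827200.000:22700): avc:  denied  { read open }  for  pid=3841 comm="cobblerd" path="/boot/memtest86+-4.10" dev=sda1 ino=19 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file'

# avc_to_allow: AVC records on stdin -> one deduplicated allow rule per record:
#   allow <source type> <target type>:<class> <perm | { perms }>;
# Only the type component (third field) of each security context is used.
avc_to_allow() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep text after "denied {"
        sub(/ *[}].*/, "", perms)            # ...up to the closing brace
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (index(perms, " ")) perms = "{ " perms " }"
        print "allow " src " " tgt ":" cls " " perms ";"
    }' | LC_ALL=C sort -u
}

# te_from_rules <module name>: allow rules on stdin -> module source on stdout,
# with the require block checkmodule needs (types and per-class permissions
# collected from the rules in first-seen order, duplicates dropped).
te_from_rules() {
    awk -v name="$1" '
    $1 == "allow" {
        rules[++nr] = $0
        split($3, tc, ":")                   # "boot_t:file" -> type, class
        if (!($2 in seen_t))    { seen_t[$2] = 1;    tlist[++nt] = $2 }
        if (!(tc[1] in seen_t)) { seen_t[tc[1]] = 1; tlist[++nt] = tc[1] }
        cls = tc[2]
        if (!(cls in seen_c))   { seen_c[cls] = 1;   clist[++nc] = cls }
        perms = $0
        sub(/^allow [^ ]+ [^ ]+ /, "", perms)   # drop "allow src tgt:cls "
        gsub(/[{};]/, "", perms)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((cls, p[i]) in seen_p)) {
                seen_p[cls, p[i]] = 1
                cperms[cls] = cperms[cls] " " p[i]
            }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "    type %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "    class %s {%s };\n", clist[i], cperms[clist[i]]
        print "}\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# load_local_module <module name>: compile "<name>.te" from the current
# directory and load it. Run as root on the affected host; the demo below
# does not call it. "audit2allow -M <name> < denials.log; semodule -i <name>.pp"
# is the short form of the same steps.
load_local_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# Demo: derive the rules from both samples and render the module source.
printf '%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC2" | avc_to_allow | te_from_rules cobblerd_boot
```

After loading a module (or the fixed selinux-policy package), `sesearch -A -s cobblerd_t -t boot_t -c file` shows what the running policy actually grants, which is the quicker check than re-running cobbler sync and reading another traceback. A hand-written module of this kind can only carry raw allow rules; the interface form used in the real fix, files_read_boot_files(cobblerd_t), needs the reference-policy build (a policy_module() .te compiled with the selinux-policy-devel Makefile) and is the better option when the extra access is legitimate, since it grants the whole read permission set instead of chasing denials one permission at a time.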
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.