Bug 617579 - SELinux is preventing /usr/bin/python "getattr" access on /etc/rc.d/init.d/cobblerd.
SELinux is preventing /usr/bin/python "getattr" access on /etc/rc.d/init...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 13
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:0eb885a55de...
Depends On:
Blocks:
Reported: 2010-07-23 09:22 EDT by Adam Goode
Modified: 2010-11-03 12:01 EDT (History)
CC: 2 users

Doc Type: Bug Fix
Last Closed: 2010-11-03 12:01:15 EDT


Attachments:
cobbler check AVC (18.94 KB, text/plain), 2010-07-23 10:13 EDT, Adam Goode

Description Adam Goode 2010-07-23 09:22:17 EDT
Happens when doing "cobbler check", I think it is trying to determine if cobblerd is running.


Summary:

SELinux is preventing /usr/bin/python "getattr" access on
/etc/rc.d/init.d/cobblerd.

Detailed Description:

SELinux denied access requested by cobblerd. It is not expected that this access
is required by cobblerd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:cobblerd_initrc_exec_t:s0
Target Objects                /etc/rc.d/init.d/cobblerd [ file ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages           cobbler-2.0.5-1.fc13
Policy RPM                    selinux-policy-3.7.19-37.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 23 Jul 2010 09:14:18 AM EDT
Last Seen                     Fri 23 Jul 2010 09:14:18 AM EDT
Local ID                      a45fce9c-cceb-4601-a274-e08eea78ae07
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1279890858.688:29769): avc:  denied  { getattr } for  pid=12985 comm="cobblerd" path="/etc/rc.d/init.d/cobblerd" dev=dm-0 ino=44960 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobblerd_initrc_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1279890858.688:29769): arch=c000003e syscall=4 success=no exit=-13 a0=7f82a80b33e0 a1=7f82b5c658b0 a2=7f82b5c658b0 a3=20 items=0 ppid=1 pid=12985 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)



Hash String generated from  catchall,cobblerd,cobblerd_t,cobblerd_initrc_exec_t,file,getattr
audit2allow suggests:

#============= cobblerd_t ==============
allow cobblerd_t cobblerd_initrc_exec_t:file getattr;
Comment 1 Daniel Walsh 2010-07-23 09:30:26 EDT
Can you execute

# semanage permissive -a cobblerd_t
cobbler check
# semanage permissive -d cobblerd_t

Then grab the output from 

ausearch -m avc -ts recent

So we can get all of the AVC messages.
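The description above ends with the rule audit2allow derives from the single raw AVC record, and Comment 1 asks for the full set of AVCs collected with ausearch so that all of them can be turned into rules at once. The following is an added example (not code from setroubleshoot, audit2allow, cobbler or this bug's reporters) that parses raw audit records in the format pasted above, skips the SYSCALL companion records, merges the denied permissions per (source type, target type, class) the way audit2allow does, and renders the resulting rules and a .te module skeleton. The input is constructed: it contains the getattr denial quoted in this bug plus a made-up "read open" denial against the same file to show how permissions merge. The comma-joining of several permissions in the reproduced "Hash String" is an assumption; for the single-permission case it matches the string setroubleshoot printed above.

```python
"""Parse raw SELinux AVC audit records and derive audit2allow-style rules.
Added example for this bug report; not code from any of the projects involved."""
import re

# Constructed sample: the getattr denial from this bug, its (truncated) SYSCALL
# companion record, and a made-up second denial against the same file.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1279890858.688:29769): avc:  denied  { getattr } for  pid=12985 comm="cobblerd" path="/etc/rc.d/init.d/cobblerd" dev=dm-0 ino=44960 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobblerd_initrc_exec_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1279890858.688:29769): arch=c000003e syscall=4 success=no exit=-13 pid=12985 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
node=(removed) type=AVC msg=audit(1279890900.000:29780): avc:  denied  { read open } for  pid=12985 comm="cobblerd" path="/etc/rc.d/init.d/cobblerd" dev=dm-0 ino=44960 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobblerd_initrc_exec_t:s0 tclass=file
"""

# Only records of type=AVC carry a denial; the permission set sits in braces,
# followed (in this order) by comm, scontext, tcontext and tclass.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type component of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        "comm": m.group("comm"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def parse_audit(text):
    """Parse a block of raw audit output (e.g. 'ausearch -m avc -ts recent')."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def merge_denials(records):
    """Union the denied permissions per (source type, target type, class),
    which is how audit2allow collapses many AVCs into one allow rule."""
    merged = {}
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    return merged


def fmt_perms(perms):
    """One permission is printed bare, several in braces, as audit2allow does."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def audit2allow_rules(records):
    """The 'allow ...;' lines audit2allow would print for these records."""
    return ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p))
            for (s, t, c), p in merge_denials(records).items()]


def render_te_module(records, name="local"):
    """A complete policy module source (what 'audit2allow -M name' writes to name.te)."""
    merged = merge_denials(records)
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged})
    classes = {}
    for (_, _, c), p in merged.items():
        classes.setdefault(c, set()).update(p)
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in classes.items()]
    lines += ["}"]
    for stype in sorted({s for s, _, _ in merged}):
        lines += ["", "#============= %s ==============" % stype]
        lines += ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p))
                  for (s, t, c), p in merged.items() if s == stype]
    return "\n".join(lines) + "\n"


def setroubleshoot_hash_string(rec, plugin="catchall"):
    """Reproduce the 'Hash String' line setroubleshoot prints for a denial.
    Assumption: multiple permissions are joined with commas like the other fields."""
    return ",".join([plugin, rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]]
                    + rec["perms"])


if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    print(setroubleshoot_hash_string(records[0]))
    print(render_te_module(records))
```

Feeding the saved ausearch output into parse_audit gives the merged rule set in one pass; the rendered module is what you would review before deciding whether a local policy module is warranted or, as in this bug, whether the denials should instead be dontaudited in the distribution policy.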
Comment 2 Miroslav Grepl 2010-07-23 09:38:14 EDT
Are you doing 'cobbler check' via cobbler web interface?
Comment 3 Adam Goode 2010-07-23 09:42:44 EDT
No, at the command line.
Comment 4 Adam Goode 2010-07-23 09:43:05 EDT
This is cobbler-2.0.5-1.fc13.noarch from updates-testing, by the way.
Comment 5 Adam Goode 2010-07-23 10:12:34 EDT
Ok, I updated policy.

selinux-policy-3.7.19-39.fc13.noarch
cobbler-2.0.5-1.fc13.noarch

I'm attaching cobbler check AVC messages.

Also, cobbler check suggests that I do this:

1 : you need to set some SELinux content rules to ensure cobbler serves content correctly in your SELinux environment, run the following: /usr/sbin/semanage fcontext -a -t public_content_t "/var/lib/tftpboot/.*" && /usr/sbin/semanage fcontext -a -t public_content_t "/var/www/cobbler/images/.*"
2 : you need to set some SELinux rules if you want to use cobbler-web (an optional package), run the following: /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"
Comment 6 Adam Goode 2010-07-23 10:13:06 EDT
Created attachment 433966
cobbler check AVC
Comment 7 Daniel Walsh 2010-07-23 10:22:36 EDT
Rawhide cobbler has

domain_dontaudit_exec_all_entry_files(cobblerd_t)
domain_dontaudit_read_all_domains_state(cobblerd_t)

Which would eliminate most of these avc messages.

Miroslav can you update F13 policy to whats in Rawhide.
Comment 8 Miroslav Grepl 2010-11-03 12:01:15 EDT
Adam,
are you still getting AVC messages with the latest F13 selinux-policy?

If so, please reopen the bug. Thanks.
