Red Hat Bugzilla – Bug 617580
SELinux is preventing /usr/bin/python "getattr" access on /etc/rc.d/init.d/iptables.
Last modified: 2011-06-29 09:06:07 EDT
Happens when doing "cobbler check", it is attempting to figure out if the firewall might be blocking its ports. Summary: SELinux is preventing /usr/bin/python "getattr" access on /etc/rc.d/init.d/iptables. Detailed Description: SELinux denied access requested by cobblerd. It is not expected that this access is required by cobblerd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:cobblerd_t:s0 Target Context system_u:object_r:iptables_initrc_exec_t:s0 Target Objects /etc/rc.d/init.d/iptables [ file ] Source cobblerd Source Path /usr/bin/python Port <Unknown> Host (removed) Source RPM Packages python-2.6.4-27.fc13 Target RPM Packages iptables-1.4.7-2.fc13 Policy RPM selinux-policy-3.7.19-37.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Fri 23 Jul 2010 09:14:18 AM EDT Last Seen Fri 23 Jul 2010 09:14:18 AM EDT Local ID 217069f8-3b59-4c92-bbd6-7cc6a948e171 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1279890858.699:29770): avc: denied { getattr } for pid=12985 comm="cobblerd" path="/etc/rc.d/init.d/iptables" dev=dm-0 ino=7940 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:iptables_initrc_exec_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1279890858.699:29770): arch=c000003e syscall=4 success=no exit=-13 a0=7f82a80b3560 a1=7f82b5c65960 a2=7f82b5c65960 a3=20 items=0 ppid=1 pid=12985 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null) Hash String generated from catchall,cobblerd,cobblerd_t,iptables_initrc_exec_t,file,getattr audit2allow suggests: #============= cobblerd_t ============== allow cobblerd_t iptables_initrc_exec_t:file getattr;
Why is cobbler touching iptables init script?
The 'cobbler check' command is a helper to let the user know if there are any problems with the configuration on the cobbler host. It needs to figure out if there is a host level firewall in place. Can you think of a better way to determine if the firewall is up? Additionally, I am starting to think some of the checks in cobbler check are going to be purely informational and always display.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Is cobbler check run by an admin?
Yes. It does not make any changes to the environment, only reports on possible issues that might affect the operation of cobbler.
Does cobbler check cause the cobbler daemon to run a service iptables status command? Can't the cobbler command do this itself?
When we released 2.0, we started doing everything that cobbler does inside of cobblerd. This was done for a whole host of reasons. The check command was moved inside of cobblerd at this time for simplicity reasons. Currently the '/usr/bin/cobbler' command is actually a simple xmlrpc client. I would prefer to keep /usr/bin/cobbler as simple as possible (in fact I have plans to make it even dumber and get all information to build its interface from cobblerd). I would be more inclined to remove the actual check parts of these checks and make them purely advisory. Currently many of them take a rather simplistic view of the system anyway. For instance, the firewall check only checks that the firewall is up, then informs you that you need to open some ports. It does not attempt to check that the ports are open. So, I am thinking the correct solution to the problem is to simply remove the call to the iptables service script and always display the message that certain ports need to be open for cobblerd to function properly.
I would rather not give cobbler daemon the ability to play around with the firewall rules. I would rather have you suggest the user check the firewall if you have a problem.
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.