Bug 621095 - Multiple cobblerd_t denials on Fedora-13 running standard Spacewalk installation
Summary: Multiple cobblerd_t denials on Fedora-13 running standard Spacewalk installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 12
Hardware: All
OS: Linux
Importance: low medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On: 620503
Blocks:
Reported: 2010-08-04 08:46 UTC by Milan Zázrivec
Modified: 2010-08-20 01:44 UTC

Fixed In Version: selinux-policy-3.6.32-120.fc12
Clone Of: 620503
Environment:
Last Closed: 2010-08-20 01:44:12 UTC
Type: ---
Embargoed:



Description Milan Zázrivec 2010-08-04 08:46:56 UTC
Cloning for Fedora-12 (supported platform for Spacewalk 1.1), showing
the same denials.

+++ This bug was initially created as a clone of Bug #620503 +++

Created an attachment (id=436078)
SELinux denials

Description of problem:
* Spacewalk 1.1 installation @ Fedora 13
* Multiple SELinux denials

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-39.fc13.noarch
cobbler-2.0.3.1-4.fc13.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install Spacewalk 1.1 @ Fedora 13
2. # grep denied /var/log/audit/audit.log | grep cobblerd_t
  
Actual results:
Multiple denials (see attachment).

Expected results:
No denials

Additional info:
There's xml-rpc communication going on between cobbler & taskomatic
(a cron-like daemon, part of standard Spacewalk / RHN Satellite
installation), which is denied by current selinux-policy.

The cobbler code allowing Spacewalk authentication:
/usr/lib/python2.6/site-packages/cobbler/modules/authn_spacewalk.py

Seeing this functionality is part of standard cobbler and selinux-policy
contains rules for cobblerd_t, this should (I believe) be allowed in
standard Fedora selinux-policy.

--- Additional comment from dwalsh on 2010-08-03 13:34:10 EDT ---

You might need to turn on some booleans.

 getsebool -a | grep cobbler

--- Additional comment from mzazrivec on 2010-08-03 15:25:38 EDT ---

# getsebool -a | grep cobbler
cobbler_anon_write --> on
httpd_can_network_connect_cobbler --> on
# grep denied /var/log/audit/audit.log |grep cobbler
type=AVC msg=audit(1280895846.661:47): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895846.665:48): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895846.665:49): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895846.665:50): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895846.665:51): avc:  denied  { name_connect } for  pid=1612 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895846.665:52): avc:  denied  { name_connect } for  pid=1612 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895900.033:62): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895900.033:63): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895900.033:64): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895900.033:65): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895900.033:66): avc:  denied  { name_connect } for  pid=1653 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895900.035:67): avc:  denied  { name_connect } for  pid=1653 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

--- Additional comment from mgrepl on 2010-08-04 03:58:52 EDT ---

We have these rules in Rawhide. I will add it to F13.
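
The triage step behind this report, as an added example (not code from this bug or from the selinux-policy project): parse the AVC records posted above, collapse the repeats into the distinct (source type, target type, class, permission) tuples, and render them the way audit2allow would. That is what a policy maintainer reads to decide whether an existing boolean covers a denial or the base policy needs new rules; here the three resulting rules are the ones the reporter is asking for. The sample input is the audit.log excerpt from this bug, embedded verbatim; the parser's field handling is my own and assumes the standard `key=value` layout of `type=AVC` lines.

```python
"""Triage SELinux AVC denials from audit.log into candidate allow rules.

Added example; not code from this bug report or from selinux-policy.
It renders denials audit2allow-style so a reviewer sees exactly which
permissions the confined domain (cobblerd_t here) is asking for.
"""
import re
from collections import Counter

# Sample input: the AVC records posted in this bug, copied verbatim.
AUDIT_LINES = """\
type=AVC msg=audit(1280895846.661:47): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895846.665:48): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895846.665:49): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895846.665:50): avc:  denied  { create } for  pid=1612 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895846.665:51): avc:  denied  { name_connect } for  pid=1612 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895846.665:52): avc:  denied  { name_connect } for  pid=1612 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895900.033:62): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895900.033:63): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895900.033:64): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=udp_socket
type=AVC msg=audit(1280895900.033:65): avc:  denied  { create } for  pid=1653 comm="cobblerd" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:system_r:cobblerd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1280895900.033:66): avc:  denied  { name_connect } for  pid=1653 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1280895900.035:67): avc:  denied  { name_connect } for  pid=1653 comm="cobblerd" dest=443 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
""".splitlines()

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; granted records are skipped.
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line into one record per denied permission ([] if not a denial)."""
    m = AVC_RE.search(line)
    if not m or m.group('verdict') != 'denied':
        return []
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return [{
        'perm': perm,
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'dest': fields.get('dest'),   # only present on port-related denials
    } for perm in m.group('perms').split()]


def summarize(lines):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in lines:
        for r in parse_avc(line):
            counts[(r['stype'], r['ttype'], r['tclass'], r['perm'])] += 1
    return counts


def allow_rules(lines):
    """Render the distinct denials as TE allow rules, the way audit2allow prints them."""
    rules = set()
    for stype, ttype, tclass, perm in summarize(lines):
        target = 'self' if ttype == stype else ttype   # same type on both sides -> self
        rules.add(f'allow {stype} {target}:{tclass} {perm};')
    return sorted(rules)


def dest_ports(lines):
    """Destination ports named in name_connect denials (which port type is involved)."""
    return sorted({int(r['dest']) for line in lines for r in parse_avc(line) if r['dest']})


if __name__ == '__main__':
    for key, n in sorted(summarize(AUDIT_LINES).items()):
        print(n, *key)
    print('\n'.join(allow_rules(AUDIT_LINES)))
    print('ports:', dest_ports(AUDIT_LINES))
```

The `self` rendering matches how audit2allow collapses a denial whose source and target types are identical, which is why the netlink and UDP socket creations come out as `allow cobblerd_t self:...` while the HTTPS connection comes out against `http_port_t`. The port list is what tells you the existing `httpd_can_network_connect_cobbler` boolean cannot help: that boolean governs httpd_t, while the source domain in every record here is cobblerd_t, so the fix belongs in the cobbler policy module, which is what the F12 update delivered.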

Comment 1 Daniel Walsh 2010-08-04 17:31:48 UTC
Looks like we got to back port some policy from F13.

Comment 2 Miroslav Grepl 2010-08-05 11:33:37 UTC
Fixed in selinux-policy-3.6.32-120.fc12

Comment 3 Fedora Update System 2010-08-05 13:18:27 UTC
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 4 Fedora Update System 2010-08-05 23:22:35 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 5 Fedora Update System 2010-08-20 01:38:48 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

