Description of problem:
There is an SELinux denial during ks distro creation.

Version-Release number of selected component (if applicable):
$ rpm -qa | grep selinux
oracle-instantclient-selinux-10.2-18.fc13.noarch
selinux-policy-targeted-3.7.19-49.fc13.noarch
osa-dispatcher-selinux-5.9.38-1.fc13.noarch
libselinux-utils-2.0.90-5.fc13.x86_64
spacewalk-selinux-1.1.1-1.fc13.noarch
oracle-nofcontext-selinux-0.1-23.17.fc13.noarch
oracle-xe-selinux-10.2-17.fc13.noarch
libselinux-devel-2.0.90-5.fc13.x86_64
libselinux-python-2.0.90-5.fc13.x86_64
spacewalk-monitoring-selinux-1.1.1-1.fc13.noarch
selinux-policy-3.7.19-49.fc13.noarch
libselinux-2.0.90-5.fc13.x86_64
oracle-instantclient-sqlplus-selinux-10.2-18.fc13.noarch
$ rpm -q cobbler
cobbler-2.0.3.1-4.fc13.noarch

How reproducible:
always

Steps to Reproduce:
1. prepare some folder /test with
/tmp/test
`-- images
    `-- pxeboot
        |-- initrd.img
        `-- vmlinuz
2. webUI: create your own distro
3. failure: 'The kernel could not be found at the specified location'

Actual results:
type=AVC msg=audit(1283167084.527:34268): avc: denied { link } for pid=2762 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=2626150 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1283167084.528:34269): avc: denied { write } for pid=2762 comm="cobblerd" name="images" dev=dm-0 ino=1056234 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1283167084.528:34269): avc: denied { add_name } for pid=2762 comm="cobblerd" name="ks-bug493176-228e:1:SpacewalkDefaultOrganization" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1283167084.528:34269): avc: denied { create } for pid=2762 comm="cobblerd" name="ks-bug493176-228e:1:SpacewalkDefaultOrganization" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir

Expected results:
no SELinux denial

Additional info:
Mass-moving to space13.
FYI this bug is still present on sw12 installed on F13:

type=AVC msg=audit(1290595671.434:46358): avc: denied { write } for pid=26481 comm="cobblerd" name="cobbler" dev=dm-0 ino=270738 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1290595671.434:46358): avc: denied { add_name } for pid=26481 comm="cobblerd" name="rendered" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1290595671.434:46358): avc: denied { create } for pid=26481 comm="cobblerd" name="rendered" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1290595671.439:46359): avc: denied { link } for pid=26481 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=794835 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

-- location of distro is in tmp directory
-- I want to point out that this works well on rhel5 but not on F13
The real fix is to chcon the /test to cobbler_tmp_t or some similar type which cobbler can read. The problem only appears on Fedora because on RHEL 5, cobblerd is running unconfined.
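Added example (not part of the original thread and not cobbler or Spacewalk code): a subset of the AVC records quoted in the reports above, grouped by source type, target type and object class. The summary makes the labeling issue visible: cobblerd_t is denied link on files labeled user_tmp_t, which is the denial the relabeling suggestion addresses. The function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from the two reports in this thread (a subset).
SAMPLE = """\
type=AVC msg=audit(1283167084.527:34268): avc: denied { link } for pid=2762 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=2626150 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1283167084.528:34269): avc: denied { write } for pid=2762 comm="cobblerd" name="images" dev=dm-0 ino=1056234 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1283167084.528:34269): avc: denied { add_name } for pid=2762 comm="cobblerd" name="ks-bug493176-228e:1:SpacewalkDefaultOrganization" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1283167084.528:34269): avc: denied { create } for pid=2762 comm="cobblerd" name="ks-bug493176-228e:1:SpacewalkDefaultOrganization" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1290595671.434:46358): avc: denied { write } for pid=26481 comm="cobblerd" name="cobbler" dev=dm-0 ino=270738 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1290595671.439:46359): avc: denied { link } for pid=26481 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=794835 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

# Denied permission set, then source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize(log):
    """Map (source type, target type, class) -> sorted denied permissions."""
    denied = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in denied.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```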
This bug has been fixed in Spacewalk 1.3.