Created attachment 469995: Module that allows access again

Description of problem:
I have a cobbler server providing a RHEL 5.5 installer. The setup has worked great until loading the latest selinux-policy package(s). Now, after selecting RHEL 5.5 in the cobbler PXE menu, the RHEL installer says it cannot download stage2.img from my cobbler server.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-76.fc13.noarch
cobbler-2.0.3.1-4.fc13.noarch

How reproducible:
Always

Steps to Reproduce:
1. Setup RHEL 5 installer profile
2. Have a bare metal system and boot off of PXE
3. Select RHEL 5 in Cobbler PXE menu

Actual results:
Installer complains it cannot download necessary file.

Expected results:
Installer installs.

Additional info:
# restorecon -Rv /var/www/cobbler
(produces no output to stdout, still errors during RHEL install)

Audit.log messages when the download error happens:

type=AVC msg=audit(1292942219.919:56046): avc: denied { getattr } for pid=4084 comm="httpd" path="/var/www/cobbler/ks_mirror/rhel-server-5.5-x86_64/images/stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942219.919:56046): arch=c000003e syscall=4 success=no exit=-13 a0=7f2a33601450 a1=7fff6560cbe0 a2=7fff6560cbe0 a3=0 items=0 ppid=4079 pid=4084 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1292942219.919:56047): avc: denied { getattr } for pid=4084 comm="httpd" path="/var/www/cobbler/ks_mirror/rhel-server-5.5-x86_64/images/stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942219.919:56047): arch=c000003e syscall=6 success=no exit=-13 a0=7f2a33e3a328 a1=7fff6560cbe0 a2=7fff6560cbe0 a3=1 items=0 ppid=4079 pid=4084 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Yes, I know I can create a temporary module to allow this, but I thought I would report it.

After allowing the above audit messages, I received this message:

type=AVC msg=audit(1292942345.373:56049): avc: denied { read } for pid=4085 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942345.373:56049): arch=c000003e syscall=2 success=no exit=-13 a0=7f2a3394c2d8 a1=80000 a2=0 a3=7f2a3394cff0 items=0 ppid=4079 pid=4085 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Allowing that audit message gives me this next:

type=AVC msg=audit(1292942491.806:56081): avc: denied { open } for pid=4089 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942491.806:56081): arch=c000003e syscall=2 success=no exit=-13 a0=7f2a33f95ae8 a1=80000 a2=0 a3=7f2a33f96800 items=0 ppid=4079 pid=4089 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Then the installer works like before. I'll attach the final module that I created.
This is allowed in Rawhide.
(In reply to comment #1)
> This is allowed in Rawhide.

I noticed the F13 RPM changelog says:

* Wed Dec 01 2010 Miroslav Grepl <mgrepl> 3.7.19-74
[snip]
- Backport cobbler and tftpd policy from F14/Rawhide

Perhaps the changelog entry was made, but the actual patch was not committed?
Well it definitely looks like the change is not in the current pool.
My fault, I am missing

cobbler_list_config(httpd_t)
cobbler_read_config(httpd_t)
cobbler_read_lib_files(httpd_t)

You can allow it for now using

# grep cobbler /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
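As an added illustration, not code from this bug report, from the attached module or from the selinux-policy project, the following Python script does by hand what the "grep cobbler ... | audit2allow -M mypol" workaround above does for the AVC records quoted in the report: it parses the denials, merges the denied permissions per (source type, target type, object class) and renders them as a local policy module source. The sample log text is a constructed copy of the AVC records from the report (the SYSCALL records carry no information the rule needs, so only one is included to show it is skipped); the function names are mine, and the module name "mypol" is taken from the workaround.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the bug report, plus one
# SYSCALL record to show that non-AVC lines are ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1292942219.919:56046): avc: denied { getattr } for pid=4084 comm="httpd" path="/var/www/cobbler/ks_mirror/rhel-server-5.5-x86_64/images/stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942219.919:56046): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1292942345.373:56049): avc: denied { read } for pid=4085 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=AVC msg=audit(1292942491.806:56081): avc: denied { open } for pid=4089 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
"""

# One AVC denial: the permission set in braces, then the source and target
# security contexts and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text):
    """Return (source_type, target_type, tclass, frozenset(perms)) per AVC line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no rule data
        # A context is user:role:type[:range]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = frozenset(m.group("perms").split())
        denials.append((stype, ttype, m.group("tclass"), perms))
    return denials


def summarize(denials):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)].update(perms)
    return dict(merged)


def allow_rules(denials):
    """Render the merged denials as TE allow rules, one per (source, target, class)."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summarize(denials).items())
    ]


def module_source(name, denials):
    """Build a complete .te module source: header, require block, allow rules."""
    merged = summarize(denials)
    types = sorted({t for key in merged for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(module_source("mypol", parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Running it prints a module that allows httpd_t { getattr open read } on cobbler_var_lib_t files, which is the shape of rule the three denials in the report add up to. The script is meant to show what a generated local module contains, so that a reviewer can read it before loading it; a module source like this is compiled and loaded with checkmodule -M -m, semodule_package and semodule -i, exactly as audit2allow -M does behind the scenes. Once the fixed selinux-policy package is installed, a temporary module of this kind should be removed again with semodule -r mypol, since it otherwise keeps granting the extra access independently of the distribution policy.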
Fixed in selinux-policy-3.7.19-80.fc13