Bug 664749 - New Cobbler policy may be too restrictive
Summary: New Cobbler policy may be too restrictive
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-21 14:44 UTC by Michael Cronenworth
Modified: 2011-05-13 18:32 UTC (History)
CC List: 2 users

Fixed In Version: selinux-policy-3.7.19-80.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-13 18:32:05 UTC
Type: ---
Embargoed:


Attachments
Module that allows access again (248 bytes, application/octet-stream), 2010-12-21 14:44 UTC, Michael Cronenworth

Description Michael Cronenworth 2010-12-21 14:44:33 UTC
Created attachment 469995
Module that allows access again

Description of problem: I have a cobbler server providing a RHEL 5.5 installer. The setup has worked great until loading the latest selinux-policy package(s). Now, after selecting RHEL 5.5 in the cobbler PXE menu, the RHEL installer says it cannot download stage2.img from my cobbler server.


Version-Release number of selected component (if applicable): 
selinux-policy-targeted-3.7.19-76.fc13.noarch
cobbler-2.0.3.1-4.fc13.noarch


How reproducible: Always


Steps to Reproduce:
1. Set up RHEL 5 installer profile
2. Have a bare metal system and boot off of PXE
3. Select RHEL 5 in Cobbler PXE menu
  
Actual results: Installer complains it cannot download necessary file.


Expected results: Installer installs.


Additional info:
# restorecon -Rv /var/www/cobbler
(produces no output to stdout, still errors during RHEL install)

Audit.log messages when the download error happens:
type=AVC msg=audit(1292942219.919:56046): avc:  denied  { getattr } for  pid=4084 comm="httpd" path="/var/www/cobbler/ks_mirror/rhel-server-5.5-x86_64/images/stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942219.919:56046): arch=c000003e syscall=4 success=no exit=-13 a0=7f2a33601450 a1=7fff6560cbe0 a2=7fff6560cbe0 a3=0 items=0 ppid=4079 pid=4084 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1292942219.919:56047): avc:  denied  { getattr } for  pid=4084 comm="httpd" path="/var/www/cobbler/ks_mirror/rhel-server-5.5-x86_64/images/stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942219.919:56047): arch=c000003e syscall=6 success=no exit=-13 a0=7f2a33e3a328 a1=7fff6560cbe0 a2=7fff6560cbe0 a3=1 items=0 ppid=4079 pid=4084 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Yes, I know I can create a temporary module to allow this, but I thought I would report it. After allowing the above audit messages, I received this message:
type=AVC msg=audit(1292942345.373:56049): avc:  denied  { read } for  pid=4085 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942345.373:56049): arch=c000003e syscall=2 success=no exit=-13 a0=7f2a3394c2d8 a1=80000 a2=0 a3=7f2a3394cff0 items=0 ppid=4079 pid=4085 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Allowing that audit message gives me this next:
type=AVC msg=audit(1292942491.806:56081): avc:  denied  { open } for  pid=4089 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1292942491.806:56081): arch=c000003e syscall=2 success=no exit=-13 a0=7f2a33f95ae8 a1=80000 a2=0 a3=7f2a33f96800 items=0 ppid=4079 pid=4089 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Then the installer works like before. I'll attach the final module that I created.

Comment 1 Daniel Walsh 2010-12-21 15:19:23 UTC
This is allowed in Rawhide.

Comment 2 Michael Cronenworth 2010-12-21 15:24:44 UTC
(In reply to comment #1)
> This is allowed in Rawhide.

I noticed the F13 RPM changelog says:
* Wed Dec 01 2010 Miroslav Grepl <mgrepl> 3.7.19-74
[snip]
- Backport cobbler and tftpd policy from F14/Rawhide

Perhaps the changelog entry was made, but the actual patch was not committed?

Comment 3 Daniel Walsh 2010-12-21 15:32:17 UTC
Well it definitely looks like the change is not in the current pool.

Comment 4 Miroslav Grepl 2010-12-21 17:10:30 UTC
My fault, I am missing 

    cobbler_list_config(httpd_t)
    cobbler_read_config(httpd_t)
    cobbler_read_lib_files(httpd_t)


You can allow it for now using

# grep cobbler /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
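
The denial sequence in the report (getattr, then read, then open, each one surfacing only after the previous one had been allowed) and the audit2allow step in comment 4 both come down to collapsing AVC records into allow rules. The following Python is an added example written for this page; it is not audit2allow, not the attached module, and not part of selinux-policy. It parses the AVC lines quoted above (copied here as constructed input, with one SYSCALL record included to show it is ignored) using a hand-rolled regex that understands only type=AVC records, and emits the type-enforcement text a local module built from them would contain. The names parse_denials, allow_rules, type_enforcement and the module name mypol are this example's own.

```python
"""Collapse SELinux AVC denials into allow rules, the way a local
audit2allow -M module would.  Added example for this bug report; not
part of selinux-policy or audit2allow.  Only type=AVC records are
parsed, and rules are type-based (no MLS range handling)."""
import re
from collections import defaultdict

# Constructed input: the three AVC records quoted in the report plus one
# SYSCALL record, which carries no scontext/tcontext and must be skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1292942219.919:56046): avc:  denied  { getattr } for  pid=4084 comm="httpd" path="/var/www/cobbler/ks_mirror/rhel-server-5.5-x86_64/images/stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1292942219.919:56046): arch=c000003e syscall=4 success=no exit=-13 a0=7f2a33601450 a1=7fff6560cbe0 a2=7fff6560cbe0 a3=0 items=0 ppid=4079 pid=4084 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7735 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1292942345.373:56049): avc:  denied  { read } for  pid=4085 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1292942491.806:56081): avc:  denied  { open } for  pid=4089 comm="httpd" name="stage2.img" dev=dm-2 ino=184507 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file',
]

# Matches the permission set and the three fields a type-enforcement rule needs.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} '
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """user:role:type:level -> type.  Index 2 is the type even when the
    level itself contains colons (e.g. s0-s0:c0.c1023)."""
    return context.split(':')[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial."""
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:          # SYSCALL, PATH, CWD ... records have no AVC fields
            continue
        yield (type_of(m['scon']), type_of(m['tcon']), m['tclass'],
               frozenset(m['perms'].split()))


def allow_rules(lines):
    """One allow rule per (source, target, class), with permissions merged."""
    perms = defaultdict(set)
    for src, tgt, cls, p in parse_denials(lines):
        perms[(src, tgt, cls)] |= p
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, cls), p in sorted(perms.items())]


def type_enforcement(module_name, lines):
    """Render the .te text: module header, require block, allow rules."""
    denials = list(parse_denials(lines))
    types = sorted({t for src, tgt, _, _ in denials for t in (src, tgt)})
    class_perms = defaultdict(set)
    for _, _, cls, p in denials:
        class_perms[cls] |= p
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
            for cls, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Prints a single rule: allow httpd_t cobbler_var_lib_t:file { getattr open read };
    print(type_enforcement("mypol", SAMPLE_LOG))
```

Two things worth noting when using this the way comment 4 suggests. First, httpd stops at the first denied call (the stat of stage2.img, syscall 4 in the first SYSCALL record) and never reaches open until getattr and read are permitted, which is why the reporter saw one new denial per module iteration; running the three denials through the collapser at once yields the complete rule in one pass. Second, the rule grants httpd_t read access to everything labelled cobbler_var_lib_t, not just this one image, which is broader than the symptom but matches what the fixed policy grants through cobbler_read_lib_files(httpd_t); once selinux-policy-3.7.19-80.fc13 is installed the local module should be dropped again with semodule -r mypol so it does not silently outlive the fix.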

Comment 5 Miroslav Grepl 2010-12-22 12:26:48 UTC
Fixed in selinux-policy-3.7.19-80.fc13
