Bug 666091 - Issue with selinux labels
Summary: Issue with selinux labels
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cobbler
Version: el5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: James C.
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-28 22:55 UTC by Orion Poplawski
Modified: 2012-06-06 13:42 UTC
CC List: 5 users

Fixed In Version: 2.2.3-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-06 13:42:10 UTC
Type: ---
Embargoed:


Description Orion Poplawski 2010-12-28 22:55:38 UTC
Description of problem:

cobbler-check says to run:

/usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/.*"

which results in:

/usr/sbin/semanage: File context for /tftpboot/.* already defined

Version-Release number of selected component (if applicable):
cobbler-2.0.10-1.el5
selinux-policy-2.4.6-279.el5_5.2

CentOS 5.5

Comment 1 Orion Poplawski 2010-12-28 22:56:19 UTC
Also:

# /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"
libsepol.context_from_record: type httpd_sys_content_rw_t is not defined
libsepol.context_from_record: could not create context structure
libsemanage.validate_handler: invalid context system_u:object_r:httpd_sys_content_rw_t:s0 specified for /var/lib/cobbler/webui_sessions/.* [all files]
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not add file context for /var/lib/cobbler/webui_sessions/.*

Comment 2 Scott J Henson 2010-12-29 03:46:58 UTC
Can I get a copy of your /etc/selinux/config please?

Comment 3 Orion Poplawski 2010-12-29 16:18:12 UTC
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

Comment 4 Scott J Henson 2010-12-31 07:01:20 UTC
Are these causing any issues with the operation of cobbler or is it a documentation issue?

Comment 5 James C. 2012-04-17 01:50:50 UTC
This bug is quite old, is it still an issue?

Comment 6 Orion Poplawski 2012-04-17 15:10:46 UTC
Well, cobbler check still says:

1 : you need to set some SELinux content rules to ensure cobbler serves content correctly in your SELinux environment, run the following: /usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/.*" && /usr/sbin/semanage fcontext -a -t public_content_t "/var/www/cobbler"/images/.*
2 : you need to set some SELinux rules if you want to use cobbler-web (an optional package), run the following: /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"

And I think it's a bad idea for a package to be requesting people to change the default labelling.  cobbler seems to work fine with the default labelling.

Comment 7 James C. 2012-04-17 22:42:31 UTC
Ok, so this looks like the same issue Robert Jacobson had reported on the mailing list (in the 2.2.1-1 release thread). Quote:

One more item (bug?); I don't know if this is system-specific to
RHEL/CentOS or not:

Cobbler check says to run this:

   /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"

But in my audit log (and sealert), the context should be
   httpd_sys_rw_content_t
NOT
   httpd_sys_content_rw_t
as reported by "cobbler check"

--------------------------------------


That should be an easy fix.
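An idempotent check for the rules `cobbler check` proposes, as an added example that is not part of this bug report or of cobbler itself: it decides whether a `semanage fcontext` rule should be added, modified or skipped, and rejects a type the loaded policy does not define (the libsepol "type ... is not defined" failure from comment 1). The listing of existing rules and the list of known types are constructed samples standing in for the output of `semanage fcontext -l` and `seinfo -t`, so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `semanage fcontext -l` output: pattern, file type, context.
FCONTEXT_LIST='/tftpboot/.*                 all files   system_u:object_r:public_content_t:s0
/var/www/cobbler/images/.*    all files   system_u:object_r:httpd_sys_content_t:s0'

# Constructed sample of the types the loaded policy defines (what `seinfo -t` lists).
KNOWN_TYPES='public_content_t
httpd_sys_content_t
httpd_sys_rw_content_t'

# fcontext_action PATTERN TYPE -> prints one of: add, modify, skip, unknown-type
fcontext_action() {
    pat=$1; ty=$2
    # A type the policy does not know would make semanage fail with
    # "libsepol.context_from_record: type ... is not defined".
    if ! printf '%s\n' "$KNOWN_TYPES" | grep -qxF -- "$ty"; then
        printf 'unknown-type\n'
        return 0
    fi
    # Exact match on the pattern column; the context is the last field.
    existing=$(printf '%s\n' "$FCONTEXT_LIST" | awk -v p="$pat" '$1 == p { print $NF }')
    if [ -z "$existing" ]; then
        printf 'add\n'                    # no rule yet: -a is correct
    elif [ "$existing" = "system_u:object_r:${ty}:s0" ]; then
        printf 'skip\n'                   # already defined with this type: -a would fail
    else
        printf 'modify\n'                 # defined with another type: use -m, not -a
    fi
}

# fcontext_command PATTERN TYPE -> the semanage command to run, nothing if none is needed
fcontext_command() {
    case $(fcontext_action "$1" "$2") in
        add)    printf '/usr/sbin/semanage fcontext -a -t %s "%s"\n' "$2" "$1" ;;
        modify) printf '/usr/sbin/semanage fcontext -m -t %s "%s"\n' "$2" "$1" ;;
        skip)   ;;
        *)      printf 'error: type %s is not defined in the loaded policy\n' "$2" >&2
                return 1 ;;
    esac
}

# Example run: the rule from comment 1 is already present, so nothing is emitted.
fcontext_command '/tftpboot/.*' public_content_t
```

Any rule that is added or modified only takes effect on existing files after `restorecon -R` on the directory in question.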

Comment 8 Orion Poplawski 2012-04-18 17:14:32 UTC
My point is that cobbler should not be asking the user to make changes to the selinux labelling at all.  The needed labelling should be made part of the standard selinux policy.

Comment 9 James C. 2012-06-06 13:42:10 UTC
Version 2.2.3-1 has been released, which corrects this issue.
