Bug 702274 - AVC denial: cobbler getattr on /var/lib/rhn/kickstarts/wizard/ksname-kvm
Summary: AVC denial: cobbler getattr on /var/lib/rhn/kickstarts/wizard/ksname-kvm
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Provisioning
Version: 541
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Šimon Lukašík
URL:
Whiteboard:
Duplicates: 703064
Depends On:
Blocks: sat541-blockers 694468
 
Reported: 2011-05-05 09:02 UTC by Šimon Lukašík
Modified: 2011-06-17 02:43 UTC (History)

Fixed In Version: spacewalk-selinux-1.2.1-5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-17 02:43:20 UTC
Target Upstream Version:
Embargoed:


Attachments
snippet from catalina.out (9.68 KB, text/plain), 2011-05-05 09:03 UTC, Šimon Lukašík

Description Šimon Lukašík 2011-05-05 09:02:30 UTC
Description of problem:
Due to an AVC denial, cobbler is unable to getattr() on
/var/lib/rhn/kickstarts/wizard/ksname-kvm. As a result,
the user is unable to create a kickstart profile through the API.

Version-Release number of selected component (if applicable):
Satellite.5.4.1 on RHEL6

How reproducible:
1 of 1 retrials.


Steps to Reproduce:
1. satellite-sync -c rhel-${arch}-server-6 \
   -c rhn-tools-rhel-${arch}-server-6
2. register a client system
3. add virtualization_host entitlement to the client
4. API client.kickstart.createProfile()


Actual results:
xmlrpclib.Fault: <Fault -1: 'redstone.xmlrpc.XmlRpcFault:
unhandled internal exception: XmlRpcException calling cobbler.'>

Expected results:
PASS

Additional info:
Regression against Satellite 5.4.0 on RHEL5.

Comment 1 Šimon Lukašík 2011-05-05 09:03:25 UTC
Created attachment 497012 [details]
snippet from catalina.out

Comment 2 Šimon Lukašík 2011-05-05 09:04:13 UTC
type=AVC msg=audit(1304585307.620:287728): avc:  denied  { getattr } for  pid=7764 comm="cobblerd" path="/var/lib/rhn/kickstarts/wizard/ksname-kvm-1--1.cfg" dev=dm-0 ino=3014681 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1304585341.040:287729): avc:  denied  { getattr } for  pid=7798 comm="cobblerd" path="/var/lib/rhn/kickstarts/wizard/ksname-kvm-1--1.cfg" dev=dm-0 ino=3014681 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1304585400.520:287730): avc:  denied  { getattr } for  pid=7846 comm="cobblerd" path="/var/lib/rhn/kickstarts/wizard/ksname-kvm-1--1.cfg" dev=dm-0 ino=3014681 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

Comment 3 Šimon Lukašík 2011-05-05 09:08:42 UTC
The following are additional AVC denials which occurred prior to
the described failure.


type=AVC msg=audit(1304429820.302:276704): avc:  denied  { search } for  pid=29144 comm="cobblerd" name="satellite" dev=dm-0 ino=2886166 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.302:276704): avc:  denied  { search } for  pid=29144 comm="cobblerd" name="rhn" dev=dm-0 ino=2886219 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.302:276704): avc:  denied  { getattr } for  pid=29144 comm="cobblerd" path="/var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/vmlinuz" dev=dm-0 ino=3028813 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
type=AVC msg=audit(1304429820.396:276705): avc:  denied  { getattr } for  pid=29147 comm="cobblerd" path="/var/satellite" dev=dm-0 ino=2886166 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.396:276706): avc:  denied  { getattr } for  pid=29147 comm="cobblerd" path="/var/satellite/rhn" dev=dm-0 ino=2886219 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.399:276707): avc:  denied  { link } for  pid=29147 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=3028813 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file

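The AVC records quoted in comments 2 and 3 carry everything needed to tell the two causes of this bug apart: the kickstart config under /var/lib/rhn is denied with a generic var_lib_t target label (a mislabelled file, fixed by restoring the context), while the files under /var/satellite carry the correct spacewalk_data_t label and are denied because the policy lacked the rule (fixed by allowing cobblerd_t to read spacewalk_data_t). The following parser is an added example, not code from the bug report or from the spacewalk-selinux package: it reads audit AVC lines, groups them into (source type, target type, class) -> permissions the way audit2allow summarises them, and applies a constructed heuristic that flags generic target labels as "relabel" candidates and everything else as a "policy" gap. The sample log is constructed from the records quoted above; the list of generic types is an assumption for the heuristic, not an authoritative set.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records quoted in comments 2 and 3.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1304585307.620:287728): avc:  denied  { getattr } for  pid=7764 comm="cobblerd" path="/var/lib/rhn/kickstarts/wizard/ksname-kvm-1--1.cfg" dev=dm-0 ino=3014681 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1304429820.302:276704): avc:  denied  { search } for  pid=29144 comm="cobblerd" name="satellite" dev=dm-0 ino=2886166 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:spacewalk_data_t:s0 tclass=dir
type=AVC msg=audit(1304429820.302:276704): avc:  denied  { getattr } for  pid=29144 comm="cobblerd" path="/var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/vmlinuz" dev=dm-0 ino=3028813 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
type=AVC msg=audit(1304429820.399:276707): avc:  denied  { link } for  pid=29147 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=3028813 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:spacewalk_data_t:s0 tclass=file
"""

# Shape of a kernel AVC record: header, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (path, comm, name) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed heuristic list: generic labels that a file normally only carries when it was
# created or moved without the proper file context being applied.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_t", "default_t", "unlabeled_t", "file_t"}


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type:level security context."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return dict(rules)


def suggest_allow_rules(log_text):
    """Render the grouped denials as TE allow rules, in the form audit2allow would print."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in summarize(log_text).items()
    )


def classify(log_text):
    """Triage each denial group: a generic target label points at a mislabelled object
    (fix with restorecon), a specific application type points at a missing policy rule."""
    return {
        key: ("relabel" if key[1] in GENERIC_TARGET_TYPES else "policy")
        for key in summarize(log_text)
    }


if __name__ == "__main__":
    for rule in suggest_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for key, verdict in sorted(classify(SAMPLE_AUDIT_LOG).items()):
        print(f"{key}: {verdict}")
```

Run over the sample, the var_lib_t group comes out as "relabel" and the two spacewalk_data_t groups as "policy", which matches the two-part fix described later in this report. Treat the allow rules as a starting point for review rather than something to load blindly: the right response to the var_lib_t denial is restoring the file's context, not an allow rule granting cobblerd_t access to every var_lib_t file.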
Comment 6 Martin Minar 2011-05-09 11:56:28 UTC
*** Bug 703064 has been marked as a duplicate of this bug. ***

Comment 8 Michael Mráka 2011-05-10 09:42:54 UTC
Fixed in spacewalk master by
commit c7030d3f79f5ee4a77900b455bcdd79313865129
    702274 - restore kickstart files context
commit 67aa9aadb05d3875c483fc926aa5e80c4fc5ae55
    702274 - fixed context of kickstart configs
commit 121140517b765134eeb56caff84fdbb88247ccf3
    702274 - allow cobblerd_t to read spacewalk_data_t

Fixed spacewalk package: spacewalk-selinux-1.5.1-1

Comment 9 Michael Mráka 2011-05-10 10:10:44 UTC
Backported to SATELLITE-5.4 as
commit 13d48bb464d7a043846b6e519a0632e918b292d5
    702274 - restore kickstart files context 
    Conflicts:    
        selinux/spacewalk-selinux/spacewalk-selinux-enable
commit a50ee804bce9cf63fa3543def907118ab5c5000d
    702274 - fixed context of kickstart configs
commit 8055cebc4ee54f466eb9e569f05fc17ceca467c9
    702274 - allow cobblerd_t to read spacewalk_data_t
    Conflicts:    
        selinux/spacewalk-selinux/spacewalk.te

Comment 11 Jan Pazdziora (Red Hat) 2011-05-10 14:59:03 UTC
Had to fix unconfined_u error on RHEL 5, Spacewalk master, 5df365a25f7a344b31fb8f24ed4a43a1db177516.

Pulling from ON_QA.

Comment 13 Jan Pazdziora (Red Hat) 2011-05-10 15:28:20 UTC
(In reply to comment #11)
> Had to fix unconfined_u error on RHEL 5, Spacewalk master,
> 5df365a25f7a344b31fb8f24ed4a43a1db177516.
> 
> Pulling from ON_QA.

Cherry picked to SATELLITE-5.4, e08f8d4656432a984867b9183b8525c63ef14f66.

Tagged and built as spacewalk-selinux-1.2.1-5.

Comment 15 Šimon Lukašík 2011-05-17 10:04:34 UTC
Changing to verified:

On rhel6 with the latest spacewalk-selinux package no AVC denial occurs
during the kickstart of virtualized guest through Satellite.

Testing procedure:
 - Automated test

Verified against:
spacewalk-selinux-1.2.1-5.el6sat

Comment 16 Milan Zázrivec 2011-06-08 10:05:56 UTC
Verified in stage w/ spacewalk-selinux-1.2.1-5 -> release pending.

Comment 17 Clifford Perry 2011-06-17 02:43:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html

