Bug 706857 - SELinux is preventing /usr/sbin/getsebool "read" access on booleans.
SELinux is preventing /usr/sbin/getsebool "read" access on booleans.
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Provisioning (Show other bugs)
541
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
Šimon Lukašík
setroubleshoot_trace_hash:1e344471508...
:
Depends On: 617573
Blocks: 634222 sat541-blockers
  Show dependency treegraph
 
Reported: 2011-05-23 05:14 EDT by Šimon Lukašík
Modified: 2011-06-16 22:45 EDT (History)
13 users (show)

See Also:
Fixed In Version: cobbler-2.0.7-9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 617573
Environment:
Last Closed: 2011-06-16 22:45:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Šimon Lukašík 2011-05-23 05:14:44 EDT
In the Satellite documentation (reference guide)

    11.1.5. Syncing and Starting the Cobbler Service

there is the 'cobbler check' command referenced. However with RHN Satellite
5.4.1 on rhel6.1 this command triggers AVC denial.

type=AVC msg=audit(1306140729.227:352895): avc:  denied  { read } for  pid=14322 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
libselinux-utils-2.0.94-5.el6.x86_64
cobbler-2.0.7-8.el6sat.noarch
selinux-policy-3.7.19-93.el6.noarch
spacewalk-selinux-1.2.1-5.el6sat.noarch




+++ This bug was initially created as a clone of Bug #617573 +++

Happened while running "cobbler check" which attempts to probe selinux in some ways to suggest setting booleans.


Summary:

SELinux is preventing /usr/sbin/getsebool "read" access on booleans.

Detailed Description:

SELinux denied access requested by getsebool. It is not expected that this
access is required by getsebool and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                booleans [ dir ]
Source                        getsebool
Source Path                   /usr/sbin/getsebool
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libselinux-utils-2.0.90-5.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-37.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 23 Jul 2010 09:11:08 AM EDT
Last Seen                     Fri 23 Jul 2010 09:11:08 AM EDT
Local ID                      d5bd6fd8-fd6a-4fa3-86cf-6a4bd3ef1678
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1279890668.345:29611): avc:  denied  { read } for  pid=12827 comm="getsebool" name="booleans" dev=selinuxfs ino=19 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1279890668.345:29611): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaa753650 a1=90800 a2=367b407f00 a3=fffffff6 items=0 ppid=5950 pid=12827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="getsebool" exe="/usr/sbin/getsebool" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)



Hash String generated from  catchall,getsebool,cobblerd_t,security_t,dir,read
audit2allow suggests:

#============= cobblerd_t ==============
allow cobblerd_t security_t:dir read;

--- Additional comment from dwalsh@redhat.com on 2010-07-23 15:48:03 CEST ---

cobbler should not be hard coding SELinux checks into itself.  Others might write different policy decisions and cobbler can run fine with different labelling.

We need to fix the labeling in the selinux policy package but do not check with the tool.

If you want to check the state of booleans, (Not a great idea) you can use the selinux python bindings.

   import selinux
   def check_selinux(self,status):
       """
       Suggests various SELinux rules changes to run Cobbler happily with
       SELinux in enforcing mode.  FIXME: this method could use some
       refactoring in the future.
       """
       enabled = (selinux.is_selinux_enabeled() == 0)
       if enabled:
          if selinux.security_get_boolean_active("httpd_can_network_connect") != 1:
             status.append(_("Must enable a selinux boolean to enable vital web services components, run: setsebool -P httpd_can_network_connect true"))
          if selinux.security_get_boolean_active("rsync_disable_trans") != 1:
             status.append(_("Must enable the cobbler import and replicate commands, run: setsebool -P rsync_disable_trans=1"))

As an example of why this is bad.  rsync_disable_trans does not exist in F13 or RHEL6.

--- Additional comment from dwalsh@redhat.com on 2010-07-23 15:48:30 CEST ---

*** Bug 617574 has been marked as a duplicate of this bug. ***

--- Additional comment from dwalsh@redhat.com on 2010-11-18 22:38:28 CET ---

This bug is present in F14, can we get some progress on it.

--- Additional comment from fedora-admin-xmlrpc@redhat.com on 2011-01-03 15:34:19 CET ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

--- Additional comment from slukasik@redhat.com on 2011-05-23 11:02:22 CEST ---

*** Bug 668536 has been marked as a duplicate of this bug. ***
Comment 2 Jan Pazdziora 2011-05-25 05:12:56 EDT
Taking.
Comment 3 Jan Pazdziora 2011-05-25 05:46:53 EDT
The self.check_selinux(status) was now disabled in Satellite thirdparty, d4e9576809f43a100e33923a987151cb242fe305, as Dan W. says we really shouldn't try to outsmart the default policy or some local settings.

Tagged and built as cobbler-2.0.7-9.

With SELinux in Enforcing, the AVC denial should now be gone.

There are still AVC denials like

type=AVC msg=audit(1306316547.253:514252): avc:  denied  { read } for  pid=28985 comm="cat" name="ip_tables_names" dev=proc ino=4026532188 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1306316547.253:514252): avc:  denied  { open } for  pid=28985 comm="cat" name="ip_tables_names" dev=proc ino=4026532188 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1306316547.253:514253): avc:  denied  { getattr } for  pid=28985 comm="cat" path="/proc/28985/net/ip_tables_names" dev=proc ino=4026532188 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1306316547.256:514254): avc:  denied  { search } for  pid=28976 comm="iptables" name="lock" dev=dm-0 ino=1704685 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1306316547.258:514255): avc:  denied  { create } for  pid=28986 comm="iptables" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:system_r:cobblerd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1306316547.258:514255): avc:  denied  { net_raw } for  pid=28986 comm="iptables" capability=13  scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:system_r:cobblerd_t:s0 tclass=capability
type=AVC msg=audit(1306316547.258:514256): avc:  denied  { getopt } for  pid=28986 comm="iptables" lport=255 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:system_r:cobblerd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1306316547.258:514256): avc:  denied  { net_admin } for  pid=28986 comm="iptables" capability=12  scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:system_r:cobblerd_t:s0 tclass=capability

in Permissive but I don't consider them a blocker (and I assume the upstream will eventually come up with some solid solution).
Comment 5 Šimon Lukašík 2011-05-26 05:50:25 EDT
Moving to Verified:

With cobbler-2.0.7-10.el6sat.noarch the 'cobbler check' command does not
trigger any AVC.
Comment 6 Tomas Lestach 2011-05-31 11:27:46 EDT
# getenforce 
Enforcing
# cobbler check > /dev/null 
# echo $?
0
# grep denied /var/log/audit/audit.log 
#

Stage validated on Satellite-5.4.1-RHEL6-re20110530.0
Comment 7 Clifford Perry 2011-06-16 22:45:26 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html

Note You need to log in before you can comment on or make changes to this bug.