Description of problem:
cobbler sync is blocked to create files in /var/lib/tftpboot/

Version-Release number of selected component (if applicable):
rhel6 Satellite-5.4.1-RHEL6-re20110511.0

# rpm -q cobbler
cobbler-2.0.7-8.el6sat.noarch

# rpm -qa | grep selinux
osa-dispatcher-selinux-5.9.38-1.el6sat.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
libselinux-2.0.94-5.el6.x86_64
selinux-policy-3.7.19-93.el6.noarch
oracle-instantclient-selinux-10.2.0.19-2.el6sat.noarch
spacewalk-monitoring-selinux-1.1.1-3.el6sat.noarch
spacewalk-selinux-1.2.1-5.el6sat.noarch
oracle-rhnsat-selinux-10.2.0.16-6.el6sat.noarch
libselinux-utils-2.0.94-5.el6.x86_64
oracle-instantclient-sqlplus-selinux-10.2.0.19-2.el6sat.noarch
libselinux-python-2.0.94-5.el6.x86_64
rh-tests-RHN-Satellite-Installer-Sanity-set-selinux-1.0-6.noarch
libselinux-devel-2.0.94-5.el6.x86_64
oracle-nofcontext-selinux-0.1.23.25-3.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1. cobbler sync

Actual results:
# cobbler sync
task started: 2011-05-24_082023_sync
task started (id=Sync, time=Tue May 24 08:20:23 2011)
running pre-sync triggers
cleaning trees
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-6-61
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-6-60
removing: /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1180, in rmfile
    os.unlink(path)

Exception occured: <class 'cobbler.cexceptions.CX'>
Exception value: 'Error deleting /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 95, in run
    rc = self._run(self)
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 184, in runner
    return self.remote.api.sync(self.options.get("verbose",False),logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 610, in sync
    return sync.run()
  File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 109, in run
    self.clean_trees()
  File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 192, in clean_trees
    utils.rmtree_contents(self.pxelinux_dir,logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1192, in rmtree_contents
    rmtree(x,logger=logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1197, in rmtree
    return rmfile(path,logger=logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1186, in rmfile
    raise CX(_("Error deleting %s") % path)

!!! TASK FAILED !!!

audit.log:
type=AVC msg=audit(1306239512.406:360431): avc: denied { unlink } for pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933237 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.407:360432): avc: denied { write } for pid=2205 comm="cobblerd" name="pxelinux.cfg" dev=dm-0 ino=2493033 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.407:360432): avc: denied { remove_name } for pid=2205 comm="cobblerd" name="01-00-16-3e-41-60-0c" dev=dm-0 ino=2493005 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.407:360432): avc: denied { unlink } for pid=2205 comm="cobblerd" name="01-00-16-3e-41-60-0c" dev=dm-0 ino=2493005 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.408:360433): avc: denied { write } for pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-61" dev=dm-0 ino=2490463 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.408:360433): avc: denied { remove_name } for pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933237 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.409:360434): avc: denied { rmdir } for pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-61" dev=dm-0 ino=2490463 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.416:360435): avc: denied { add_name } for pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-60" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.416:360435): avc: denied { create } for pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-60" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.448:360436): avc: denied { add_name } for pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933101 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.448:360436): avc: denied { link } for pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933101 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.472:360437): avc: denied { create } for pid=2205 comm="cobblerd" name="01-00-16-3e-7e-0a-45" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.472:360437): avc: denied { write } for pid=2205 comm="cobblerd" name="01-00-16-3e-7e-0a-45" dev=dm-0 ino=2491988 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file

Expected results:
no denial

Additional info:
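Added example (editor's code, not part of this bug report and not cobbler's own code): a small triage script that parses AVC records in the shape quoted above and groups the denials by source domain, target type and object class, so that a wall of audit.log lines collapses into the few (domain, type, class, permissions) tuples that actually matter. It also renders each group as the allow rule audit2allow would propose, but only to make the missing access explicit: as the rest of this bug shows, the right fix here was restoring the default labels on /var/lib/tftpboot (the public_content_t relabel was bad advice), not loosening policy. The sample log is constructed from lines quoted in this bug plus one non-AVC record to show the filter skipping it; the SYSCALL line's fields are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, built from AVC lines quoted in this bug report plus one
# non-AVC record (an assumed SYSCALL line) so the filter has something to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1306239512.406:360431): avc: denied { unlink } for pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933237 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.407:360432): avc: denied { write } for pid=2205 comm="cobblerd" name="pxelinux.cfg" dev=dm-0 ino=2493033 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.407:360432): avc: denied { remove_name } for pid=2205 comm="cobblerd" name="01-00-16-3e-41-60-0c" dev=dm-0 ino=2493005 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306403762.292:391551): avc: denied { write } for pid=24952 comm="cobblerd" name="cobbler" dev=dm-0 ino=405425 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1306239512.406:360431): syscall=87 success=no exit=-13
"""

# Header of a kernel AVC record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs after "for"; values are either quoted (comm, name) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    rec.update(fields)
    rec['source_type'] = context_type(rec['scontext'])
    rec['target_type'] = context_type(rec['tcontext'])
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, tclass), collecting perms and names."""
    groups = defaultdict(lambda: {'perms': set(), 'names': set(), 'count': 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        g = groups[(rec['source_type'], rec['target_type'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['names'].add(rec.get('name', '?'))
        g['count'] += 1
    return dict(groups)


def to_allow_rules(summary):
    """Render each group as the allow rule audit2allow would propose (diagnosis only)."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(g['perms'])))
        for (src, tgt, cls), g in sorted(summary.items())
    ]


if __name__ == '__main__':
    s = summarize(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls), g in sorted(s.items()):
        print('%s -> %s (%s): %d denials, perms=%s, names=%s'
              % (src, tgt, cls, g['count'], sorted(g['perms']), sorted(g['names'])))
    print('\n'.join(to_allow_rules(s)))
```

A target type that the source domain is not expected to touch at all (here public_content_t under /var/lib/tftpboot, whose default type on RHEL6 is tftpdir_rw_t) is the signal to check labels with ls -Z and restorecon before even considering a policy change.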
Taking.
How did you create the /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c file with content public_content_t?
(In reply to comment #3) > How did you create the /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c file > with content public_content_t? s/ content / type /
by: semanage fcontext -a -t public_content_t "/var/lib/tftpboot/.*", which is written in help, and restorecon -r /var/lib/tftpboot/ - I did it to be sure; shouldn't I do that?
Jan, in the reference guide (section 11.1.4.1) there is a semanage fcontext -a -t public_content_t "/tftpboot/.*" advised, which most probably applies to rhel5. Note that on a fresh rhel5 there is:

# ls -ldZ /tftpboot/
drwxr-xr-x root root system_u:object_r:tftpdir_t /tftpboot/

On the other hand, on rhel6 we have:

# ls -ldZ /var/lib/tftpboot/
drwxr-xr-x. root root system_u:object_r:tftpdir_rw_t:s0 /var/lib/tftpboot/

In both cases, rhel5 & rhel6, 'cobbler sync' does not traceback on a freshly installed Satellite 5.4.1 (*). The ultimate questions are:
1) why we need public_content_t on rhel5
2) whether we need it on rhel6 as well or not

If the second is not true, we need to cancel bug 706868.

(*) To be precise, on fresh rhel6 there is another, unrelated AVC denial. During 'cobbler sync', cobblerd is writing to /var/www/cobbler.

type=AVC msg=audit(1306318466.014:523007): avc: denied { write } for pid=17557 comm="cobblerd" name="cobbler" dev=dm-0 ino=1968380 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
With cobbler-2.0.7-9, thanks to the change that went into bug 706857, cobbler check will no longer give the ill advice about semanage and public_content_t. In bug 706868 we now track the removal of this from the documentation as well. Moving to MODIFIED/ON_QA -- in general, don't do any manual changes to your Satellite; everything is supposed to work out of the box.
Well, the AVC from comment 0 is gone with cobbler-2.0.7-10.el6sat. On the other hand, 'cobbler sync' does trigger an AVC denial.

type=AVC msg=audit(1306403762.292:391551): avc: denied { write } for pid=24952 comm="cobblerd" name="cobbler" dev=dm-0 ino=405425 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
type=AVC msg=audit(1306403762.292:391551): avc: denied { remove_name } for pid=24952 comm="cobblerd" name="pub" dev=dm-0 ino=790672 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir

# find /var -inum 790672
/var/lib/tftpboot/s390x
# find /var -inum 405425
/var/www/cobbler

Jan, I hesitate whether I should put the bugzilla to Assigned or create a new one. Considering the quite general name of this ticket, I'd prefer to put this back to Assigned.
(In reply to comment #9)
> Well, the AVC from comment 0, is gone with cobbler cobbler-2.0.7-10.el6sat.
> On the other hand `cobbler sync' does trigger AVC denial.
>
> type=AVC msg=audit(1306403762.292:391551): avc: denied { write } for
> pid=24952 comm="cobblerd" name="cobbler" dev=dm-0 ino=405425
> scontext=unconfined_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
> type=AVC msg=audit(1306403762.292:391551): avc: denied { remove_name } for
> pid=24952 comm="cobblerd" name="pub" dev=dm-0 ino=790672
> scontext=unconfined_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
>
> # find /var -inum 790672
> /var/lib/tftpboot/s390x
> # find /var -inum 405425
> /var/www/cobbler
>
> Jan, I hesitate, If I should but the bugzilla to assigned or create a new.
> Considering quite general name of this ticker, I'd prefer to put this
> back to Assigned.

I believe this is some sort of residue from your previous installation of the older version of cobbler. If you switch to Permissive and run cobbler sync and let the thing actually remove /var/www/cobbler/pub, then all subsequent cobbler sync runs should pass because the directory won't be there anymore. Moving back to ON_QA.
Thanks for clarification, Jan. Command 'cobbler sync' in enforcing prior to the test has fixed it. Anyway, I'll check again on a fresh installation.
Jan, 'cobbler sync' on a fresh installation triggers the AVC.

type=AVC msg=audit(1306482611.895:399920): avc: denied { write } for pid=9419 comm="cobblerd" name="cobbler" dev=dm-0 ino=1181993 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir

# find /var/ -inum 1181993
/var/www/cobbler
# rpm -qf /var/www/cobbler/pub
cobbler-2.0.7-10.el6sat.noarch
# ls -laZ /var/www/cobbler/
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:httpd_sys_content_t:s0 ..
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 aux
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 images
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 ks_mirror
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 links
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 localmirror
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 pub
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 rendered
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 repo_mirror
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 svc
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 web
Thanks. Cobbler really shouldn't be removing that pub directory, especially as the cobbler rpm owns it:

# rpm -qf /var/www/cobbler/pub
cobbler-2.0.7-8.el6sat.noarch
Fixed in Satellite thirdparty, fb52e31ea98ce4e3de121f7ac5b0c697205c112b. Tagged and built as cobbler-2.0.7-11.
Changing to Verified: cobbler sync does not trigger any AVC denial. Well done! Verified against: cobbler-2.0.7-11.el6sat.noarch
Verified in stage w/ cobbler-2.0.7-11 -> release pending.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. https://rhn.redhat.com/errata/RHEA-2011-0875.html