Bug 708357
Summary: avc: denied { search } for comm="cobblerd" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

| Field | Value |
|---|---|
| Product | Red Hat Satellite 5 |
| Component | Server |
| Version | 541 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Šimon Lukašík <slukasik> |
| Assignee | Jan Pazdziora (Red Hat) <jpazdziora> |
| QA Contact | Šimon Lukašík <slukasik> |
| CC | cperry, dyordano, jhutar |
| Fixed In Version | spacewalk-setup-1.2.6-11 |
| Doc Type | Bug Fix |
| Last Closed | 2011-06-17 02:44:38 UTC |
| Bug Blocks | 677501 |

Fixed in Spacewalk master, 00242dd1722b463915f9dd3ce4c8962fe82844f6 -- we shall set cobbler_use_nfs SELinux boolean.

Cherry picked to SATELLITE-5.4. 1391cdf030d49feb7a5f51c09a486f95b42bb6d5.

Tagged and built as spacewalk-setup-1.2.6-11.

I confirm that cobbler_use_nfs boolean is the fix. However the solution:

    if (seen_nfs and have_selinux)
        /usr/sbin/setsebool -P cobbler_use_nfs on

in the setup.pl will not work for deployments where the user mounts
/var/satellite after the installation.

On the other hand, in the RHN Satellite documentation, I cannot find
the note about the nfs mountpoint. Moreover I failed to find
an appropriate KBase article (Searching for spacewalk_nfs_mountpoint).

I think we should have the

    setsebool cobbler_use_nfs on

documented, wherever we have

    setsebool spacewalk_nfs_mountpoint on

documented.

I just found

    setsebool spacewalk_nfs_mountpoint on

in the RHN Satellite 5.3.0 release notes.

Moving to Verified. There is a bug 709100, to track the documentation.

Re-Verified

    Satellite-5.4.1-RHEL6-re20110606.0-x86_64-embedded-oracle.iso
    spacewalk-setup-1.2.6-11.el6sat.noarch

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html

Description of problem:
Cobblerd does not have access to /var/satellite on nfs.

Version-Release number of selected component (if applicable):
RHN Satellite 5.4.1 on RHEL6
cobbler-2.0.7-10.el6sat.noarch
spacewalk-selinux-1.2.1-5.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1. mount your /var/satellite through nfs
2. /usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1
3. watch audit.log

Actual results:

    type=AVC msg=audit(1306497900.246:453010): avc: denied { search } for pid=40357 comm="cobblerd" name="" dev=0:15 ino=33292289 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

Expected results:
No AVC denial.

Additional info:

    # find /var -inum 33292289
    /var/satellite
    # ls -ldZ /var/satellite/rhn/
    drwxr-xr-x. apache root system_u:object_r:nfs_t:s0 /var/satellite/rhn/
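
The comments in this report note that the install-time check in setup.pl misses hosts where /var/satellite is moved to NFS after installation. The following is an added example, not code from this bug report or from spacewalk-setup, of re-running the "is it on NFS" half of that check against a mount table at any later time; the function names and the sample mount table (server name, export) are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from a mount table (stdin, /proc/mounts format) whether
# the SELinux booleans named in this bug report are needed for a path.

# Constructed sample mount table; the NFS server and export are made up.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg-root / ext4 rw,seclabel 0 0
/dev/sda1 /boot ext4 rw,seclabel 0 0
filer.example.com:/export/sat /var/satellite nfs rw,vers=3 0 0
EOF
}

# fs_type_for PATH: print the filesystem type of the mount holding PATH,
# picked by longest mount-point prefix (a later entry wins a tie).
fs_type_for() {
    path=$1 best_len=-1 best_type=
    while read -r _dev mnt type _rest; do
        case "$path/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -ge "$best_len" ]; then
                    best_len=${#mnt} best_type=$type
                fi ;;
        esac
    done
    printf '%s\n' "$best_type"
}

# booleans_needed PATH: print the setsebool commands to run if PATH is on NFS,
# nothing otherwise. It only prints; it never changes the policy itself.
booleans_needed() {
    case "$(fs_type_for "$1")" in
        nfs|nfs4)
            for b in spacewalk_nfs_mountpoint cobbler_use_nfs; do
                printf '/usr/sbin/setsebool -P %s on\n' "$b"
            done ;;
    esac
}

# Demo on the constructed table; on a live host use:
#   booleans_needed /var/satellite < /proc/mounts
sample_mounts | booleans_needed /var/satellite/rhn
```

Run the printed commands only where `selinuxenabled` succeeds, which mirrors the have_selinux half of the setup.pl condition quoted in the comments.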