Bug 708357 - avc: denied { search } for comm="cobblerd" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Summary: avc: denied { search } for comm="cobblerd" scontext=unconfined_u:system_r:...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 541
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Šimon Lukašík
URL:
Whiteboard:
Depends On:
Blocks: sat541-blockers
TreeView+ depends on / blocked
 
Reported: 2011-05-27 12:03 UTC by Šimon Lukašík
Modified: 2011-06-17 02:44 UTC (History)
3 users (show)

Fixed In Version: spacewalk-setup-1.2.6-11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-17 02:44:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Šimon Lukašík 2011-05-27 12:03:16 UTC 
Description of problem:
Cobblerd does not have an access to /var/satellite on nfs.


Version-Release number of selected component (if applicable):
RHN Satellite 5.4.1 on RHEL6
cobbler-2.0.7-10.el6sat.noarch
spacewalk-selinux-1.2.1-5.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1. mount your /var/satellite through nfs
2. /usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1
3. watch audit.log
  
Actual results:
type=AVC msg=audit(1306497900.246:453010): avc:  denied  { search } for  pid=40357 comm="cobblerd" name="" dev=0:15 ino=33292289 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

Expected results:
No AVC denial.

Additional info:
# find /var -inum 33292289
/var/satellite
# ls -ldZ /var/satellite/rhn/
drwxr-xr-x. apache root system_u:object_r:nfs_t:s0       /var/satellite/rhn/
Comment 2 Jan Pazdziora 2011-05-27 14:19:32 UTC 
Fixed in Spacewalk master, 00242dd1722b463915f9dd3ce4c8962fe82844f6 -- we shall set cobbler_use_nfs SELinux boolean.
Comment 3 Jan Pazdziora 2011-05-27 14:35:03 UTC 
Cherry picked to SATELLITE-5.4. 1391cdf030d49feb7a5f51c09a486f95b42bb6d5.

Tagged and built as spacewalk-setup-1.2.6-11.
Comment 5 Šimon Lukašík 2011-05-30 10:39:43 UTC 
I confirm that cobbler_use_nfs boolean is the fix. However the solution:

    if (seen_nfs and have_selinux)
      /usr/sbin/setsebool -P cobbler_use_nfs on

in the setup.pl will not work for the deployments, when user mounts
the /var/satellite after the installation.

On the other hand, in the RHN Satellite documentation, I cannot found
the note about the nfs mountpoint. Moreover I failed to found
an appropriate KBase article (Searching for spacewalk_nfs_mountpoint).

I think we should have the

    setsebool cobbler_use_nfs on

documented, whereever we have

    setsebool spacewalk_nfs_mountpoint on

documented.
Comment 6 Šimon Lukašík 2011-05-30 10:43:35 UTC 
I just found 

    setsebool spacewalk_nfs_mountpoint on

in the RHN Satellite 5.3.0 release notes.
Comment 7 Šimon Lukašík 2011-05-30 15:48:33 UTC 
Moving to Verified.

There is a bug 709100, to track the documentation.
Comment 8 Dimitar Yordanov 2011-06-09 13:25:09 UTC 
Re-Verified
Satellite-5.4.1-RHEL6-re20110606.0-x86_64-embedded-oracle.iso
spacewalk-setup-1.2.6-11.el6sat.noarch
Comment 9 Clifford Perry 2011-06-17 02:44:38 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html
Note You need to log in before you can comment on or make changes to this bug.