Description of problem:
Cobblerd does not have access to /var/satellite on nfs.

Version-Release number of selected component (if applicable):
RHN Satellite 5.4.1 on RHEL6
cobbler-2.0.7-10.el6sat.noarch
spacewalk-selinux-1.2.1-5.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1. mount your /var/satellite through nfs
2. /usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1
3. watch audit.log

Actual results:
type=AVC msg=audit(1306497900.246:453010): avc: denied { search } for pid=40357 comm="cobblerd" name="" dev=0:15 ino=33292289 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

Expected results:
No AVC denial.

Additional info:
# find /var -inum 33292289
/var/satellite
# ls -ldZ /var/satellite/rhn/
drwxr-xr-x. apache root system_u:object_r:nfs_t:s0 /var/satellite/rhn/
Fixed in Spacewalk master, 00242dd1722b463915f9dd3ce4c8962fe82844f6 -- we shall set the cobbler_use_nfs SELinux boolean.
Cherry picked to SATELLITE-5.4. 1391cdf030d49feb7a5f51c09a486f95b42bb6d5. Tagged and built as spacewalk-setup-1.2.6-11.
I confirm that the cobbler_use_nfs boolean is the fix. However, the solution:
  if (seen_nfs and have_selinux)
    /usr/sbin/setsebool -P cobbler_use_nfs on
in setup.pl will not work for deployments when the user mounts /var/satellite after the installation. On the other hand, in the RHN Satellite documentation, I cannot find the note about the nfs mountpoint. Moreover, I failed to find an appropriate KBase article (searching for spacewalk_nfs_mountpoint). I think we should have the setsebool cobbler_use_nfs on documented wherever we have setsebool spacewalk_nfs_mountpoint on documented.
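Added example, not part of the bug report or of the Spacewalk code: a POSIX shell check that can be rerun after /var/satellite has been moved to NFS post-installation, the case the comment above says setup.pl misses. The function names, the --apply switch and the /proc/mounts parsing are assumptions of this example; the two boolean names are the ones given in this report.

```shell
#!/bin/sh
# Example only: decide which SELinux booleans a Satellite host needs when
# its data directory is on NFS, and optionally enable them.

# Print the filesystem type of the mount holding path $1, taking the longest
# matching mount point from a /proc/mounts-format file $2.
fstype_of() {
    awk -v p="$1" '
        {
            mp = $2
            # A mount point matches if it is the path itself or a parent dir.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # ">=" lets a later mount on the same point shadow an earlier one.
                if (length(mp) >= best) { best = length(mp); fs = $3 }
            }
        }
        END { print fs }' "${2:-/proc/mounts}"
}

# Booleans named in this report: spacewalk_nfs_mountpoint (reproducer step 2)
# and cobbler_use_nfs (the fix). Prints nothing when the path is not on NFS.
needed_booleans() {
    case "$(fstype_of "$1" "$2")" in
        nfs|nfs4) echo "spacewalk_nfs_mountpoint cobbler_use_nfs" ;;
        *)        echo "" ;;
    esac
}

# Usage: sh check.sh --apply [path]   (path defaults to /var/satellite)
# Persistently enables each needed boolean that is still off.
if [ "${1:-}" = "--apply" ]; then
    selinuxenabled || exit 0
    for b in $(needed_booleans "${2:-/var/satellite}"); do
        getsebool "$b" | grep -q -- '--> on$' || /usr/sbin/setsebool -P "$b" on
    done
fi
```

Without --apply the script only defines the functions, so it can be sourced and `needed_booleans /var/satellite` used as a read-only check.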
I just found setsebool spacewalk_nfs_mountpoint on in the RHN Satellite 5.3.0 release notes.
Moving to Verified. There is bug 709100 to track the documentation.
Re-Verified
Satellite-5.4.1-RHEL6-re20110606.0-x86_64-embedded-oracle.iso
spacewalk-setup-1.2.6-11.el6sat.noarch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
https://rhn.redhat.com/errata/RHEA-2011-0875.html