Bug 813206 - Default Spacewalk 1.7 install - selinux prevents 'cobbler sync'
Default Spacewalk 1.7 install - selinux prevents 'cobbler sync'
Product: Fedora EPEL
Classification: Fedora
Component: cobbler (Show other bugs)
x86_64 Linux
high Severity urgent
: ---
: ---
Assigned To: James C.
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-04-17 04:50 EDT by Morgan Cox
Modified: 2012-06-06 08:32 EDT (History)
8 users (show)

See Also:
Fixed In Version: 2.2.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-06 08:32:21 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Morgan Cox 2012-04-17 04:50:57 EDT
Description of problem: I have done a default install on a Centos 6 server as outlined 


By default selinux is preventing me doing a 'cobbler sync'

Version-Release number of selected component (if applicable):


How reproducible: 100% on both i386 and x86_64 servers

Steps to Reproduce:
1. Install spacewalk 
2. Setup spacewalk
3. try to cobbler sync
Actual results:

[root@spacewalk ~]# cobbler sync
task started: 2012-04-17_095020_sync
task started (id=Sync, time=Tue Apr 17 09:50:20 2012)
running pre-sync triggers
cleaning trees
mkdir: /var/www/cobbler/rendered
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/var/www/cobbler/rendered'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1280, in mkdir
    return os.makedirs(path,mode)
   File "/usr/lib64/python2.6/os.py", line 157, in makedirs
    mkdir(name, mode)

Exception occured: <type 'exceptions.TypeError'>
Exception value: not all arguments converted during string formatting
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 93, in run
    rc = self._run(self)
   File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 188, in runner
    return self.remote.api.sync(self.options.get("verbose",False),logger=self.logger)
   File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 701, in sync
    return sync.run()
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 110, in run
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 208, in clean_trees
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 176, in make_tftpboot
   File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1285, in mkdir
    raise CX(_("Error creating") % path)

Expected results:

cobbler sync should work fine without disabling selinux

Additional info:
Comment 1 Jan Pazdziora 2012-04-17 04:59:42 EDT
What are the AVC denials in /var/log/audit/audit.log?
Comment 2 Morgan Cox 2012-04-17 05:23:20 EDT

type=AVC msg=audit(1334654492.334:43893): avc:  denied  { write } for  pid=3403 comm="cobblerd" name="cobbler" dev=md2 ino=2229490 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1334654492.334:43893): arch=c000003e syscall=83 success=no exit=-13 a0=7fe3cc0008c0 a1=1ed a2=3e687b3dc8 a3=7fe3dabec6c8 items=0 ppid=1 pid=3403 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)

(I have never really understood SELINUX logs to be honest.....)
Comment 3 Jan Pazdziora 2012-04-17 05:37:17 EDT
Moving to Fedora EPEL / cobbler -- the AVC denial does not show any types / directories owned by Spacewalk.
Comment 4 Jan Pazdziora 2012-04-20 08:44:45 EDT
The problem seems to be caused by the fact that unlike the 2.0 rpm, the 2.2 does not contain all the subdirectories of /var/www/cobbler that cobbler would like to use:

$ rpm -qlp cobbler-2.2.2-1.el6.noarch.rpm | grep rendered
$ rpm -qlp cobbler-2.0.11-2.el6.noarch.rpm | grep rendered

If the rpm contained them, they'd be created with correct SELinux context (cobbler_var_lib_t, most probably) upon rpm installation and the daemon would not attempt to create them.
Comment 5 Miroslav Grepl 2012-04-27 08:40:13 EDT
We have more issue.

=> there are wrong instructions

2. /var/www/cobbler/rendered needs to be owned by cobbler package so it needs to be part of payload

3. probably other issues

had you tested it with SELinux before you pushed a new version of cobbler?

We need to fix it ASAP. So any chance you could revert these changes?

RHEL6.3 Beta has been published, so this not a good time to make big changes in the policy.
Comment 6 James C. 2012-05-21 21:00:37 EDT
I've corrected this in the cobbler.spec and setup.py file, so things should be installed correctly. This patch will be included in cobbler 2.2.3:

For now, manually creating the directory and running restorecon on it should get you up and running. If not please open a new issue on the official github issue tracker for cobbler: https://github.com/cobbler/cobbler/issues

# from master branch:

$ rpm -qif /var/www/cobbler/rendered|grep ^Name
Name        : cobbler

commit 285e3b5183b3b36576a0a60830d5eeaae57c428a
Author: James Cammarata <jimi@sngx.net>
Date:   Mon May 21 19:53:42 2012 -0500

    BUGFIX - adding some untracked directories and the new augeas lense to the setup.py and cobbler.spec files
Comment 7 James C. 2012-05-21 21:38:48 EDT
*** Bug 819497 has been marked as a duplicate of this bug. ***
Comment 8 James C. 2012-06-06 08:32:21 EDT
2.2.3-1 has been released, which resolves this bug.

Note You need to log in before you can comment on or make changes to this bug.