Bug 813206 - Default Spacewalk 1.7 install - selinux prevents 'cobbler sync'
Status: CLOSED CURRENTRELEASE
Product: Fedora EPEL
Classification: Fedora
Component: cobbler
Version: el6
Hardware: x86_64
OS: Linux
Priority: high
Severity: urgent
Target Milestone: ---
Assignee: James C.
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-04-17 08:50 UTC by Morgan Cox
Modified: 2012-06-06 12:32 UTC (History)

Fixed In Version: 2.2.3
Last Closed: 2012-06-06 12:32:21 UTC
Type: Bug
Description Morgan Cox 2012-04-17 08:50:57 UTC
Description of problem: I have done a default install on a CentOS 6 server as outlined at

https://fedorahosted.org/spacewalk/wiki/HowToInstall

By default selinux is preventing me doing a 'cobbler sync'


Version-Release number of selected component (if applicable):

spacewalk-postgresql-1.7.3-1.el6.noarch
cobbler-2.2.1-1.el6.noarch


How reproducible: 100% on both i386 and x86_64 servers


Steps to Reproduce:
1. Install spacewalk 
2. Setup spacewalk
3. try to cobbler sync
  
Actual results:

[root@spacewalk ~]# cobbler sync
task started: 2012-04-17_095020_sync
task started (id=Sync, time=Tue Apr 17 09:50:20 2012)
running pre-sync triggers
cleaning trees
mkdir: /var/www/cobbler/rendered
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/var/www/cobbler/rendered'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1280, in mkdir
    return os.makedirs(path,mode)
   File "/usr/lib64/python2.6/os.py", line 157, in makedirs
    mkdir(name, mode)

Exception occured: <type 'exceptions.TypeError'>
Exception value: not all arguments converted during string formatting
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 93, in run
    rc = self._run(self)
   File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 188, in runner
    return self.remote.api.sync(self.options.get("verbose",False),logger=self.logger)
   File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 701, in sync
    return sync.run()
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 110, in run
    self.clean_trees()
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 208, in clean_trees
    self.make_tftpboot()
   File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 176, in make_tftpboot
    utils.mkdir(self.rendered_dir,logger=self.logger)
   File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1285, in mkdir
    raise CX(_("Error creating") % path)



Expected results:

cobbler sync should work fine without disabling selinux

Additional info:

Comment 1 Jan Pazdziora (Red Hat) 2012-04-17 08:59:42 UTC
What are the AVC denials in /var/log/audit/audit.log?

Comment 2 Morgan Cox 2012-04-17 09:23:20 UTC
Hi

type=AVC msg=audit(1334654492.334:43893): avc:  denied  { write } for  pid=3403 comm="cobblerd" name="cobbler" dev=md2 ino=2229490 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1334654492.334:43893): arch=c000003e syscall=83 success=no exit=-13 a0=7fe3cc0008c0 a1=1ed a2=3e687b3dc8 a3=7fe3dabec6c8 items=0 ppid=1 pid=3403 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)

(I have never really understood SELINUX logs to be honest.....)
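
Added example, not part of the original bug thread: a Python decoder for the two audit records quoted in Comment 2, showing which process domain was refused which permission on which label, and which system call failed. The function names are hypothetical, the lookup tables cover only the values in these records, and the uid/gid fields of the SYSCALL record are omitted for length.

```python
import re

# Audit records copied from Comment 2 of this bug (uid/gid fields omitted).
AVC = ('type=AVC msg=audit(1334654492.334:43893): avc:  denied  { write } for  '
       'pid=3403 comm="cobblerd" name="cobbler" dev=md2 ino=2229490 '
       'scontext=system_u:system_r:cobblerd_t:s0 '
       'tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1334654492.334:43893): arch=c000003e syscall=83 '
           'success=no exit=-13 a0=7fe3cc0008c0 a1=1ed a2=3e687b3dc8 a3=7fe3dabec6c8 '
           'items=0 ppid=1 pid=3403 comm="cobblerd" exe="/usr/bin/python"')

# Minimal lookup tables covering only what these two records need.
X86_64_SYSCALLS = {83: "mkdir"}          # arch=c000003e is AUDIT_ARCH_X86_64
ERRNO = {13: "EACCES (Permission denied)"}

def fields(record):
    """Return the key=value pairs of an audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Records of one event share the audit(timestamp:serial) stamp."""
    return re.search(r'audit\(([\d.]+:\d+)\)', record).group(1)

def explain(avc, syscall):
    """Combine an AVC record and its SYSCALL record into one readable summary."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    perms = re.search(r'denied\s+\{([^}]*)\}', avc).group(1).split()
    return {
        "permissions": perms,
        "source_type": a["scontext"].split(":")[2],   # domain of the process
        "target_type": a["tcontext"].split(":")[2],   # label on the object
        "target_class": a["tclass"],
        "target_name": a["name"],
        "syscall": X86_64_SYSCALLS.get(int(s["syscall"]), s["syscall"]),
        "errno": ERRNO.get(-int(s["exit"]), s["exit"]),
        "mode": oct(int(s["a1"], 16)),                # mkdir's second argument
    }

if __name__ == "__main__":
    for key, value in explain(AVC, SYSCALL).items():
        print(f"{key:13} {value}")
```

Read together, the fields say that cobblerd, running in the cobblerd_t domain, called mkdir with mode 0755 inside a directory named "cobbler" labelled httpd_cobbler_content_t and was refused write access to that directory. This matches the failing mkdir of /var/www/cobbler/rendered in the traceback.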

Comment 3 Jan Pazdziora (Red Hat) 2012-04-17 09:37:17 UTC
Moving to Fedora EPEL / cobbler -- the AVC denial does not show any types / directories owned by Spacewalk.

Comment 4 Jan Pazdziora (Red Hat) 2012-04-20 12:44:45 UTC
The problem seems to be caused by the fact that unlike the 2.0 rpm, the 2.2 does not contain all the subdirectories of /var/www/cobbler that cobbler would like to use:

$ rpm -qlp cobbler-2.2.2-1.el6.noarch.rpm | grep rendered
$ rpm -qlp cobbler-2.0.11-2.el6.noarch.rpm | grep rendered
/var/www/cobbler/rendered
$

If the rpm contained them, they'd be created with correct SELinux context (cobbler_var_lib_t, most probably) upon rpm installation and the daemon would not attempt to create them.

Comment 5 Miroslav Grepl 2012-04-27 12:40:13 UTC
We have more issues.

1. #816309
=> there are wrong instructions

2. /var/www/cobbler/rendered needs to be owned by cobbler package so it needs to be part of payload

3. probably other issues

Scott, 
had you tested it with SELinux before you pushed a new version of cobbler?

We need to fix it ASAP. So any chance you could revert these changes?

RHEL6.3 Beta has been published, so this is not a good time to make big changes in the policy.

Comment 6 James C. 2012-05-22 01:00:37 UTC
I've corrected this in the cobbler.spec and setup.py file, so things should be installed correctly. This patch will be included in cobbler 2.2.3:

For now, manually creating the directory and running restorecon on it should get you up and running. If not please open a new issue on the official github issue tracker for cobbler: https://github.com/cobbler/cobbler/issues



# from master branch:

$ rpm -qif /var/www/cobbler/rendered|grep ^Name
Name        : cobbler

commit 285e3b5183b3b36576a0a60830d5eeaae57c428a
Author: James Cammarata <jimi>
Date:   Mon May 21 19:53:42 2012 -0500

    BUGFIX - adding some untracked directories and the new augeas lense to the setup.py and cobbler.spec files

Comment 7 James C. 2012-05-22 01:38:48 UTC
*** Bug 819497 has been marked as a duplicate of this bug. ***

Comment 8 James C. 2012-06-06 12:32:21 UTC
2.2.3-1 has been released, which resolves this bug.

