Bug 814254 - SELinux is preventing /usr/sbin/getsebool from read access on the directory /selinux/booleans/.
Summary: SELinux is preventing /usr/sbin/getsebool from read access on the directory /...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cobbler
Version: el6
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: James C.
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-04-19 13:20 UTC by Stuart Newman
Modified: 2014-04-21 19:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-21 19:20:11 UTC
Type: Bug
Embargoed:


Attachments
AVCs which appeared in permissive mode (10.12 KB, text/plain)
2012-04-19 14:03 UTC, Milos Malik

Description Stuart Newman 2012-04-19 13:20:53 UTC
Description of problem: SELinux is preventing /usr/sbin/getsebool from read access on the directory /selinux/booleans/.

SELinux is preventing /usr/sbin/getsebool from read access on the directory /selinux/booleans/.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that getsebool should be allowed read access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep getsebool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                /selinux/booleans/ [ dir ]
Source                        getsebool
Source Path                   /usr/sbin/getsebool
Port                          <Unknown>
Host                          fiat
Source RPM Packages           libselinux-utils-2.0.94-5.2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-126.el6_2.10
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fiat
Platform                      Linux fiat 2.6.32-220.13.1.el6.x86_64 #1 SMP Thu
                              Mar 29 11:46:40 EDT 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 19 Apr 2012 09:11:21 AM EDT
Last Seen                     Thu 19 Apr 2012 09:11:21 AM EDT
Local ID                      7c9ae146-bcf5-4ea1-b33d-c49f914ef04c

Raw Audit Messages
type=AVC msg=audit(1334841081.897:37262): avc:  denied  { read } for  pid=11168 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir




Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. Run cobbler check with cobbler 2.2.1 or 2.2.2

Actual results: sealert


Expected results: no alert


Additional info:

Comment 2 Milos Malik 2012-04-19 13:59:31 UTC
Quick reproducer:
0) setenforce 1
1) yum install cobbler cobbler-web
2) service cobblerd start
3) service httpd restart
4) setsebool httpd_can_network_connect_cobbler on
5) cobbler check
6) ausearch -m AVC -ts recent
----
time->Thu Apr 19 15:52:39 2012
type=SYSCALL msg=audit(1334843559.296:21897): arch=40000003 syscall=5 success=no exit=-13 a0=bfea6f7c a1=98800 a2=3e6ff4 a3=ffffffff items=0 ppid=1850 pid=1978 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="getsebool" exe="/usr/sbin/getsebool" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1334843559.296:21897): avc:  denied  { read } for  pid=1978 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----

Comment 3 Milos Malik 2012-04-19 14:03:58 UTC
Created attachment 578657 [details]
AVCs which appeared in permissive mode

Comment 4 Daniel Walsh 2012-04-19 18:24:13 UTC
Why is cobbler setting booleans?  Cobbler should not be doing anything with SELInux from within the app.

Comment 5 Miroslav Grepl 2012-04-20 08:47:14 UTC
I thought it was fixed in cobbler just to suggest it.

Comment 6 Daniel Walsh 2012-04-20 13:57:19 UTC
I have no problem with it reading boolean settings but it will not be allowed to set them.

Comment 7 Miroslav Grepl 2012-04-25 10:54:20 UTC
(In reply to comment #6)
> I have no problem with it reading boolean settings but it will not be allowed
> to set them.

Which I added.

Comment 8 James C. 2012-05-22 01:07:36 UTC
It does not set any booleans. It only uses getsebool for the "cobbler check" command to determine if it should suggest booleans that may need to be set by the user.

Comment 9 Daniel Walsh 2012-05-23 11:21:33 UTC
James, the AVCs I see in Comment 3 from Milos show cobbler executing semanage?

Comment 10 James C. 2012-05-23 12:04:03 UTC
You're correct, I missed that in that attachment. What it's doing is using "semanage fcontext -l" to find files that match certain types (again in action_check.py); it's not setting anything:

> data3 = utils.subprocess_get(self.logger,"/usr/sbin/semanage fcontext -l | grep public_content_t",shell=True)

I'm sure there's a better way to do it than that, but that's where the AVC is coming from. As far as I know, that was added quite a while back (git blame says 6/30/2009) so it's odd that AVCs are just now cropping up from this.

Comment 11 Daniel Walsh 2012-05-24 14:09:17 UTC
You should either use matchpathcon or grep /etc/selinux/*/contexts/files/file_context

Comment 12 James C. 2012-05-25 02:39:41 UTC
Shouldn't all of these be set to httpd_cobbler_content_t?

/var/www/cobbler(/.*)?	system_u:object_r:httpd_cobbler_content_t:s0
/var/www/cobbler/pub(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/links(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/images(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/rendered(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/ks_mirror(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/localmirror(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/www/cobbler/repo_mirror(/.*)?	system_u:object_r:cobbler_var_lib_t:s0

Also, "/var/lib/cobbler/webui_sessions(/.*)?" should be set to httpd_sys_rw_content_t (it was moved from /usr/share/cobbler).

These checks exist because the default policy is incorrect, I think. If that's corrected, we can drop the checks entirely. In the mean time, I'll modify the code to use the methods above and remove the calls to semanage.

Comment 13 James C. 2012-05-25 03:13:23 UTC
Similarly, why are these being set to cobbler_var_lib_t?

/var/lib/tftpboot(/.*)?	system_u:object_r:tftpdir_rw_t:s0
/var/lib/tftpboot/etc(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/ppc(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/grub(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/s390x(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/images(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/pxelinux\.cfg(/.*)?	system_u:object_r:cobbler_var_lib_t:s0
/tftpboot	-d	system_u:object_r:tftpdir_t:s0
/var/lib/tftpboot/yaboot	--	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/memdisk	--	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/menu\.c32	--	system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/pxelinux\.0	--	system_u:object_r:cobbler_var_lib_t:s0

I would think those aren't required, and should be left to tftpdir_rw_t, shouldn't they?
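As an added illustration of the approach Daniel suggests in comment 11 (example code written for this page, not cobbler's action_check.py): resolve the expected label from a file_contexts-style spec in-process, the way matchpathcon does, instead of spawning semanage from cobblerd_t. The spec below is a constructed sample built from a few of the entries quoted in comments 12 and 13, and the "observed" labels are constructed as well; on a real host you would load /etc/selinux/targeted/contexts/files/file_contexts (plus file_contexts.local, where semanage keeps local customizations that take precedence) and read each path's security.selinux xattr. Matching follows file_contexts(5): the regex has to match the whole path, an entry with a mode flag (-d, --, ...) applies only to that file type, and when several entries match the last one in the file wins, which is why the subpath entries under /var/www/cobbler override the blanket httpd_cobbler_content_t line above them.

```python
"""Resolve the SELinux context a path should carry from a file_contexts
spec, in-process, instead of shelling out to `semanage fcontext -l`.

Example code added for this thread, not cobbler's own action_check.py.
Assumptions: the spec text has the file_contexts(5) layout
(regex [mode] context); on a real host you would read
/etc/selinux/targeted/contexts/files/file_contexts and
file_contexts.local instead of the constructed sample below.
"""
import os
import re
import stat

# Mode flags from file_contexts(5): the entry applies only to this file type.
MODE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk", "-b": "blk",
              "-c": "chr", "-p": "fifo", "-s": "sock"}

# Constructed sample, modelled on entries quoted in comments 12 and 13.
SAMPLE_FILE_CONTEXTS = r"""
/var/www/cobbler(/.*)?                 system_u:object_r:httpd_cobbler_content_t:s0
/var/www/cobbler/pub(/.*)?             system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot(/.*)?                system_u:object_r:tftpdir_rw_t:s0
/var/lib/tftpboot/pxelinux\.cfg(/.*)?  system_u:object_r:cobbler_var_lib_t:s0
/tftpboot                         -d   system_u:object_r:tftpdir_t:s0
/var/lib/tftpboot/pxelinux\.0     --   system_u:object_r:cobbler_var_lib_t:s0
"""

# Constructed "current label" observations, shaped like observe() output.
SAMPLE_OBSERVED = {
    "/var/www/cobbler/pub/ks.cfg": ("file", "system_u:object_r:httpd_sys_content_t:s0"),
    "/var/lib/tftpboot/pxelinux.0": ("file", "system_u:object_r:cobbler_var_lib_t:s0"),
    "/var/www/cobbler/index.html": ("file", "system_u:object_r:httpd_cobbler_content_t:s0"),
}


def parse_file_contexts(text):
    """Parse 'regex [mode] context' lines into (compiled regex, mode, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # regexes in the spec contain no whitespace
        if len(fields) == 2:
            regex, mode, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, mode, context = fields[0], MODE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        # libselinux anchors every regex: it has to match the whole path.
        specs.append((re.compile("^" + regex + "$"), mode, context))
    return specs


def match_context(specs, path, ftype=None):
    """Expected context for path, or None if no entry matches.

    The last matching entry in the file wins; an entry with a mode flag is
    skipped when the file type is known and differs; <<none>> means unlabeled.
    """
    for regex, mode, context in reversed(specs):
        if mode is not None and ftype is not None and mode != ftype:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


def context_type(context):
    """'user:role:type:range' -> 'type'."""
    return context.split(":")[2]


def find_mislabeled(specs, observed):
    """Return (path, current_type, expected_type) for every path whose
    on-disk type differs from what the spec says it should be."""
    problems = []
    for path, (ftype, current) in sorted(observed.items()):
        expected = match_context(specs, path, ftype)
        if expected is not None and context_type(expected) != context_type(current):
            problems.append((path, context_type(current), context_type(expected)))
    return problems


def observe(path):
    """(ftype, current context) of a real path; Linux with SELinux only."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        ftype = "dir"
    elif stat.S_ISLNK(st.st_mode):
        ftype = "lnk"
    else:
        ftype = "file"
    label = os.getxattr(path, "security.selinux", follow_symlinks=False)
    return ftype, label.rstrip(b"\0").decode()


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, cur, exp in find_mislabeled(specs, SAMPLE_OBSERVED):
        print("%s is %s, should be %s (restorecon -v %s)" % (path, cur, exp, path))
```

On a real host, feed find_mislabeled() a dict built from observe() over an os.walk of the cobbler directories; what it reports is exactly what restorecon -Rv would relabel, and none of it requires execute access to semanage or getsebool from the daemon's domain.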

Comment 14 James C. 2012-05-25 12:05:04 UTC
All of the semanage code is removed in master, and will be in the next release (2.2.3). As I noted above, the policy needs to be updated to remove all of the subpaths from www/cobbler/ and the one new rule for /var/lib/cobbler/webui_sessions added. We have a wiki page for SELinux on our github site, which I'll be updating with much more information in regards to ensuring the policy is correctly configured on end-users machines.

