Bug 827813 - SELinux policy breaks os.path for cobbler
SELinux policy breaks os.path for cobbler
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Reported: 2012-06-03 03:02 EDT by Pete Travis
Modified: 2013-05-21 04:40 EDT
CC: 5 users
Fixed In Version: selinux-policy-3.11.1-95.fc18
Doc Type: Bug Fix
Last Closed: 2013-05-21 04:40:29 EDT
Type: Bug


Attachments: None
Description Pete Travis 2012-06-03 03:02:28 EDT
Description of problem:
On a minimal installation of Fedora 17, cobblerd fails to start. setroubleshoot reports that "SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/passwd"
Starting cobblerd directly with `/usr/bin/cobblerd -F` succeeds, but starting the service via systemctl fails. The previous release of Fedora does not have this issue, as /etc/passwd is system_u:object_r:etc_t:s0.

Version-Release number of selected component (if applicable):

Name        : python
Version     : 2.7.3
Release     : 6.fc17


Name        : python-libs
Version     : 2.7.3
Release     : 6.fc17

Name        : selinux-policy
Version     : 3.10.0
Release     : 125.fc17

Name        : cobbler
Version     : 2.2.2
Release     : 1.fc17


Steps to Reproduce:
1. Configure 'minimal' fedora installation.
2. yum install cobbler
3. yum upgrade
4. systemctl start cobblerd.service
  
Actual results:

cobblerd fails to start when selinux blocks cobbler from using os.path

Expected results:

cobbler is able to call os.path functions without issue

Additional info:
##
#systemctl status cobblerd.service gives the following:
##
[root@athena cobbler]# systemctl status cobblerd.service
cobblerd.service - Cobbler Helper Daemon
          Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; disabled)
          Active: failed (Result: exit-code) since Sun, 03 Jun 2012 00:29:28 -0600; 16min ago
         Process: 1492 ExecStart=/usr/bin/cobblerd (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/cobblerd.service

[root@athena cobbler]# systemctl status cobblerd.service
cobblerd.service - Cobbler Helper Daemon
          Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; disabled)
          Active: failed (Result: exit-code) since Sun, 03 Jun 2012 00:29:28 -0600; 22min ago
         Process: 1492 ExecStart=/usr/bin/cobblerd (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/cobblerd.service

Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: File "/usr/lib64/python2.7/sysconfig.py", line 521, in get_config_var
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: return get_config_vars().get(name)
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: File "/usr/lib64/python2.7/sysconfig.py", line 425, in get_config_vars
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: _CONFIG_VARS['userbase'] = _getuserbase()
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: File "/usr/lib64/python2.7/sysconfig.py", line 183, in _getuserbase
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: return env_base if env_base else joinuser("~", ".local")
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: File "/usr/lib64/python2.7/sysconfig.py", line 169, in joinuser
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: return os.path.expanduser(os.path.join(*args))
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: File "/usr/lib64/python2.7/posixpath.py", line 260, in expanduser
Jun 03 00:29:28 athena.petetravis.lan cobblerd[1492]: userhome = pwd.getpwuid(os.getuid()).pw_dir

##
#audit.log 
##
type=AVC msg=audit(1338704944.522:202): avc:  denied  { read } for  pid=1478 comm="cobblerd" name="passwd" dev="dm-1" ino=1574018 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1338704944.522:202): arch=c000003e syscall=2 success=no exit=-13 a0=7fe4010fb6ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=SERVICE_START msg=audit(1338704944.553:203): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="cobblerd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1338704968.964:204): avc:  denied  { read } for  pid=1492 comm="cobblerd" name="passwd" dev="dm-1" ino=1574018 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1338704968.964:204): arch=c000003e syscall=2 success=no exit=-13 a0=7f2efcc496ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1492 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=SERVICE_START msg=audit(1338704968.996:205): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="cobblerd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed
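The AVC records above carry everything needed to see why the service dies: the source type (cobblerd_t), the target type (passwd_file_t), the object class (file) and the denied permission (read). The following is an added example, not code from the bug report or from the selinux-policy project. It parses AVC lines from an audit log, groups the denials by (source type, target type, class) and prints the allow rule that would cover them, in the same form as the sesearch output quoted later in this bug. The first two sample records are copied from the audit.log excerpt above; the third (a getattr denial) is constructed to mirror the follow-up denial described in Comment 1. The SYSCALL record is included only to show that non-AVC lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: two AVC records in the shape of the audit.log excerpt
# in this bug, one unrelated SYSCALL record, and one constructed getattr denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1338704944.522:202): avc:  denied  { read } for  pid=1478 comm="cobblerd" name="passwd" dev="dm-1" ino=1574018 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1338704944.522:202): arch=c000003e syscall=2 success=no exit=-13 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1338704968.964:204): avc:  denied  { read } for  pid=1492 comm="cobblerd" name="passwd" dev="dm-1" ino=1574018 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338704970.100:206): avc:  denied  { getattr } for  pid=1492 comm="cobblerd" path="/etc/passwd" dev="dm-1" ino=1574018 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

# Matches the fields of a type=AVC record that matter for policy analysis.
# The permission set sits between braces; contexts and class follow later on the line.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # "{ read getattr }" -> frozenset({"read", "getattr"})
    rec['perms'] = frozenset(rec['perms'].split())
    return rec


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key] |= rec['perms']
    return dict(rules)


def allow_rules(audit_text):
    """Render the grouped denials as policy allow rules (sesearch-style output)."""
    lines = []
    for (src, tgt, cls), perms in sorted(summarize_denials(audit_text).items()):
        lines.append('allow %s %s : %s { %s };' % (src, tgt, cls, ' '.join(sorted(perms))))
    return lines


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against a real log with `ausearch -m avc -ts recent | python3 avc_summary.py` after replacing SAMPLE_AUDIT_LOG with `sys.stdin.read()`; the grouped output is what to compare against `sesearch --allow -s cobblerd_t -t passwd_file_t` before deciding whether the denial is a policy gap (as here) or a mislabelled file. Note that the process only ever sees the consequence of the denial (the KeyError from pwd.getpwuid in the traceback), so the audit log, not the application log, is where the cause is recorded.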
Comment 1 Pete Travis 2012-06-03 11:19:19 EDT
I built and activated a policy module to allow python to read /etc/passwd.
Now, python wants to open /etc/passwd, so I add a module for that. 
cobbler will start, but python still wants getattr access to /etc/password. Following the addition of a module for this, I am able to start cobblerd without denials.
Comment 2 Miroslav Grepl 2012-06-04 06:46:27 EDT
Fixed in selinux-policy-3.10.0-129.fc17
Comment 3 Fedora Update System 2012-06-11 16:59:10 EDT
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Comment 4 Fedora Update System 2012-06-15 19:56:48 EDT
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-06-16 20:01:44 EDT
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Hakan Duran 2012-09-30 23:58:06 EDT
I have selinux-policy-3.10.0-149.fc17 installed in my box, and I get selinux warning message about /usr/bin/python2.7 attempting getattr access to /etc/passwd. I guess I will build and activate a policy module as described above.
Comment 7 Miroslav Grepl 2012-10-01 04:49:04 EDT
Could you execute

# semanage permissive -a cobblerd_t

re-test it and add your output of

# ausearch -m avc -ts recent


Thank you.
Comment 8 Daniel Walsh 2012-10-01 05:56:29 EDT
Looks like cobbler needs auth_read_passwd which we have in F18.
Comment 9 Miroslav Grepl 2012-10-01 06:31:20 EDT
I see on my F17

allow cobblerd_t passwd_file_t : file { ioctl read getattr lock open } ;
Comment 10 Jan Pazdziora 2013-04-30 08:17:45 EDT
It seems the bug is back on Fedora 18:

# sesearch --allow -s cobblerd_t -t passwd_file_t
Found 1 semantic av rules:
   allow cobblerd_t file_type : filesystem getattr ; 

# rpm -q cobbler selinux-policy-targeted
cobbler-2.4.0-beta3.fc18.1.noarch
selinux-policy-targeted-3.11.1-92.fc18.noarch
#

avc:  denied  { read } for  pid=2237 comm="cobblerd" name="passwd" dev="dm-1" ino=262820 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

# grep cobbler /var/log/messages | perl -ne 's/^.*\[2237\]: // and print'
Traceback (most recent call last):
File "/usr/lib/python2.7/site.py", line 563, in <module>
main()
File "/usr/lib/python2.7/site.py", line 545, in main
known_paths = addusersitepackages(known_paths)
File "/usr/lib/python2.7/site.py", line 278, in addusersitepackages
user_site = getusersitepackages()
File "/usr/lib/python2.7/site.py", line 253, in getusersitepackages
user_base = getuserbase() # this will also set USER_BASE
File "/usr/lib/python2.7/site.py", line 243, in getuserbase
USER_BASE = get_config_var('userbase')
File "/usr/lib/python2.7/sysconfig.py", line 521, in get_config_var
return get_config_vars().get(name)
File "/usr/lib/python2.7/sysconfig.py", line 425, in get_config_vars
_CONFIG_VARS['userbase'] = _getuserbase()
File "/usr/lib/python2.7/sysconfig.py", line 183, in _getuserbase
return env_base if env_base else joinuser("~", ".local")
File "/usr/lib/python2.7/sysconfig.py", line 169, in joinuser
return os.path.expanduser(os.path.join(*args))
File "/usr/lib/python2.7/posixpath.py", line 260, in expanduser
userhome = pwd.getpwuid(os.getuid()).pw_dir
KeyError: 'getpwuid(): uid not found: 0'
Comment 11 Miroslav Grepl 2013-05-03 04:22:55 EDT
commit a86527976302b41d2484ae2cf15df0904ec1a344
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri May 3 10:19:07 2013 +0200

    Allow cobblerd to read /etc/passwd
Comment 12 Fedora Update System 2013-05-07 17:29:09 EDT
selinux-policy-3.11.1-94.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-94.fc18
Comment 13 Fedora Update System 2013-05-09 06:11:58 EDT
Package selinux-policy-3.11.1-94.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-94.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7743/selinux-policy-3.11.1-94.fc18
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2013-05-17 07:00:45 EDT
selinux-policy-3.11.1-95.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-95.fc18
Comment 15 Fedora Update System 2013-05-21 04:40:29 EDT
selinux-policy-3.11.1-95.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.