Description of problem:
April was the last time I logged in to the Cobbler Web UI. I tried again today, but was blocked by SELinux. When attempting to log in with valid credentials I received this error message in my browser:

OSError at /do_login
[Errno 13] Permission denied: '/var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7'

Setting SELinux to permissive allows me to log in.

# ll -Z /var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7
-rw-------. apache apache system_u:object_r:cobbler_var_lib_t:s0 /var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7

# sealert -l 2c9456a8-3d45-4a2b-b76e-8f0adf222673
SELinux is preventing /usr/sbin/httpd from write access on the file sessionid5e6fde92af7b21f5b6dfa02eef871ba7.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed write access on the sessionid5e6fde92af7b21f5b6dfa02eef871ba7 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:cobbler_var_lib_t:s0
Target Objects                sessionid5e6fde92af7b21f5b6dfa02eef871ba7 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          foo.bar.com
Source RPM Packages           httpd-2.2.22-2.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foo.bar.com
Platform                      Linux foo.bar.com 3.3.4-1.fc16.x86_64 #1 SMP Fri Apr 27 20:12:28 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 21 Jun 2012 03:57:45 PM CDT
Last Seen                     Thu 21 Jun 2012 03:57:55 PM CDT
Local ID                      2c9456a8-3d45-4a2b-b76e-8f0adf222673

Raw Audit Messages
type=AVC msg=audit(1340312275.927:172354): avc: denied { write } for pid=3537 comm="httpd" name="sessionid5e6fde92af7b21f5b6dfa02eef871ba7" dev="dm-2" ino=266891 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1340312275.927:172354): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2abebae4c0 a1=41 a2=1ff a3=6631326237666132 items=0 ppid=2496 pid=3537 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,cobbler_var_lib_t,file,write

audit2allow

#============= httpd_t ==============
allow httpd_t cobbler_var_lib_t:file write;

audit2allow -R

#============= httpd_t ==============
allow httpd_t cobbler_var_lib_t:file write;

Version-Release number of selected component (if applicable):
cobbler-web-2.2.2-1.fc16.noarch
selinux-policy-3.10.0-86.fc16.noarch

How reproducible:
Always

Actual results:
Cannot login.

Expected results:
Successful login.
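As an added example (not from this report, nor from the Cobbler or selinux-policy projects): a small Python parser that turns raw AVC records like the one above into the audit2allow-style rule the report shows, and flags rules that would widen httpd_t onto a type outside the httpd_* family, which is the outcome this thread avoided by relabelling the session directory instead. The first AVC line in the sample is the one quoted in the report; the second is constructed to show aggregation across records.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in this report, line 2 its
# SYSCALL record, line 3 a constructed second denial on another session file.
AUDIT_LOG = """\
type=AVC msg=audit(1340312275.927:172354): avc:  denied  { write } for  pid=3537 comm="httpd" name="sessionid5e6fde92af7b21f5b6dfa02eef871ba7" dev="dm-2" ino=266891 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1340312275.927:172354): arch=x86_64 syscall=open success=no exit=EACCES comm=httpd exe=/usr/sbin/httpd
type=AVC msg=audit(1340312285.101:172360): avc:  denied  { read write } for  pid=3538 comm="httpd" name="sessionidCONSTRUCTED" dev="dm-2" ino=266892 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file
"""


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    if "type=AVC" not in line or "denied" not in line:
        return None
    perms = re.search(r"\{ ([^}]+) \}", line)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if not perms or not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type:level; only the type takes part in TE rules.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], frozenset(perms.group(1).split())


def allow_rules(log_text):
    """Aggregate denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        plist = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {plist};")
    return rules


def crosses_into_foreign_type(rule):
    # Heuristic (an assumption of this example): httpd_t gaining write on a type
    # outside httpd_* is a candidate for relabelling rather than a new allow rule.
    m = re.match(r"allow httpd_t (\w+):\w+ .*write", rule)
    return bool(m) and not m.group(1).startswith("httpd_")


if __name__ == "__main__":
    for rule in allow_rules(AUDIT_LOG):
        print(rule, "# review: relabel instead?" if crosses_into_foreign_type(rule) else "")
```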
Could you add your output of:

# rpm -qf /var/lib/cobbler/webui_sessions
$ rpm -qf /var/lib/cobbler/webui_sessions
cobbler-2.2.2-1.fc16.noarch
cobbler-web-2.2.2-1.fc16.noarch
Probably should label /var/lib/cobbler/webui_sessions as httpd_cobbler_rw_content_t.
Yes. Michael, could you test it:

# chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions

Dominick, what do you think?
I would probably suggest...

semanage fcontext -a -t public_content_rw_t "/var/lib/cobbler/webui_sessions(/.*)?"
restorecon -R -v /var/lib/cobbler/webui_sessions/
setsebool -P cobbler_anon_write=1 allow_httpd_anon_write=1

... to enable this functionality. The webapp is optional.

By the way, it seems we also need to allow:

allow cobblerd_t cobbler_tmp_t:file mmap_file_perms;

This file eventually needs to be moved to /var/lib/cobbler, but currently it's created in /tmp, so I guess we'd need to support that.
Also:

fs_getattr_xattr_fs(cobblerd_t)
Thanks to ciupicri for his help with this policy and triaging.
But yes, since someone added this:

manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)

we might as well label it httpd_cobbler_content_rw_t. This was not part of the initial design. I think the public_content types / anon write combo were implemented to deal with these issues instead back then.
Let's add what Dan suggested now, and I think we could revise the cobbler policy and see if we can simplify it.
Added to F16 policy.
(In reply to comment #4)
> Michael,
> could you test it
>
> # chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions

This allows me to log in. Thanks.
Dominick, did you add some fixes to the upstream repo? I am going to do a merge over Xmas.
Some, yes. I am not quite confident about this. Does cobbler depend on its web interface? The problem with the httpd_cobbler_rw_content_t solution is that this will make cobbler depend on the apache module. I would prefer that people label the webui_sessions directory public_content_rw_t and set the corresponding "anon_write" booleans, but I understand that this is not such an intuitive solution and that it requires manual intervention. In short, I do not like the dependency on apache.
Yes, I agree. But my last minimum testing tells me we need to leave apache in the base:

for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do
    rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled

This is what we have for the Fedora minimum policy.
Why? In refpolicy this is not required, and I think we provide pretty much the same functionality there.
Any progress here?
I backported the cobbler policy from F19.
selinux-policy-3.11.1-92.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-92.fc18
Package selinux-policy-3.11.1-92.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-92.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6769/selinux-policy-3.11.1-92.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-92.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.