Bug 837707 - Cobbler 2.2.3 doesn't work with SElinux in enforcing mode
Cobbler 2.2.3 doesn't work with SElinux in enforcing mode
Status: CLOSED DUPLICATE of bug 837708
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.2
All Linux
unspecified Severity high
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-04 18:42 EDT by Jonathan Underwood
Modified: 2015-05-13 07:11 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-15 10:35:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jonathan Underwood 2012-07-04 18:42:33 EDT
Description of problem:
cobblerd fails to start  with the current selinux policy on rhel 6.2, requiring the following fix:

module cobblerlocal 1.0;

require {
        type cobbler_tmp_t;
        type tmpfs_t;
        type cobblerd_t;
        class dir search;
        class file execute;
}

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;
allow cobblerd_t tmpfs_t:dir search;


Version-Release number of selected component (if applicable):
cobbler-2.2.3-2.el6.noarch
selinux-policy-3.7.19-126.el6_2.10.noarch
selinux-policy-targeted-3.7.19-126.el6_2.10.noarch

How reproducible:
Everytime

Steps to Reproduce:
1.service cobblerd start
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 2 Milos Malik 2012-07-08 03:09:26 EDT
# rpm -qa cobbler\*
cobbler-web-2.2.3-2.el6.noarch
cobbler-2.2.3-2.el6.noarch
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.7.19-155.el6_3.noarch
selinux-policy-doc-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
#  service cobblerd restart
Stopping cobbler daemon:                                   [FAILED]
Starting cobbler daemon: Traceback (most recent call last):
  File "/usr/bin/cobblerd", line 76, in main
    api = cobbler_api.BootAPI(is_cobblerd=True)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 127, in __init__
    module_loader.load_modules()
  File "/usr/lib/python2.6/site-packages/cobbler/module_loader.py", line 62, in load_modules
    blip =  __import__("modules.%s" % ( modname), globals(), locals(), [modname])
  File "/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py", line 53, in <module>
    from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast, pointer, sizeof
  File "/usr/lib/python2.6/ctypes/__init__.py", line 546, in <module>
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
# ausearch -m avc -m user_avc -m selinux_err -ts recent -i
----
type=SYSCALL msg=audit(07/08/2012 09:07:06.343:85) : arch=i386 syscall=mmap2 success=no exit=-13(Permission denied) a0=0 a1=1000 a2=5 a3=1 items=0 ppid=10200 pid=10201 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(07/08/2012 09:07:06.343:85) : avc:  denied  { execute } for  pid=10201 comm=cobblerd path=/tmp/fficICQMP (deleted) dev=sda3 ino=144515 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/08/2012 09:07:06.347:86) : arch=i386 syscall=mmap2 success=no exit=-13(Permission denied) a0=0 a1=1000 a2=5 a3=1 items=0 ppid=10200 pid=10201 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(07/08/2012 09:07:06.347:86) : avc:  denied  { execute } for  pid=10201 comm=cobblerd path=/var/tmp/ffioa2tU5 (deleted) dev=sda3 ino=303 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/08/2012 09:07:06.348:87) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfe205a0 a1=c2 a2=180 a3=4ff34 items=0 ppid=10200 pid=10201 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null) 
type=AVC msg=audit(07/08/2012 09:07:06.348:87) : avc:  denied  { search } for  pid=10201 comm=cobblerd name=/ dev=tmpfs ino=5539 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
#
Comment 3 Miroslav Grepl 2012-07-09 04:29:29 EDT
The problem is we have this new cobbler package in EPEL and we are working on a policy solution in Fedora.
Comment 4 Miroslav Grepl 2012-10-15 10:35:02 EDT

*** This bug has been marked as a duplicate of bug 837708 ***

Note You need to log in before you can comment on or make changes to this bug.