Hide Forgot
+++ This bug was initially created as a clone of Bug #834432 +++ Description of problem: April was the last time I logged in to the Cobbler Web UI. I tried again today, but was blocked by SELinux. When attempting to login with valid credentials I received this error message in my browser: OSError at /do_login [Errno 13] Permission denied: '/var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7' Setting SELinux to permissve allows me to login. # ll -Z /var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7 -rw-------. apache apache system_u:object_r:cobbler_var_lib_t:s0 /var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7 # sealert -l 2c9456a8-3d45-4a2b-b76e-8f0adf222673 SELinux is preventing /usr/sbin/httpd from write access on the file sessionid5e6fde92af7b21f5b6dfa02eef871ba7. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that httpd should be allowed write access on the sessionid5e6fde92af7b21f5b6dfa02eef871ba7 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep httpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:cobbler_var_lib_t:s0 Target Objects sessionid5e6fde92af7b21f5b6dfa02eef871ba7 [ file ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host foo.bar.com Source RPM Packages httpd-2.2.22-2.fc16.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-86.fc16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name foo.bar.com Platform Linux foo.bar.com 3.3.4-1.fc16.x86_64 #1 SMP Fri Apr 27 20:12:28 UTC 2012 x86_64 x86_64 Alert Count 2 First Seen Thu 21 Jun 2012 03:57:45 PM CDT Last Seen Thu 21 Jun 2012 03:57:55 PM CDT Local ID 2c9456a8-3d45-4a2b-b76e-8f0adf222673 Raw Audit Messages type=AVC msg=audit(1340312275.927:172354): avc: denied { write } for pid=3537 comm="httpd" name="sessionid5e6fde92af7b21f5b6dfa02eef871ba7" dev="dm-2" ino=266891 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1340312275.927:172354): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2abebae4c0 a1=41 a2=1ff a3=6631326237666132 items=0 ppid=2496 pid=3537 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) Hash: httpd,httpd_t,cobbler_var_lib_t,file,write audit2allow #============= httpd_t ============== allow httpd_t cobbler_var_lib_t:file write; audit2allow -R #============= httpd_t ============== allow httpd_t cobbler_var_lib_t:file write; Version-Release number of selected component (if applicable): cobbler-web-2.2.2-1.fc16.noarch selinux-policy-3.10.0-86.fc16.noarch How reproducible: Always Actual results: Cannot login. Expected results: Successful login. --- Additional comment from Miroslav Grepl on 2012-06-22 03:16:15 EDT --- Could you add me your output of # rpm -qf /var/lib/cobbler/webui_sessions --- Additional comment from Michael Cronenworth on 2012-06-22 09:05:47 EDT --- $ rpm -qf /var/lib/cobbler/webui_sessions cobbler-2.2.2-1.fc16.noarch cobbler-web-2.2.2-1.fc16.noarch --- Additional comment from Daniel Walsh on 2012-06-22 10:53:25 EDT --- Probably should label /var/lib/cobbler/webui_sessions httpd_cobbler_rw_content_t --- Additional comment from Miroslav Grepl on 2012-06-25 04:53:59 EDT --- Yes. Michael, could you test it # chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions Dominick, what do you think? --- Additional comment from Dominick Grift on 2012-06-25 07:01:43 EDT --- I would probably suggest... semanage fcontext -a -t public_content_rw_t "/var/lib/cobbler/webui_sessions(/.*)?" restorecon -R -v /var/lib/cobbler/webui_sessions/ setsebool -P cobbler_anon_write=1 allow_httpd_anon_write=1 ... to enabled this functionality The webapp is optional By the way seems we also need to allow; allow cobblerd_t cobbler_tmp_t:file mmap_file_perms; This file eventually needs to be moved to /var/lib/cobbler but currently its created in /tmp so i guess we'd need to support that --- Additional comment from Dominick Grift on 2012-06-25 07:29:29 EDT --- also: fs_getattr_xattr_fs(cobblerd_t) --- Additional comment from Dominick Grift on 2012-06-25 08:02:11 EDT --- Thanks to ciupicri for his help with this policy and triaging. --- Additional comment from Dominick Grift on 2012-06-25 09:00:19 EDT --- But yes since some one added this: manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) we might as well label it httpd_cobbler_content_rw_t This was not part of the initial design. I think the public_content types/ anon write combo were implemented to deal with these issues instead back then. --- Additional comment from Miroslav Grepl on 2012-06-25 09:19:27 EDT --- Lets add what Dan suggested now and I think we could revise the cobbler policy and see if we can simplify it. --- Additional comment from Miroslav Grepl on 2012-06-25 09:26:51 EDT --- Added to F16 policy. --- Additional comment from Michael Cronenworth on 2012-06-25 10:07:33 EDT --- (In reply to comment #4) > Michael, > could you test it > > # chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions This allows me to log in. Thanks.
I need to do: chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions with: cobbler-web-2.4.0-beta2.el6.noarch selinux-policy-3.7.19-155.el6_3.6.noarch To be able to log in.
Any progress? Still the same: cobbler-web-2.4.0-beta2.el6.noarch selinux-policy-3.7.19-186.el6.noarch
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
Does it work with your solution? I would like to be sure before I change it in RHEL6. We have still in Fedora # matchpathcon /var/lib/cobbler/webui_sessions /var/lib/cobbler/webui_sessions system_u:object_r:cobbler_var_lib_t:s0
The solution is working for me. Another possibly better alternative that works is "httpd_var_run_t", which matches /var/lib/php/session.
Still a problem with selinux-policy-3.7.19-195.el6_4.3.noarch
It will be covered by httpd_serve_cobbler_files boolean.
I don't see that boolean in selinux-policy-3.7.19-210.el6.
I see on my RHEL6 system # getsebool -a |grep cobbler cobbler_anon_write --> off cobbler_can_network_connect --> off cobbler_use_cifs --> off cobbler_use_nfs --> off httpd_can_network_connect_cobbler --> off httpd_serve_cobbler_files --> off
Seeing that now with -211 and I've turned it on. restorecon on /var/lib/cobbler/webui_sessions/ reset it to cobbler_var_lib_t, but I can log in so it seems to be working.
#============= cobblerd_t ============== #!!!! This avc is allowed in the current policy allow cobblerd_t mysqld_db_t:dir search; # sesearch -A -s cobblerd_t -t ldconfig_exec_t Found 1 semantic av rules: allow cobblerd_t ldconfig_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html