Bug 878148 - cannot login to cobbler web-ui
Summary: cannot login to cobbler web-ui
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 834432
Blocks:
Reported: 2012-11-19 18:12 UTC by Orion Poplawski
Modified: 2015-11-02 13:43 UTC (History)

Fixed In Version: selinux-policy-3.7.19-220.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 834432
Environment:
Last Closed: 2013-11-21 10:10:59 UTC
Target Upstream Version:

Links
System ID: Red Hat Product Errata RHBA-2013:1598
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 21:39:24 UTC

Description Orion Poplawski 2012-11-19 18:12:58 UTC
+++ This bug was initially created as a clone of Bug #834432 +++

Description of problem: April was the last time I logged in to the Cobbler Web UI. I tried again today, but was blocked by SELinux. When attempting to login with valid credentials I received this error message in my browser:

OSError at /do_login

[Errno 13] Permission denied: '/var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7'

Setting SELinux to permissive allows me to login.

# ll -Z /var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7
-rw-------. apache apache system_u:object_r:cobbler_var_lib_t:s0 /var/lib/cobbler/webui_sessions/sessionid5e6fde92af7b21f5b6dfa02eef871ba7

# sealert -l 2c9456a8-3d45-4a2b-b76e-8f0adf222673
SELinux is preventing /usr/sbin/httpd from write access on the file sessionid5e6fde92af7b21f5b6dfa02eef871ba7.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed write access on the sessionid5e6fde92af7b21f5b6dfa02eef871ba7 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:cobbler_var_lib_t:s0
Target Objects                sessionid5e6fde92af7b21f5b6dfa02eef871ba7 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          foo.bar.com
Source RPM Packages           httpd-2.2.22-2.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foo.bar.com
Platform                      Linux foo.bar.com 3.3.4-1.fc16.x86_64
                              #1 SMP Fri Apr 27 20:12:28 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 21 Jun 2012 03:57:45 PM CDT
Last Seen                     Thu 21 Jun 2012 03:57:55 PM CDT
Local ID                      2c9456a8-3d45-4a2b-b76e-8f0adf222673

Raw Audit Messages
type=AVC msg=audit(1340312275.927:172354): avc:  denied  { write } for  pid=3537 comm="httpd" name="sessionid5e6fde92af7b21f5b6dfa02eef871ba7" dev="dm-2" ino=266891 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1340312275.927:172354): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2abebae4c0 a1=41 a2=1ff a3=6631326237666132 items=0 ppid=2496 pid=3537 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,cobbler_var_lib_t,file,write

audit2allow

#============= httpd_t ==============
allow httpd_t cobbler_var_lib_t:file write;

audit2allow -R

#============= httpd_t ==============
allow httpd_t cobbler_var_lib_t:file write;



Version-Release number of selected component (if applicable):
cobbler-web-2.2.2-1.fc16.noarch
selinux-policy-3.10.0-86.fc16.noarch


How reproducible: Always

Actual results: Cannot login.


Expected results: Successful login.

--- Additional comment from Miroslav Grepl on 2012-06-22 03:16:15 EDT ---

Could you add your output of 

# rpm -qf /var/lib/cobbler/webui_sessions

--- Additional comment from Michael Cronenworth on 2012-06-22 09:05:47 EDT ---

$ rpm -qf /var/lib/cobbler/webui_sessions
cobbler-2.2.2-1.fc16.noarch
cobbler-web-2.2.2-1.fc16.noarch

--- Additional comment from Daniel Walsh on 2012-06-22 10:53:25 EDT ---

Probably should label /var/lib/cobbler/webui_sessions

httpd_cobbler_rw_content_t

--- Additional comment from Miroslav Grepl on 2012-06-25 04:53:59 EDT ---

Yes.

Michael,
could you test it

# chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions


Dominick, 
what do you think?

--- Additional comment from Dominick Grift on 2012-06-25 07:01:43 EDT ---

I would probably suggest...

semanage fcontext -a -t public_content_rw_t "/var/lib/cobbler/webui_sessions(/.*)?"
restorecon -R -v /var/lib/cobbler/webui_sessions/

setsebool -P cobbler_anon_write=1 allow_httpd_anon_write=1

... to enable this functionality

The webapp is optional

By the way seems we also need to allow;

allow cobblerd_t cobbler_tmp_t:file mmap_file_perms;

This file eventually needs to be moved to /var/lib/cobbler but currently it's created in /tmp so I guess we'd need to support that

--- Additional comment from Dominick Grift on 2012-06-25 07:29:29 EDT ---

also: fs_getattr_xattr_fs(cobblerd_t)

--- Additional comment from Dominick Grift on 2012-06-25 08:02:11 EDT ---

Thanks to ciupicri for his help with this policy and triaging.

--- Additional comment from Dominick Grift on 2012-06-25 09:00:19 EDT ---

But yes, since someone added this:

manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)

we might as well label it httpd_cobbler_content_rw_t

This was not part of the initial design. I think the public_content types/ anon write combo were implemented to deal with these issues instead back then.

--- Additional comment from Miroslav Grepl on 2012-06-25 09:19:27 EDT ---

Let's add what Dan suggested now and I think we could revise the cobbler policy and see if we can simplify it.

--- Additional comment from Miroslav Grepl on 2012-06-25 09:26:51 EDT ---

Added to F16 policy.

--- Additional comment from Michael Cronenworth on 2012-06-25 10:07:33 EDT ---

(In reply to comment #4)
> Michael,
> could you test it
> 
> # chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions

This allows me to log in. Thanks.
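
The raw AVC record and the audit2allow output pasted in the description above show the step from a denial in audit.log to the `allow httpd_t cobbler_var_lib_t:file write;` rule. The Python below is an added illustration of that step; it is not part of the bug report, of the audit2allow tool, or of the selinux-policy package. It parses AVC records of the shape shown, pulls out the source type, target type, object class and permission set, and merges records per type pair into the rule form audit2allow prints. The first sample record is the one from the report; the second is constructed here to show merging, and the SYSCALL record is included to show that non-AVC lines are skipped. As the thread itself concludes, seeing a cluster of `httpd_t` denials on a single `cobbler_var_lib_t` path is a labeling or boolean question (relabel the directory or enable `httpd_serve_cobbler_files`), not a reason to load the generated rule.

```python
import re
from collections import defaultdict

# Raw AVC record as pasted in the bug report above.
REPORTED_AVC = (
    'type=AVC msg=audit(1340312275.927:172354): avc:  denied  { write } for  pid=3537 '
    'comm="httpd" name="sessionid5e6fde92af7b21f5b6dfa02eef871ba7" dev="dm-2" ino=266891 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 '
    'tclass=file'
)

# Constructed second record (not from the report): same subject and object,
# a different permission, to show how permissions merge per type pair.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1340312276.001:172355): avc:  denied  { open } for  pid=3537 '
    'comm="httpd" name="sessionid5e6fde92af7b21f5b6dfa02eef871ba7" dev="dm-2" ino=266891 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 '
    'tclass=file'
)

# Abbreviated SYSCALL record from the report; it carries no avc: verdict and is skipped.
REPORTED_SYSCALL = (
    'type=SYSCALL msg=audit(1340312275.927:172354): arch=x86_64 syscall=open success=no '
    'exit=EACCES comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)'
)

# "avc:  denied  { write }" -> verdict plus the space-separated permission list.
_VERDICT = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}')
# key=value tokens; values are either double-quoted or run to the next whitespace.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None for any other audit line.

    The dict holds the verdict, the permissions inside { }, the raw key=value
    fields, and the SELinux type (third colon-separated component) of the
    source and target contexts.
    """
    head = _VERDICT.search(line)
    if head is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'verdict': head.group('verdict'),
        'perms': head.group('perms').split(),
        'fields': fields,
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def format_rule(source_type, target_type, tclass, perms):
    """Render one allow rule in the form audit2allow prints (braces only for >1 perm)."""
    perms = sorted(set(perms))
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (source_type, target_type, tclass, perm_text)


def to_allow_rule(denial):
    """Rule for a single parsed denial."""
    return format_rule(denial['source_type'], denial['target_type'],
                       denial['tclass'], denial['perms'])


def summarize(lines):
    """Group denials by (source type, target type, class) and merge permissions,
    the way audit2allow collapses a log into one rule per type pair."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or d['verdict'] != 'denied':
            continue
        merged[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(merged.items())]


if __name__ == '__main__':
    for rule in summarize([REPORTED_AVC, REPORTED_SYSCALL, CONSTRUCTED_AVC]):
        print(rule)
```

Run it as a script and it prints the single merged rule for the two sample denials; feed it `grep avc /var/log/audit/audit.log` output instead and the per-type-pair grouping makes a mislabeled directory stand out as one target type collecting several permissions from one domain.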

Comment 1 Orion Poplawski 2012-11-19 18:13:58 UTC
I need to do:

chcon -R -t httpd_cobbler_rw_content_t /var/lib/cobbler/webui_sessions

with:

cobbler-web-2.4.0-beta2.el6.noarch
selinux-policy-3.7.19-155.el6_3.6.noarch

To be able to log in.

Comment 3 Orion Poplawski 2012-12-10 18:47:17 UTC
Any progress?  Still the same:

cobbler-web-2.4.0-beta2.el6.noarch
selinux-policy-3.7.19-186.el6.noarch

Comment 4 RHEL Program Management 2012-12-14 08:17:02 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 5 Miroslav Grepl 2012-12-14 10:43:56 UTC
Does it work with your solution? I would like to be sure before I change it in RHEL6.

We still have in Fedora

# matchpathcon /var/lib/cobbler/webui_sessions
/var/lib/cobbler/webui_sessions	system_u:object_r:cobbler_var_lib_t:s0

Comment 6 Orion Poplawski 2012-12-14 23:25:18 UTC
The solution is working for me.  Another possibly better alternative that works is "httpd_var_run_t", which matches /var/lib/php/session.

Comment 8 Orion Poplawski 2013-04-18 14:51:08 UTC
Still a problem with selinux-policy-3.7.19-195.el6_4.3.noarch

Comment 9 Miroslav Grepl 2013-08-06 20:48:20 UTC
It will be covered by httpd_serve_cobbler_files boolean.

Comment 10 Orion Poplawski 2013-08-07 19:55:55 UTC
I don't see that boolean in selinux-policy-3.7.19-210.el6.

Comment 12 Miroslav Grepl 2013-08-08 06:09:15 UTC
I see on my RHEL6 system

# getsebool -a |grep cobbler
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
httpd_can_network_connect_cobbler --> off
httpd_serve_cobbler_files --> off

Comment 13 Orion Poplawski 2013-08-09 16:23:50 UTC
Seeing that now with -211 and I've turned it on.  restorecon on /var/lib/cobbler/webui_sessions/ reset it to cobbler_var_lib_t, but I can log in so it seems to be working.

Comment 16 Miroslav Grepl 2013-10-08 13:17:32 UTC
#============= cobblerd_t ==============

#!!!! This avc is allowed in the current policy
allow cobblerd_t mysqld_db_t:dir search;

# sesearch -A -s cobblerd_t -t ldconfig_exec_t
Found 1 semantic av rules:
   allow cobblerd_t ldconfig_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;

Comment 18 errata-xmlrpc 2013-11-21 10:10:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
