Description of problem:
Cobbler serves files to install systems. The TFTP supplied boot images are allowed to be read, but the installer image that is required a few seconds after the boot image is used, supplied by cobbler, is not being allowed access. As soon as I "setenforce 0" the image is allowed to be read. No audit messages are emitted. I tried "semanage dontaudit off" but still, no messages were emitted.

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-92.fc18.noarch

How reproducible:
Always

Steps to Reproduce:
1. Setup cobbler with RHEL or Fedora.
2. Boot system from PXE
3. Select RHEL or Fedora boot image in cobbler menu

Actual results:
Boot image is downloaded and system boots. When the installer image is attempted to be downloaded the download fails.

Expected results:
Download succeeds.

Additional info:
Installer images are kept here: /var/www/cobbler/links/rhel-server-6.4-x86_64/images/

"restorecon -Rv" does not return any output.

$ ls -dZ /var/www/cobbler/links/rhel-server-6.4-x86_64/images/
dr-xr-xr-x. root root system_u:object_r:cobbler_var_lib_t:s0 /var/www/cobbler/links/rhel-server-6.4-x86_64/images/

$ ls -lZ /var/www/cobbler/links/rhel-server-6.4-x86_64/images/
-r--r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 efiboot.img
-r--r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 efidisk.img
-r--r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 install.img
-r--r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 product.img
dr-xr-xr-x. root root system_u:object_r:cobbler_var_lib_t:s0 pxeboot
-r--r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 README
-r--r--r--. root root system_u:object_r:cobbler_var_lib_t:s0 TRANS.TBL
Is auditd running?
Created attachment 741892: audit messages when installer image is attempted to be read

Forgot about that. Here are the messages emitted with dontaudit off.
I am seeing this with the latest selinux policy as well (not sure when it started happening to be honest, as I don't use this setup too frequently). Anything under /var/lib/cobbler/links is inaccessible by httpd, even with httpd_serve_cobbler_files on. It probably just neglected links. I already have a host of custom stuff for cobbler, but in particular adding this seemed to fix this new issue:

    module customcobbler 1.0;

    require {
        type httpd_t;
        type cobbler_var_lib_t;
        class lnk_file { read getattr };
    }

    #============= httpd_t ==============
    #!!!! This avc is allowed in the current policy
    allow httpd_t cobbler_var_lib_t:lnk_file { read getattr };
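The local module above is the shape audit2allow produces from AVC denial records. As an added illustration (not code from the bug reporters or from the selinux-policy project), the following script parses AVC records from an auditd log, merges the denied permissions per (source type, target type, object class) and renders the same allow rule plus the require block. The audit lines embedded in it are constructed for the example; they are not the attachment from this bug, but they use the real auditd AVC format and the httpd_t / cobbler_var_lib_t / lnk_file triple discussed in the thread.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not the attachment from the bug report).
# Two AVC denials for the same subject/object pair, followed by an unrelated
# SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369730000.123:4501): avc:  denied  { read } for  pid=1234 comm="httpd" name="rhel-server-6.4-x86_64" dev="dm-0" ino=262145 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1369730000.456:4502): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/cobbler/links/rhel-server-6.4-x86_64" dev="dm-0" ino=262145 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1369730000.456:4502): arch=c000003e syscall=6 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
"""

# Permissions are inside { ... }; the three contexts/class fields follow later on the line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from user:role:type[:range]; index 2 holds regardless of MLS range."""
    return ctx.split(':')[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, set_of_denied_perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no denial
        yield (context_type(m.group('scontext')),
               context_type(m.group('tcontext')),
               m.group('tclass'),
               set(m.group('perms').split()))


def denials_to_allow_rules(log_text):
    """Merge denials by (source, target, class) and render one TE allow rule per triple."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        merged[(stype, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def render_module(name, version, log_text):
    """Build a complete local policy module source (.te) in the form shown in the comment above."""
    types, classes = set(), defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        types.update((stype, ttype))
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + denials_to_allow_rules(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module("customcobbler", "1.0", SAMPLE_AUDIT_LOG))
```

The rendered .te source is compiled and loaded with the standard toolchain (checkmodule -M -m -o customcobbler.mod customcobbler.te; semodule_package -o customcobbler.pp -m customcobbler.mod; semodule -i customcobbler.pp). Note that such a local rule grants httpd_t access to every symlink labelled cobbler_var_lib_t, not only the ones under the links directory, so it is a workaround until the corrected distribution policy is installed, not a replacement for it.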
I added fixes.

commit 24eb5a32f0ff7622427318e5e26af3e621292160
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 28 10:36:22 2013 +0200

    Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files
selinux-policy-3.11.1-97.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-97.fc18
I can confirm that the update fixes the issue. Thanks.
Package selinux-policy-3.11.1-97.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-97.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9612/selinux-policy-3.11.1-97.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-97.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.