Bug 978601 - "type=AVC msg=audit(...): avc: denied { create } for pid=... comm="cobblerd" name="buildiso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir" when running `cobbler buildiso`
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Provisioning
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Stephen Herr
QA Contact: Jan Hutař
URL:
Whiteboard:
Depends On:
Blocks: 506485 sat560-blockers sat560-provisioning
Reported: 2013-06-26 22:22 UTC by Jan Hutař
Modified: 2013-10-01 21:39 UTC (History)

Fixed In Version: cobbler-2.0.7-33-sat
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-01 21:39:35 UTC
Target Upstream Version:
Embargoed:


Attachments:
Proposed patch to /usr/lib/python2.6/site-packages/cobbler/cli.py (1.92 KB, patch), 2013-07-08 22:03 UTC, Rich Jerrido

Description Jan Hutař 2013-06-26 22:22:04 UTC
[This was initially discovered by Cliff]

Description of problem:
Running `cobbler buildiso` generates AVC error.


Version-Release number of selected component (if applicable):
cobbler-2.0.7-29.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. # sestatus   # make sure you are in enforcing
2. # cobbler buildiso


Actual results:
# cobbler buildiso
task started: 2013-06-26_181250_buildiso
task started (id=Build Iso, time=Wed Jun 26 18:12:50 2013)
using/creating tempdir: /buildiso
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/buildiso'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 95, in run
    rc = self._run(self)
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 156, in runner
    self.options.get("force_server",None)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 756, in build_iso
    iso=iso, profiles=profiles, systems=systems, tempdir=tempdir, distro=distro, standalone=standalone, source=source, exclude_dns=exclude_dns, force_server=force_server
  File "/usr/lib/python2.6/site-packages/cobbler/action_buildiso.py", line 402, in run
    os.makedirs(tempdir)
  File "/usr/lib64/python2.6/os.py", line 157, in makedirs
    mkdir(name, mode)

!!! TASK FAILED !!!


Expected results:
Should work.


Additional info:
Generated AVC is like this:
type=AVC msg=audit(1372284771.863:671): avc:  denied  { create } for  pid=13707 comm="cobblerd" name="buildiso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1372284771.863:671): arch=c000003e syscall=83 success=no exit=-13 a0=7fbe70013b80 a1=1ff a2=3ade5a09e8 a3=7fbe784ddb18 items=0 ppid=1 pid=13707 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)

When the system is set to Permissive, `cobbler buildiso` PASSes, and these AVCs are generated:
type=AVC msg=audit(1372284840.697:673): avc:  denied  { create } for  pid=13728 comm="cobblerd" name="buildiso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1372284840.697:673): arch=c000003e syscall=83 success=yes exit=0 a0=7fbe68004c10 a1=1ff a2=3ade5a09e8 a3=7fbe778d6b18 items=0 ppid=1 pid=13728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1372284840.797:674): avc:  denied  { write } for  pid=13737 comm="mkisofs" name="root" dev=dm-0 ino=655361 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1372284840.797:674): avc:  denied  { add_name } for  pid=13737 comm="mkisofs" name="generated.iso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1372284840.797:674): avc:  denied  { create } for  pid=13737 comm="mkisofs" name="generated.iso" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1372284840.797:674): avc:  denied  { write open } for  pid=13737 comm="mkisofs" name="generated.iso" dev=dm-0 ino=656786 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1372284840.797:674): arch=c000003e syscall=2 success=yes exit=13 a0=7fffa518de61 a1=241 a2=1b6 a3=0 items=0 ppid=6779 pid=13737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkisofs" exe="/usr/bin/genisoimage" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1372284840.804:675): avc:  denied  { getattr } for  pid=13737 comm="mkisofs" path="/root/generated.iso" dev=dm-0 ino=656786 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1372284840.804:675): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fffa5186620 a2=7fffa5186620 a3=7fffa51864f0 items=0 ppid=6779 pid=13737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkisofs" exe="/usr/bin/genisoimage" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=MAC_STATUS msg=audit(1372284848.093:676): enforcing=1 old_enforcing=0 auid=0 ses=100
type=SYSCALL msg=audit(1372284848.093:676): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffbaf4e380 a2=1 a3=0 items=0 ppid=13520 pid=13738 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=100 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

BTW running `cobbler buildiso --iso=/tmp/aaa.iso` did not help.

Comment 1 Rich Jerrido 2013-07-08 21:51:24 UTC
I've run into this bug as well. What is happening is that since cobblerd is a confined daemon, it can only write to where the SELinux policy allows it. You can work around this using the --tempdir & --iso switches to redirect cobbler to use a directory that it can write to. (after creating it)

I've worked around this using the following workflow. 

Find a file context that cobblerd can write to:

# sesearch -A -s cobblerd_t -c file  | grep write

Select a file type from that output. I used 'cobbler_tmp_t' as it seemed most fitting. Create a directory and update the SELinux policy with the correct file context.
 
# semanage fcontext -a -t cobbler_tmp_t "/srv/cobbler(/.*)?"
# mkdir /srv/cobbler/tempdir
# restorecon -Rv /srv/cobbler

Run cobbler:

# cobbler buildiso --tempdir /srv/cobbler/tempdir/ --iso /srv/cobbler/generated.iso

Comment 2 Rich Jerrido 2013-07-08 22:03:39 UTC
Created attachment 770693 [details]
Proposed patch to /usr/lib/python2.6/site-packages/cobbler/cli.py

The attached patch is an update to /usr/lib/python2.6/site-packages/cobbler/cli.py. It sets an explicit default location for the generated iso (the --iso parameter) and the temporary directory (the --tempdir parameter). It is assumed that the cobbler installation will create those directories (maybe in the %post section of the RPM install) with the correct SELinux contexts.

Comment 3 Stephen Herr 2013-07-11 20:45:40 UTC
Thanks for the patch and explanation Rich, that was very helpful. I would rather not require policycoreutils-python in order to get the semanage tool so I think I'll just default the tempdir to /tmp/cobbler/buildiso instead. There were also a couple of references to the cwd on the server-side code that needed to be replaced. So I'm going to do things a little differently, but the same basic idea.

Comment 6 Clifford Perry 2013-10-01 21:39:35 UTC
Satellite 5.6 has been released. This bug was tracked under the release.  

This bug was either VERIFIED or RELEASE_PENDING (re-verified shortly
before release).

Moving to CLOSED CURRENT_RELEASE. 

Text from Upgrade Erratum follows:

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1395.html

