Bug 568801 - SE alerts running RHN Sat 5.3/cobbler
Summary: SE alerts running RHN Sat 5.3/cobbler
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Other
Version: 530
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Jan Hutař
URL:
Whiteboard:
Depends On:
Blocks: 634222 sat541-blockers
 
Reported: 2010-02-26 16:32 UTC by Steve Reichard
Modified: 2011-06-17 02:41 UTC
CC List: 4 users

Fixed In Version: cobbler-2.0.7-10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-17 02:41:27 UTC
Target Upstream Version:
Embargoed:



Description Steve Reichard 2010-02-26 16:32:31 UTC
Description of problem:

Using Sat 5.3 as part of a config with SELinux permissive.

During cobbler config, did perform the documented steps:
# setsebool -P httpd_can_network_connect true
# semanage fcontext -a -t public_content_t "/var/lib/tftpboot/.*"

Note: Leading '/' in /var is missing in documentation.

Upon browsing for errors, came across the following:

# SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/initrd.img (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to /images/ks-rhel-x86_64-server-5-u4/initrd.img (spacewalk_data_t). 

Version-Release number of selected component (if applicable):

Sat 5.3

How reproducible:

Unknown

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

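Added example, not part of the bug report or of any Red Hat tooling: a small Python triage helper that parses setroubleshoot "SELinux is preventing" lines like the ones quoted in the description and groups them by (source domain, target type). On a host with many alerts this is what makes the pattern stand out: every denial here is tftpd_t against files labelled spacewalk_data_t, which points at a labelling problem on the boot files rather than a policy gap. The sample lines are the ones from the description; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the setroubleshoot lines quoted in the bug description.
SAMPLE_ALERTS = """\
# SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/initrd.img (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "getattr" to /images/ks-rhel-x86_64-server-5-u4/vmlinuz (spacewalk_data_t).
# SELinux is preventing in.tftpd (tftpd_t) "read" to /images/ks-rhel-x86_64-server-5-u4/initrd.img (spacewalk_data_t).
"""

# Shape of a setroubleshoot summary line:
#   SELinux is preventing <comm> (<source domain>) "<perm>" to <path> (<target type>).
ALERT_RE = re.compile(
    r'SELinux is preventing (?P<comm>\S+) \((?P<sdomain>\w+)\) '
    r'"(?P<perm>\w+)" to (?P<path>\S+) \((?P<ttype>\w+)\)\.'
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that are not
    setroubleshoot 'is preventing' messages (a leading '# ' is tolerated)."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Group alerts as {(source domain, target type): {perm: set(paths)}}.
    Repeated alerts for the same path collapse into one entry."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in lines:
        alert = parse_alert(line)
        if alert:
            summary[(alert["sdomain"], alert["ttype"])][alert["perm"]].add(alert["path"])
    return {key: dict(perms) for key, perms in summary.items()}


def report(summary):
    """Render the summary as one line per (domain, type, perm) for a ticket."""
    lines = []
    for (sdomain, ttype), perms in sorted(summary.items()):
        for perm, paths in sorted(perms.items()):
            lines.append(f"{sdomain} -> {ttype}: {perm} on {len(paths)} path(s): "
                         + ", ".join(sorted(paths)))
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_ALERTS.splitlines())):
        print(line)
```

On a real host the input would be the alert lines from `sealert` or the journal rather than the embedded sample; the grouping logic is unchanged. The output for the sample is a single (tftpd_t, spacewalk_data_t) pair with `read` on three distinct paths and `getattr` on two.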
Comment 1 Jan Pazdziora 2010-03-01 08:12:49 UTC
Steve,

please paste or attach the output of

  # grep AVC /var/log/audit/audit.log

Thank you,

Jan

Comment 2 Jan Pazdziora 2010-06-04 08:46:27 UTC
As this is Satellite bugzilla, it cannot block Spacewalk tracker (only). Fixing.

Comment 3 Clifford Perry 2010-07-13 04:38:39 UTC
Please re-open with requested information. 

Cliff

Comment 5 Jan Pazdziora 2011-05-25 13:49:51 UTC
The root cause for this issue is the fact that by default, cobbler makes hardlink between content in /var/satellite/rhn/kickstart, /var/www/cobbler, and /var/lib/tftpboot (/tftpboot on RHEL 5).

# ls -laZ /var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/ /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/ /var/www/cobbler/images/ks-rhel-x86_64-server-6-60/
/var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/:
drwxr-xr-x. root   root   unconfined_u:object_r:cobbler_var_lib_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:cobbler_var_lib_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz

/var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/:
drwxr-xr-x. apache apache unconfined_u:object_r:spacewalk_data_t:s0 .
drwxr-xr-x. apache apache unconfined_u:object_r:spacewalk_data_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz

/var/www/cobbler/images/ks-rhel-x86_64-server-6-60/:
drwxr-xr-x. root   root   unconfined_u:object_r:cobbler_var_lib_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 initrd.img
-rw-r--r--. apache apache system_u:object_r:spacewalk_data_t:s0 vmlinuz

# ls -li /var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/ /var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/ /var/www/cobbler/images/ks-rhel-x86_64-server-6-60/
/var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60/:
total 33032
1706764 -rw-r--r--. 3 apache apache 30031359 Sep 21  2010 initrd.img
1706765 -rw-r--r--. 3 apache apache  3791744 Sep 21  2010 vmlinuz

/var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot/:
total 33032
1706764 -rw-r--r--. 3 apache apache 30031359 Sep 21  2010 initrd.img
1706765 -rw-r--r--. 3 apache apache  3791744 Sep 21  2010 vmlinuz

/var/www/cobbler/images/ks-rhel-x86_64-server-6-60/:
total 33032
1706764 -rw-r--r--. 3 apache apache 30031359 Sep 21  2010 initrd.img
1706765 -rw-r--r--. 3 apache apache  3791744 Sep 21  2010 vmlinuz

In this situation, the order in which the files are restorecon-ed matters -- if the last one restorecon-ed is /var/satellite, all the files will get spacewalk_data_t, if the last one is /var/lib/tftpboot or /var/www, all will get cobbler_var_lib_t.

The solution that we see for the problem is to prevent cobbler from using hardlinks. Cobbler uses hardlinks if the two locations are on the same filesystem. If they are not, it either symlinks or copies the files. A copy makes it possible to have different contexts for the files in question.
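Added example, not part of the bug or of cobbler: a Python check for the condition comment 5 describes. A hardlink is the same inode under several names, and the SELinux label lives on the inode, so a file reachable from /var/satellite, /var/www/cobbler and /var/lib/tftpboot can only ever carry one label, whichever restorecon ran last. The function below walks a set of top directories and reports every regular file whose (device, inode) appears under more than one of them; it deliberately uses lstat so a symlink counts as its own inode. The demo builds a constructed temp-directory copy of the three trees from the `ls -li` listing, once with hardlinks (the broken default) and once with copies (what cobbler-2.0.7-10 does), and shows the check flags the first and not the second. Tree names are taken from the listing; everything else is the example's own.

```python
import os
import shutil
import stat
import tempfile
from collections import defaultdict

# The three locations cobbler keeps in sync (from comment 5; /var/lib/tftpboot
# is /tftpboot on RHEL 5). Kept relative so the demo can be built under a temp root.
TREES = (
    "var/satellite/rhn/kickstart/ks-rhel-x86_64-server-6-6.0/images/pxeboot",
    "var/www/cobbler/images/ks-rhel-x86_64-server-6-60",
    "var/lib/tftpboot/images/ks-rhel-x86_64-server-6-60",
)
BOOT_FILES = ("vmlinuz", "initrd.img")


def find_cross_tree_hardlinks(tops):
    """Map (device, inode) -> sorted paths for regular files whose inode is
    reachable from more than one of the given top directories. Each such
    inode carries exactly one SELinux label, so restorecon on one tree
    silently relabels the others."""
    seen = defaultdict(dict)  # (dev, ino) -> {top: path}
    for top in tops:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                st = os.lstat(path)  # lstat: a symlink is its own inode, not a hit
                if not stat.S_ISREG(st.st_mode):
                    continue
                seen[(st.st_dev, st.st_ino)][top] = path
    return {key: sorted(paths.values()) for key, paths in seen.items() if len(paths) > 1}


def build_demo(root, mode):
    """Constructed layout: the kickstart tree holds the real files; the two
    cobbler trees get either hardlinks (cobbler's default when the trees share
    a filesystem) or copies (the fix). Returns the absolute top directories."""
    src = os.path.join(root, TREES[0])
    os.makedirs(src)
    for name in BOOT_FILES:
        with open(os.path.join(src, name), "wb") as f:
            f.write(b"constructed fake " + name.encode())
    for tree in TREES[1:]:
        dst = os.path.join(root, tree)
        os.makedirs(dst)
        for name in BOOT_FILES:
            if mode == "hardlink":
                os.link(os.path.join(src, name), os.path.join(dst, name))
            elif mode == "copy":
                shutil.copy2(os.path.join(src, name), os.path.join(dst, name))
            else:
                raise ValueError(f"unknown mode {mode!r}")
    return [os.path.join(root, t) for t in TREES]


def demo(mode):
    """Run the check on a fresh demo layout; return the shared-inode groups
    as lists of root-relative paths (empty when nothing is shared)."""
    with tempfile.TemporaryDirectory() as root:
        groups = find_cross_tree_hardlinks(build_demo(root, mode))
        return sorted(sorted(os.path.relpath(p, root) for p in paths)
                      for paths in groups.values())


if __name__ == "__main__":
    # On a Satellite host the same check would be run as, for example:
    # find_cross_tree_hardlinks(["/var/satellite/rhn/kickstart",
    #                            "/var/www/cobbler", "/var/lib/tftpboot"])
    for mode in ("hardlink", "copy"):
        print(mode, "->", demo(mode) or "no shared inodes")
```

With hardlinks the check returns two groups (vmlinuz and initrd.img), each naming the same file under all three trees, which is the `ls -li` listing above reduced to the facts that matter; with copies it returns nothing, and each tree can then hold its own context.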

Comment 6 Jan Pazdziora 2011-05-25 14:03:10 UTC
Hardlinks disabled in cobbler in Satellite thirdparty, c9455273362806ae6e9d14fcbdd9da93159169f7.

Tagged and built as cobbler-2.0.7-10.

Comment 16 Clifford Perry 2011-06-17 02:41:27 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html

