Bug 707215 - cobbler sync is blocked by selinux on rhel6
Summary: cobbler sync is blocked by selinux on rhel6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Provisioning
Version: 541
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Šimon Lukašík
URL:
Whiteboard:
Depends On:
Blocks: 634222 sat541-blockers
Reported: 2011-05-24 12:23 UTC by Petr Sklenar
Modified: 2011-06-17 02:43 UTC (History)
CC List: 4 users

Fixed In Version: cobbler-2.0.7-11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-17 02:43:57 UTC
Target Upstream Version:
Embargoed:



Description Petr Sklenar 2011-05-24 12:23:59 UTC
Description of problem:
cobbler sync is blocked from creating files in /var/lib/tftpboot/

Version-Release number of selected component (if applicable):
rhel6
Satellite-5.4.1-RHEL6-re20110511.0

# rpm -q cobbler
cobbler-2.0.7-8.el6sat.noarch

# rpm -qa | grep selinux
osa-dispatcher-selinux-5.9.38-1.el6sat.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
libselinux-2.0.94-5.el6.x86_64
selinux-policy-3.7.19-93.el6.noarch
oracle-instantclient-selinux-10.2.0.19-2.el6sat.noarch
spacewalk-monitoring-selinux-1.1.1-3.el6sat.noarch
spacewalk-selinux-1.2.1-5.el6sat.noarch
oracle-rhnsat-selinux-10.2.0.16-6.el6sat.noarch
libselinux-utils-2.0.94-5.el6.x86_64
oracle-instantclient-sqlplus-selinux-10.2.0.19-2.el6sat.noarch
libselinux-python-2.0.94-5.el6.x86_64
rh-tests-RHN-Satellite-Installer-Sanity-set-selinux-1.0-6.noarch
libselinux-devel-2.0.94-5.el6.x86_64
oracle-nofcontext-selinux-0.1.23.25-3.el6sat.noarch

How reproducible:
always

Steps to Reproduce:
1. cobbler sync
  
Actual results:
# cobbler sync
task started: 2011-05-24_082023_sync
task started (id=Sync, time=Tue May 24 08:20:23 2011)
running pre-sync triggers
cleaning trees
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-6-61
removing: /var/www/cobbler/images/ks-rhel-x86_64-server-6-60
removing: /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c
Exception occured: <type 'exceptions.OSError'>
Exception value: [Errno 13] Permission denied: '/var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1180, in rmfile
    os.unlink(path)

Exception occured: <class 'cobbler.cexceptions.CX'>
Exception value: 'Error deleting /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c'
Exception Info:
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 95, in run
    rc = self._run(self)
  File "/usr/lib/python2.6/site-packages/cobbler/remote.py", line 184, in runner
    return self.remote.api.sync(self.options.get("verbose",False),logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 610, in sync
    return sync.run()
  File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 109, in run
    self.clean_trees()
  File "/usr/lib/python2.6/site-packages/cobbler/action_sync.py", line 192, in clean_trees
    utils.rmtree_contents(self.pxelinux_dir,logger=self.logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1192, in rmtree_contents
    rmtree(x,logger=logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1197, in rmtree
    return rmfile(path,logger=logger)
  File "/usr/lib/python2.6/site-packages/cobbler/utils.py", line 1186, in rmfile
    raise CX(_("Error deleting %s") % path)

!!! TASK FAILED !!!

audit.log:

type=AVC msg=audit(1306239512.406:360431): avc:  denied  { unlink } for  pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933237 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.407:360432): avc:  denied  { write } for  pid=2205 comm="cobblerd" name="pxelinux.cfg" dev=dm-0 ino=2493033 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.407:360432): avc:  denied  { remove_name } for  pid=2205 comm="cobblerd" name="01-00-16-3e-41-60-0c" dev=dm-0 ino=2493005 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.407:360432): avc:  denied  { unlink } for  pid=2205 comm="cobblerd" name="01-00-16-3e-41-60-0c" dev=dm-0 ino=2493005 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.408:360433): avc:  denied  { write } for  pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-61" dev=dm-0 ino=2490463 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.408:360433): avc:  denied  { remove_name } for  pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933237 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.409:360434): avc:  denied  { rmdir } for  pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-61" dev=dm-0 ino=2490463 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.416:360435): avc:  denied  { add_name } for  pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-60" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.416:360435): avc:  denied  { create } for  pid=2205 comm="cobblerd" name="ks-rhel-x86_64-server-6-60" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.448:360436): avc:  denied  { add_name } for  pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933101 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.448:360436): avc:  denied  { link } for  pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933101 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.472:360437): avc:  denied  { create } for  pid=2205 comm="cobblerd" name="01-00-16-3e-7e-0a-45" scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1306239512.472:360437): avc:  denied  { write } for  pid=2205 comm="cobblerd" name="01-00-16-3e-7e-0a-45" dev=dm-0 ino=2491988 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file


Expected results:
 no denial

Additional info:

Comment 2 Jan Pazdziora 2011-05-25 09:52:00 UTC
Taking.

Comment 3 Jan Pazdziora 2011-05-25 09:53:55 UTC
How did you create the /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c file with content public_content_t?

Comment 4 Jan Pazdziora 2011-05-25 09:54:53 UTC
(In reply to comment #3)
> How did you create the /var/lib/tftpboot/pxelinux.cfg/01-00-16-3e-41-60-0c file
> with content public_content_t?

s/ content / type /

Comment 5 Petr Sklenar 2011-05-25 10:13:31 UTC
By:
semanage fcontext -a -t public_content_t "/var/lib/tftpboot/.*"
which is what is written in the help,

and restorecon -r /var/lib/tftpboot/ - I did that to be sure; shouldn't I have done that?

Comment 6 Šimon Lukašík 2011-05-25 10:42:42 UTC
Jan, in the reference guide (section 11.1.4.1) there is a 

  semanage fcontext -a -t public_content_t "/tftpboot/.*"

advised, which most probably applies to rhel5. Note that on a fresh
rhel5 there is:

  # ls -ldZ /tftpboot/
  drwxr-xr-x  root root system_u:object_r:tftpdir_t /tftpboot/

On the other hand on rhel6 we have

  # ls -ldZ /var/lib/tftpboot/
  drwxr-xr-x. root root system_u:object_r:tftpdir_rw_t:s0 /var/lib/tftpboot/

In both cases, rhel5 & rhel6, 'cobbler sync' does not traceback
on a freshly installed Satellite 5.4.1. (*). The ultimate question is:
 1) why we need public_content_t on rhel5
 2) whether we need it on rhel6 as well or not

If the second is not true, we need to cancel bug 706868.


(*) To be precise, on fresh rhel6, there is another unrelated AVC denial.
    During 'cobbler sync', cobblerd is writing to /var/www/cobbler.

type=AVC msg=audit(1306318466.014:523007): avc:  denied  { write } for  pid=17557 comm="cobblerd" name="cobbler" dev=dm-0 ino=1968380 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
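The denials above all share one shape: cobblerd_t is refused an operation on a file whose type is not the one the directory would carry after a plain install (tftpdir_rw_t on rhel6, per the ls -Z output in this comment). As an added example, not code from the bug report, from cobbler or from Satellite, the following Python script parses audit.log AVC records like the ones pasted in comment 0, groups the denied permissions by source domain, target type and object class, and flags target types that the domain is not expected to touch. The expected-type list for cobblerd_t (tftpdir_rw_t and cobbler_var_lib_t) is an assumption taken from the ls -Z output in comment 6 above and comment 12 below, not a list derived from the policy; the sample log is constructed from four of the lines in this bug plus one made-up SYSCALL record to show that non-AVC records are skipped.

```python
"""Triage SELinux AVC denials of the kind pasted in this bug.

Added example; not part of the bug report, cobbler or Satellite.
Parses type=AVC records, groups denied permissions by
(source type, target type, object class) and flags target types
outside the set a confined domain is expected to write under.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches the record layout used by the RHEL 6 audit daemon. name/dev/ino are
# optional because a failed create (comment 0, ino=2493005 vs none) omits them.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?(?: dev=(?P<dev>\S+))?(?: ino=(?P<ino>\d+))?'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption drawn from comments 6 and 12, not from the reference policy.
EXPECTED_COBBLERD_TARGETS = ('tftpdir_rw_t', 'cobbler_var_lib_t')

# Constructed sample: four AVC lines copied from this bug and one made-up
# SYSCALL record (syscall 87 = unlink on x86_64, exit=-13 = EACCES).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1306239512.406:360431): avc:  denied  { unlink } for  pid=2205 comm="cobblerd" name="vmlinuz" dev=dm-0 ino=933237 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=SYSCALL msg=audit(1306239512.406:360431): arch=c000003e syscall=87 success=no exit=-13 comm="cobblerd"
type=AVC msg=audit(1306239512.407:360432): avc:  denied  { write } for  pid=2205 comm="cobblerd" name="pxelinux.cfg" dev=dm-0 ino=2493033 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306239512.407:360432): avc:  denied  { remove_name } for  pid=2205 comm="cobblerd" name="01-00-16-3e-41-60-0c" dev=dm-0 ino=2493005 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1306482611.895:399920): avc:  denied  { write } for  pid=9419 comm="cobblerd" name="cobbler" dev=dm-0 ino=1181993 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
"""


@dataclass(frozen=True)
class AvcDenial:
    serial: int
    perms: tuple
    pid: int
    comm: str
    name: str    # last path component only; audit.log never records the full path
    ino: int     # 0 when the record carries no inode
    stype: str   # type field of scontext, e.g. cobblerd_t
    ttype: str   # type field of tcontext, e.g. public_content_t
    tclass: str


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Return one AvcDenial per type=AVC record; other record types are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append(AvcDenial(
            serial=int(m['serial']),
            perms=tuple(m['perms'].split()),
            pid=int(m['pid']),
            comm=m['comm'],
            name=m['name'] or '',
            ino=int(m['ino'] or 0),
            stype=context_type(m['scontext']),
            ttype=context_type(m['tcontext']),
            tclass=m['tclass'],
        ))
    return out


def summarize(denials):
    """(source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d.stype, d.ttype, d.tclass)].update(d.perms)
    return {k: sorted(v) for k, v in groups.items()}


def unexpected_targets(denials, domain, expected_types):
    """Target types `domain` was denied on that lie outside its expected set.

    A hit here usually means the file is mislabeled (fix the label, then
    restorecon), not that the policy is missing an allow rule.
    """
    seen = {d.ttype for d in denials if d.stype == domain}
    return sorted(seen - set(expected_types))


def inodes_to_check(denials, domain):
    """Inode numbers to resolve with `find <fs> -inum N`, as comment 9 does."""
    return sorted({d.ino for d in denials if d.stype == domain and d.ino})


if __name__ == '__main__':
    denials = parse_avc(SAMPLE_AUDIT_LOG)
    for key, perms in sorted(summarize(denials).items()):
        print('%s -> %s (%s): %s' % (key[0], key[1], key[2], ' '.join(perms)))
    print('unexpected targets:', unexpected_targets(denials, 'cobblerd_t', EXPECTED_COBBLERD_TARGETS))
    print('inodes to resolve with find -inum:', inodes_to_check(denials, 'cobblerd_t'))
```

When the target type is outside the domain's expected set, the question to ask is why the file carries that label, not which allow rule would silence the denial: an audit2allow module granting cobblerd_t write on public_content_t would only paper over the mislabel introduced by the semanage command in comment 5. Look for local rules with `semanage fcontext -l -C`, drop the stray one with `semanage fcontext -d "/var/lib/tftpboot/.*"`, run `restorecon -Rv /var/lib/tftpboot`, and resolve any inode numbers the records report with `find /var -inum N` to see which path was actually hit.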

Comment 7 Jan Pazdziora 2011-05-25 12:46:14 UTC
With cobbler-2.0.7-9, thanks to the change that went into bug 706857, cobbler check will no longer give the ill-advised recommendation about semanage and public_content_t.

In bug 706868 we now track the removal of this from documentation as well.

Moving to MODIFIED/ON_QA -- in general, don't do any manual changes to your Satellite, everything is supposed to work out of box.

Comment 9 Šimon Lukašík 2011-05-26 10:09:11 UTC
Well, the AVC from comment 0 is gone with cobbler-2.0.7-10.el6sat.
On the other hand, `cobbler sync' does trigger an AVC denial.


type=AVC msg=audit(1306403762.292:391551): avc:  denied  { write } for  pid=24952 comm="cobblerd" name="cobbler" dev=dm-0 ino=405425 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
type=AVC msg=audit(1306403762.292:391551): avc:  denied  { remove_name } for  pid=24952 comm="cobblerd" name="pub" dev=dm-0 ino=790672 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir

# find /var -inum 790672
/var/lib/tftpboot/s390x
# find /var -inum 405425
/var/www/cobbler

Jan, I hesitate whether I should put the bugzilla back to ASSIGNED or create a new one.
Considering the quite general name of this ticket, I'd prefer to put this
back to ASSIGNED.

Comment 10 Jan Pazdziora 2011-05-26 11:06:49 UTC
(In reply to comment #9)
> Well, the AVC from comment 0, is gone with cobbler cobbler-2.0.7-10.el6sat.
> On the other hand `cobbler sync' does trigger AVC denial.
> 
> 
> type=AVC msg=audit(1306403762.292:391551): avc:  denied  { write } for 
> pid=24952 comm="cobblerd" name="cobbler" dev=dm-0 ino=405425
> scontext=unconfined_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
> type=AVC msg=audit(1306403762.292:391551): avc:  denied  { remove_name } for 
> pid=24952 comm="cobblerd" name="pub" dev=dm-0 ino=790672
> scontext=unconfined_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir
> 
> # find /var -inum 790672
> /var/lib/tftpboot/s390x
> # find /var -inum 405425
> /var/www/cobbler
> 
> Jan, I hesitate, If I should but the bugzilla to assigned or create a new.
> Considering quite general name of this ticker, I'd prefer to put this
> back to Assigned.

I believe this is some sort of residue from your previous installation of the older version of cobbler.

If you switch to Permissive and run cobbler sync and let the thing actually remove the /var/www/cobbler/pub, then all subsequent cobbler sync should pass because the directory won't be there anymore.

Moving back ON_QA.

Comment 11 Šimon Lukašík 2011-05-26 12:34:45 UTC
Thanks for clarification, Jan.

Running 'cobbler sync' in enforcing prior to the test has fixed it. Anyway,
I'll check again on a fresh installation.

Comment 12 Šimon Lukašík 2011-05-27 07:56:32 UTC
Jan, 'cobbler sync' on a fresh installation triggers the AVC.

type=AVC msg=audit(1306482611.895:399920): avc:  denied  { write } for  pid=9419 comm="cobblerd" name="cobbler" dev=dm-0 ino=1181993 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:httpd_cobbler_content_t:s0 tclass=dir


# find /var/ -inum 1181993
/var/www/cobbler
# rpm -qf /var/www/cobbler/pub
cobbler-2.0.7-10.el6sat.noarch
# ls -laZ /var/www/cobbler/
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:httpd_sys_content_t:s0 ..
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 aux
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 images
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 ks_mirror
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 links
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 localmirror
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 pub
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 rendered
drwxr-xr-x. apache apache system_u:object_r:cobbler_var_lib_t:s0 repo_mirror
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 svc
drwxr-xr-x. apache apache system_u:object_r:httpd_cobbler_content_t:s0 web

Comment 13 Jan Pazdziora 2011-05-27 14:07:09 UTC
Thanks. Cobbler really shouldn't be removing that pub directory, especially as the cobbler rpm owns it:

# rpm -qf /var/www/cobbler/pub
cobbler-2.0.7-8.el6sat.noarch

Comment 14 Jan Pazdziora 2011-05-27 14:28:28 UTC
Fixed in Satellite thirdparty, fb52e31ea98ce4e3de121f7ac5b0c697205c112b.

Tagged and built as cobbler-2.0.7-11.

Comment 16 Šimon Lukašík 2011-05-30 08:58:54 UTC
Changing to Verified:

The cobbler sync does not trigger any AVC denial.
Well done!

Verified against:
cobbler-2.0.7-11.el6sat.noarch

Comment 17 Milan Zázrivec 2011-06-06 13:33:08 UTC
Verified in stage w/ cobbler-2.0.7-11 -> release pending.

Comment 18 Clifford Perry 2011-06-17 02:43:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html

