On Mon, Dec 15, 2008 at 08:41:54AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>> On Mon, Dec 15, 2008 at 08:33:24AM -0500, Michael DeHaan wrote:
>>   
>>> Anton Arapov wrote:
>>>     
>>>> On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
>>>> [..snip..]
>>>>         
>>>>>   node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
>>>>>   avc: denied { read write } for pid=22082 comm="semanage" path="socket:[96400]" dev=sockfs ino=96400
>>>>>   scontext=unconfined_u:unconfined_r:semanage_t:s0
>>>>>   tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
>>>>>
>>>>> I have no idea ... this hits just by adding .call(semanage). I tried to
>>>>> reproduce it in a test script, and everything works just fine.
>>>>>
>>>>> Usually, such things are solved by:
>>>>>   fcntl(socket, F_SETFD, FD_CLOEXEC),
>>>>> but it's python, and I do not see any sockets being used ... even more, I do
>>>>> not see why we need 'import socket' in app.py and utils.py; I think they
>>>>> could be easily removed. ...
>>>>>             
>>>> [code]
>>>>    from xmlrpclib import ServerProxy
>>>>    ...
>>>>    url = "http://%s:80/cobbler_api" % (server)
>>>>    self.xmlrpc_server = ServerProxy(url)
>>>>    self.xmlrpc_server.get_profiles()
>>>>    ...
>>>> [/code]
>>>>
>>>> xmlrpc_server is the descriptor SELinux complains about.
>>>>
>>>> Not sure how to fix it. I'm not well familiar with this lib so far.
>>>> Do you know if it is possible to use it 'on demand': when we need
>>>> something from xmlrpc, connect, and disconnect at the end of the
>>>> operation?
>>>>  -- Anton
>>>>
>>>>         
>>> Cobbler's use of xmlrpclib is no different than any other python
>>> library, of which we have many that use xmlrpclib -- it probably
>>> points at something fundamental that needs to be fixed in SELinux if
>>> it's complaining about simple socket usage.
>>>     
>>
>> Agreed. 
>>
>>   Michael, I'm going to send the patch with semanage inside; it will
>> be 100% functional, with only a complaint from SELinux. This
>> benefits us, and me personally =), by giving us a working virtual
>> machine after reboot.
>>
>>   Also, it will be easier to report the bug to the SELinux developers; I'll
>> give them the link to koan's git with comments.
>>
>>   Does it sound good to you?
>>   
>>> --Michael
>
> Sounds good, send it along and I'll apply it.

Yay! ... SOLVED.

  When I started to research how to gracefully close descriptors, and
sockets in particular, I found out that sub_process already offers it:
pass the option closefds=True to .call().

  =)


-- 
-Anton
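The descriptor leak the thread is about, shown as an added example that is not code from the thread or from cobbler/koan: a socket held open by the parent (standing in for the xmlrpclib ServerProxy connection) is visible in a child spawned with close_fds=False and gone when close_fds=True is used. It assumes a POSIX host and Python 3; since Python 3.4 new descriptors are non-inheritable by default, so the socket is explicitly marked inheritable to reproduce the Python 2 era behaviour the thread hit.

```python
import os
import socket
import subprocess
import sys

# Child-side probe: reports whether a given descriptor number is open in
# the child. os.fstat raises OSError (EBADF) for a closed descriptor.
CHILD_PROBE = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    os.fstat(fd)\n"
    "    print('open')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def child_sees_fd(fd, close_fds):
    """Spawn a child with the given close_fds setting and return True if
    the child can still access descriptor `fd`."""
    result = subprocess.run(
        [sys.executable, "-c", CHILD_PROBE, str(fd)],
        close_fds=close_fds,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.strip() == "open"


def demo():
    """Return (leaked_with_close_fds_false, closed_with_close_fds_true)."""
    # A plain TCP socket stands in for the connection ServerProxy keeps open.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Python 3.4+ creates descriptors non-inheritable; mark this one
    # inheritable to mimic the Python 2 behaviour described in the thread.
    os.set_inheritable(sock.fileno(), True)
    try:
        leaked = child_sees_fd(sock.fileno(), close_fds=False)
        closed = not child_sees_fd(sock.fileno(), close_fds=True)
    finally:
        sock.close()
    return leaked, closed


if __name__ == "__main__":
    leaked, closed = demo()
    print("socket fd inherited by child (close_fds=False):", leaked)
    print("socket fd closed in child (close_fds=True):", closed)
```

With the descriptor closed in the child, semanage never holds the parent's socket, so there is no tcp_socket access for SELinux to deny.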

_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
