Anton Arapov wrote:
> On Mon, Dec 15, 2008 at 08:33:24AM -0500, Michael DeHaan wrote:
>   
>> Anton Arapov wrote:
>>     
>>> On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
>>> [..snip..]
>>>   
>>>       
>>>>   node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
>>>>   avc: denied { read write } for pid=22082 comm="semanage" path="socket:[96400]" dev=sockfs ino=96400
>>>>   scontext=unconfined_u:unconfined_r:semanage_t:s0
>>>>   tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
>>>> , have no idea ... this hits just by adding .call(semanage). I tried to reproduce
>>>> it in test script, and everything works just fine.
>>>>
>>>> Usually, such things are solved by:
>>>>   fcntl(socket, F_SETFD, FD_CLOEXEC),
>>>> but it's python, and I do not see any sockets being used,... even more, I do not see
>>>> why we need 'import socket' in app.py and utils.py, I think they could be
>>>> easily removed. ...
>>>>     
>>>>         
>>> [code]
>>>    ...
>>>    url = "http://%s:80/cobbler_api" % (server)
>>>    self.xmlrpc_server = ServerProxy(url)
>>>    self.xmlrpc_server.get_profiles()
>>>    ...
>>> [/code]
>>>
>>> xmlrpc_server is the descriptor SELinux complains about.
>>>
>>> Not sure how to fix it. I'm not very familiar with this lib so far. 
>>> Don't you know if it is possible to use it 'on demand', when we need 
>>> something from xmlrpc - connect and
>>> disconnect at the end of operation?
>>>  -- Anton
>>>
>>>   
>>>       
>> Cobbler's use of xmlrpclib is no different than any other python  
>> library, of which we have many that use xmlrpclib -- it probably points  
>> at something fundamental that needs to be fixed in SELinux if it's  
>> complaining about simple socket usage.
>>     
>
> Agreed. 
>
>   Michael, I'm going to send the patch with semanage inside, it will
> be 100% functional, with only a complaint from SELinux. This
> benefits us, and me personally =), with a working virtual machine after
> reboot.
>
>   Also, it will be easier to bugreport to SELinux developers, I'll
> give them the link to koan's git with comments.
>
>   Does it sound good to you?
>
>
>   
>> --Michael
>>     
>
>   

Sounds good, send it along and I'll apply it.

Thanks!

--Michael
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
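Added example, not code from this thread or from koan/cobbler: the descriptor-inheritance mechanism behind the AVC denial quoted above, and the `fcntl(socket, F_SETFD, FD_CLOEXEC)` fix Anton mentions. A constructed, unconnected TCP socket stands in for the `ServerProxy` connection and a small probe child stands in for `semanage`; the function names are hypothetical.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Probe run in the child: exit 0 only if descriptor argv[1] is an open socket.
_PROBE = (
    "import os, stat, sys\n"
    "try:\n"
    "    mode = os.fstat(int(sys.argv[1])).st_mode\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0 if stat.S_ISSOCK(mode) else 1)\n"
)


def child_inherits(fd):
    """Spawn a child without automatic fd closing (the Python 2 default)
    and report whether it received the parent's socket descriptor."""
    rc = subprocess.call([sys.executable, "-c", _PROBE, str(fd)],
                         close_fds=False)
    return rc == 0


def set_cloexec(fd):
    """Mark fd close-on-exec, preserving any other descriptor flags."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def demo():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # constructed
    try:
        fd = sock.fileno()
        # Python 3.4+ creates descriptors non-inheritable (PEP 446); undo
        # that to reproduce the behaviour the thread is dealing with.
        os.set_inheritable(fd, True)
        leaked = child_inherits(fd)     # child holds the parent's tcp_socket
        set_cloexec(fd)
        after_fix = child_inherits(fd)  # descriptor is closed across exec
        return leaked, after_fix
    finally:
        sock.close()


if __name__ == "__main__":
    print("leaked=%s after_fix=%s" % demo())
```

When the child runs in a confined domain such as `semanage_t`, the inherited socket in the first case is what the policy check is applied to; with close-on-exec set, the child never receives the descriptor.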
